Woah! Read Those Twitter Authorizations Carefully

Many sites that require logging in now allow you to log in with your Twitter account and most are harmless. Some, though, have gone TOO FAR. I STARTED to log in on Huffington Post this morning and got this:

Twitter Huffington Post Login

No way, Jose! Read what this would allow them to do!

Check out the last two bullet points:

  • Allow Huffington Post to update your profile?
  • Allow Huffington Post to POST TWEETS ON YOUR BEHALF?

Question 1: Why would they ever need to update your Twitter profile from Huffington Post?

Question 2: Does that mean that when you choose to Tweet a post on their site they can send it to your Twitter account or does that literally mean they can “post tweets on your behalf” meaning any tweet any time without you knowing about it?

Kelly Hungerford (@KDHungerford on Twitter) wondered the same thing when she saw the same pop-up wording for paper.li (those papers we tweet and RT regularly on Twitter). Here is the official paper.li answer to her question, “Why am I authorizing paper.li to use my Twitter account?”:

  • We do not update your profile with any information. As this is a standard Twitter Pop-up, it is possible they are using it for multiple accounts.
  • Paper.li does post tweets on your behalf; when you re-tweet or direct message from an article on a Paper.li, and / or if you activate the Promo-Tweet on your paper.

That this is a “standard Twitter Pop-up” is bad news because that means we’re going to be seeing this much more often. That this wording is so vague is worse news because even if TODAY it means tweet what we tell them, LATER it could mean they can tweet through our accounts and we gave them permission to do it!

I don’t know about you, but I don’t want any site doing anything I did not SPECIFICALLY direct it to do. This makes me wonder if I have ever approved any other such actions without catching that or whether any site that was granted access without such serious approval can retroactively change what we agreed to allow them to do.

If anyone ever notices any site tweeting for me, please do let me know and I’ll put an immediate stop to it.

If you want to remove any application’s access or see what sites you have permitted access to your Twitter account, when logged into your account click on Settings > Applications. Unfortunately there doesn’t seem to be any way to tell what we have granted any particular app – we can only click Revoke Access.

If anyone knows of any other site that has an authorization allowing them to change or use our Twitter accounts please let us know in the comments here or by tweeting @GrowMap or by using our contact tab (above) so we can revoke access and warn others.

One other thing. Has anyone seen anything similar on connecting to Huffington Post (or any other site) via Facebook or LinkedIn? IMHO, any connection that wants to “use” your accounts is one to disconnect immediately.


Gail Gardner

Small Business Marketing Strategist at GrowMap
Creator and owner of GrowMap.com, Gail is primarily known for mentoring small businesses and encouraging bloggers to join collaborations to share skills and support small business.

Comments

  1. After publishing my article
    http://keycaptchaured.wordpress.com/2011/09/08/to-spam-or-not-to-spam-that-is-not-the-choice-anymore/
    where I wrote that even after removing access to any applications on my twitter account,
    I continued to observe spam tweets under my twitter username (account),
    my password to my twitter account was invalidated,
    I received Email from twitter support telling,
    that my account was compromised and I should pass procedure of resetting my password

    But when I use my twitter (or Google’s OpenID) account to login to other sites such as mashable.com or ipbskins.ru, I do not give them my password from my twitter (or Google) account, or any password at all!, and I am still able to use the same previously created user profiles logging into them from the same twitter account after changing my twitter’s (Google) account username and password.

    These sites, like sites on IPB (I.Board) CMS permit to tweet from such users to which I login through twitter.

    But if my twitter account or derivative accounts created through it, are compromised, they are able to post from them, though I do not see how changing passwords, username or even deleting original twitter account can now prevent such abuse.

    Do I have control over my accounts at all?
    And it is just a matter of a good will or intermediary sites or twitter to abuse them or not.
    And if they are abused by resource owners (who decided to change their policies), or are compromised by a 3rd party, what choice do I have to stop misusing my accounts?

    As far as I see it,
    I have no control over my own accounts

    Any comments?

    • It sounds like a phishing site may have somehow gotten your password and if a site uses OAuth it is SUPPOSED to prevent that; however, ANYTHING can be hacked.

      As for whether we have any control over our accounts given the wording we are being presented with in these authorizations I would say that eventually the answer to that will be NO.

      I suspect they (Facebook, Twitter, Google, etc.) will gradually start selling access to our accounts and slipping first a few and then probably a lot of advertisements in there because I have no doubt the wealthy elite are extremely unhappy about losing control over those of us who still use our brains for thinking.

      They are trying to regain that control of what we can see and say and take over the Internet one way or another – and unless we are more clever than they are they will because they never give up. Look at things like Cash Pensions (how they illegally converted REAL pensions to 401Ks and then took the money back through fees and manipulation of stock prices) and imposing National IDs on us.

      The post I’ll feature in CommentLuv in this reply has a ton of information about what we’re up against. If we can’t stop them from taking away the Internet we’re using now we may have to go back to dial-in bulletin boards or create an independent Internet. Did you know the ham radio folks have their own satellite? Hmmm.
      growmap would love you to read ..Blog Post Promotion

  2. I think the safest way to deal with things like this is having several e-mail addresses and use them to login to different sites. And keep one that you use for your friends etc. Just get them all together in an email program like windows live mail.

  3. So, I removed access from any app in my twitter account and I still continue getting spam-tweets like
    http://twitter.com/#!/ParMoiMeme/status/111387319138910209
    which I keep as sample (removing others)

    And what choice do I have anyway, even if I read those descriptions?
    They can be wrong
    Even if I remove the earlier given authorizations from target service (like Twitter here) and even from intermediary one (like Huffington here), isn’t it just a declarative wish from user’s side?
    I wrote a follow-up:
    To Spam or Not To Spam: That is Not The Choice Anymore?
    http://keycaptchaured.wordpress.com/2011/09/08/to-spam-or-not-to-spam-that-is-not-the-choice-anymore/

  4. I was going to register with my Google account, until I read they were asking to access the following:

    • Email address: (max.taffey@gmail.com)
    • Language: English
    • Google Contacts

    They provide “Allow” and “No Thanks” buttons, but clicking “No Thanks” means you don’t get to register. Sorry Huffington Post, I’m not willing to give you access to my contacts just for the privilege of commenting on your site.

  5. I noticed this yesterday when I tried to “connect via Twitter” at the Huffington Post. I failed to achieve this [1], so based on their implementation I suspect they’re too clueless to use the functionality maliciously!

    [1] http://gingerbbm.com/2011/07/postington-huff/

  6. This is why I’m so careful in adding tools and apps in Twitter. I don’t like it when there is this disclaimer of some sort.

  7. I did wonder about this too when I add an app in Twitter! Does this harm you in any way?
    This also happens in Facebook, right?

  8. charlie arehart says:

    This is indeed frustrating, and I’m surprised there’s not been more of an uproar over it. I experienced it, and went looking to see who else has raised it, and found this. I am pointing people to it (thanks) in the hopes of raising awareness.

    I almost wonder if the developers (choosing to ask for this level of access) are aware of it–and how some may be so put off that they will not use their service because of it. For many services that ask for this authorization, it just doesn’t seem they need it.

    I wish that Twitter would go a step further: they let us revoke an app’s authorization entirely. Why not let us remove individual privileges? I’d accept the risk that this could “break” an app I do want to use. I just don’t see any app needing to edit my profile, add new friends, or post on my behalf.

  9. Digg has the same pop-up. Does this mean you can use the account to tweet from digg when you digg a story or do they mean they will use your feed for tweets of their choosing. It’s quite sloppy to be so vague.

  10. It really pays to be very careful all the time in using new applications. Thanks for the information this is something we should not neglect.

  11. I generally allow it if it is something I newly set up or added, but at the same point each time I see the …something wants to access your account I just freak out. What do you do though? Do you allow a Twitter authorization and similar stuff or do you ignore it? Most likely we just click allow, but definitely it freaks me out every time.

  12. Ingrid Abboud says:

    Hey Gail,

    This is a great heads up and one that I’m quite conscious of when I join a new application. I used to just say “to heck with it they can’t mean it” – but now I’m much more prudent.

    Speaking of which – I wanted to thank you for sending me the link to the PeerIndex group you’re curating for ComLuv DoFollow Collaborating Bloggers list.

    But I also wanted to let you know that when I clicked to register – I got the same exact screen that you displayed here where they have the right to post tweets on your behalf, update your profile and so forth. So I still haven’t registered (although I’d like to) because of that – it’s actually the first thing I noticed so this particular post here couldn’t have come at a better time.

    Just thought I’d let you know :). If you know anything else about that please do inform me.

    Thanks so much Gail. You’re doing such an incredible job here and each of your posts brings so much value to the table.

    Happy Friday
    Cheers

  13. Sure I’ll notice you if I see anything like that. And anyway, thank you for warning, I usually don’t read into such notifications, just log in and without any idea of new practice.

  14. I saw the same messages on Tweetdeck, Hootsuite and Formulist. Services that most likely are reliable. But why do they ask this? Can someone enlighten us, ‘cos I’d love to use those services for my twitter account. Cheers!

  15. I saw the same message at Tweetdeck, Hootsuite and Formulist. I left their sites immediately. I’m sure there is an explanation, I mean they cannot be serious about doing this stuff. What does this mean, why do they ask this? Can someone enlighten us, ‘cos I’d love to use those services for my twitter account. Cheers!

  16. I’m not really active on Twitter but I can see why this might be disturbing for people.

  17. Ok, wow that’s bold. Just the other day I stopped in the midst of granting access to my FB account because they wanted access to more than I was comfortable with. The HP blows it away though.

  18. Aliza Shehpatii says:

    This is not fair. Such apps should not have such authorization terms, it’s just so bad…. Why someone will use our twitter account on his behalf, people should think about their such negative terms and condition what they are doing with their audience… It is just disgusting, I will unauthorize all my apps from twitter account…

  19. Funny I was just thinking about this today when I looked at how many apps had been granted access to my twitter account (58!) couldn’t believe it was that many, but you often do it so impulsively it pays to consider the implications of what you are approving at times. I tend to be more trusting in this regard than maybe I should be at times.

  20. This kind of practice could simply be lazy coding by the site that you’re authorising – nothing more sinister (not that lazy coding is acceptable!).

  21. I’ve been seeing this more and more on apps that my friends on Twitter (and Facebook!) are using, and it’s been really confusing. On one hand, these apps seem so useful and I see them doing great things for the people I’m connected with, but on the other hand…I feel much like you do: I don’t want an app doing anything I didn’t specifically tell it to do. This vague wording is unsettling.

    Delena

  22. Apps Developers says:

    I actually just ran into the same issue on the same site a few days ago and couldn’t believe my eyes!! I am glad you blogged about it. At first I thought I must have read it WRONG so I backed out of it and tried to sign up again and there it was the same strange message AGAIN. NO WAY!! Are they kidding?? I have recently seen this on another site, a technology site but I can’t remember the name of the site and I hope this won’t become the new norm! I won’t have anything to do with it!

  23. Not much of a twitter person but there have been some new updates in facebook as well, though not related to authentication so I think maybe some social networking sites are introducing some changes. However new updates like the Huffington Post can make anyone feel a bit scared and reluctant to try at first, definitely that kind of request would scare me away to another page :)

  24. I think it’s too much. I am always concerned when it comes to giving access to my personal information..

  25. This is the new Twitter Oauth screen, I’ve seen a few Twitter Apps with the same options and for me I want control over my Twitter. Timelines are visible unless they are protected, so give permission, the same goes for followers etc.

    The thing we all have to remember is, just because a site is using Oauth, you still should check what the application is asking of you and if you still aren’t sure then move away, if you do find a site being naughty with your account then revoke its access ;)

  26. Yeah, I don’t think this is the direction social media should open up to. Granted, folks in advertising and media will do whatever they can to reach an audience otherwise unreachable. However, it’s my belief this should be nipped in the bud, immediately! It is scary…

  27. This still really disturbs me. I actually saw a brief cartoon that demonstrated what kind of ignorance can ensue when things like this happen.

  28. I have seen that authorization from a lot of sources when authenticating with Twitter. It doesn’t really alarm me, especially if the source is trusted (I consider Paper.li trusted, to be honest). Of course, I can be proven wrong, but I would notice if something shady happened and I’d know how to put an end to it quickly, so I am not much worried. It is about using applications interconnected with Twitter or not using them. That kind of authorization is the price to pay, and I am willing to pay it.

  29. This is scary. I’ve always been very careful with Facebook apps – never approve any of them, because all they have is an ambiguous “this app will be able to access your data” – but I hadn’t thought about it for Twitter. Very scary.

  30. Say what? When I signed up for Huffington Post (sometime back in 2009) they didn’t have that twitter account registration (luckily). And if they did I didn’t notice it, but I don’t remember using my twitter account to register. This is preposterous!

  31. Nimmerklug says:

    The problem is that most applications to which I give access in twitter do not ask me anything except confirmation of access.
    Then, I see that they have gotten Write and Read access while for rare exception they do not need anything except Read access

  32. Gail, you have caught a steaming hot topic which one needs to be very vigilant these days. These days are so much fully loaded with hackers & malwares which is very difficult to recognize & keep track of them too.. They are just getting very intense day by day by adding severe complexities which is just not understandable for common users. Now-a-days everyone needs to be very aware of the happenings & also beware that hardly personal information should be shared on these social sites like Twitter & Facebook which clearly has option for re-tweeting to your followers & friends. I am astounded to read such practices are seen & enlarging rapidly!!!

  33. Thanks for the warning Gail. I don’t allow anyone to tweet for me and now I will be extra vigilant. If a blog doesn’t have a straight forward tweet button I don’t RT their posts either. If I don’t understand what is going on, I keep well away from it.

    Patricia Perth Australia

  34. Dennis Edell says:

    Great catch Gail, it seems these places studied privacy law under Facebook.

  35. And so it begins! This is starting to become too much. I wonder what tricks Twitter will soon begin to use to increase its profits? This is a very uncomfortable observation. Which is the main reason why I do not have a “personal” Facebook account. No matter what improvements they make to the privacy settings. Pretty soon, we will be ‘over-sharing’ information–whether we want to or not!

    Good looking out!

  36. Dorthe says:

    The 2nd to 4th points are vague and rather disconcerting. They’ve got to change the standard text to a clearer one.

  37. I really don’t understand the appeal of these kinds of ‘features.’ The internet was built on anonymity. While this has caused problems (comment trolls, anyone?), many users don’t want their reading habits and views broadcasted to all of their friends. But, I guess this is the direction we are headed in… There is too much money on the table for FB and the like not to keep moving forward on the integration of the social web and the rest of the internet.

  38. All these security standards and allowing web pages to do this or that shouldn’t even be allowed. It is illegal to impersonate another person so wouldn’t that fall under that category? I know it is stretching it a bit but if it can damage your reputation or represent you in a way that you are not ok with then that is not ok.

  39. True. AND, it really all comes down to our commitment to stay aware of what’s happening on our behalf (i.e., read your own tweets).

    It may be a good idea to set up notifications so that you get pinged when your tweets go out. You can do this via advanced Twitter notifications.

    See: Monitor your Twitterfeed tweets via notifications

  40. What about the part above those two points – see who you follow and follow new people. Reading the timeline – anyone can read your timeline if it’s public, so no big deal on that one. But the app is going to follow new people for me? Uh, no. :)

    • Hi Kristi,

      The “tweet on my behalf” grabbed me and I totally missed them following new people for me. Imagine the income they could generate if they could sell and send targeted tweets and followers which MAY be what this is about.

      What really annoys me is intentional use of ambiguous language like this – so if users scream too loudly they can just say “that isn’t how we meant it” – and if they don’t, Twitter can gradually introduce something new over time without calling attention to it by changing the TOS when they actually start using it. (Even now we have no way of knowing exactly how they mean any of those things.)

      I suspect many will just finally say, “oh well, it will be fine” and accept that new wording and see nothing new FOR NOW and then down the road we’ll see Twitter using those features. Most people would never notice new followers they didn’t follow or see the tweets they didn’t send.

  41. Hi, great post and I saw this recently on another site and I wish I could remember which one, I had a quick panic attack and left it immediately. I really don’t like the way this is going either, innocuous ‘little’ comments basically allowing people to do and say stuff on your behalf?? Not for me thank you! We laughed about Viewdle and Big Brother a while back but this is another dimension and who bothers to read T & C’s, not many people, we all just smile and click away happily nowadays. Great post and if I do see anyone speaking on your behalf, I promise I’ll let you know!! Good to catch up with you again, it’s been a while, take care, best regards, Peter

  42. David Griner says:

    I could be wrong, but I believe “post Tweets on your behalf” is required for any site/tool that includes a built-in “share on Twitter” functionality.

  43. I get the same exact message when I sign into the Twitter account management tool, ManageFlitter. I was a bit freaked out by it at first, but I think it’s pretty harmless (or at least I hope so). Twitter must have recently changed its privacy settings, so now rules for allowing outside apps to view your Twitter information are a bit more complicated than they previously were. I’m not worried, though (or at least hope I shouldn’t be).
