This morning, I woke up to a Twitter direct message (DM) warning me that a bad blog had been posted about me, and urging me to click on the link to check it out. I thought briefly about checking the link on my Android, but quickly realized this was a phishing attempt from a compromised account.
There were some telltale signs that raised my guard:
- The message came from a friend-of-a-friend, someone I know peripherally in real life, but who had never direct messaged me before.
- The syntax of the message was wrong, as though it had been sent by a machine and never passed through a smartphone’s autocorrect.
- The link was shortened with an unconventional shortener, not one of the more common ones like goo.gl, bit.ly, etc. Also, links in direct messages are almost always spam.
- The most telling sign of all: I had received the exact same message a few hours earlier, in the middle of the night.
What should you do if you’ve clicked on one of these bad links and a malicious application has gained access to your account? Conventional wisdom says that you should change your password. While it’s always a good idea to change your password from time to time, it won’t help if your account is already compromised.
On Twitter and many other online applications (including Facebook, LinkedIn and Google) you have to approve access for each application that wants to access your account. When you approve it, the application is given a “token” which is a random keycode that allows back-end access to some functions. So an application would be able to post to your account, but not see your personal information, for example. More importantly, the application never sees your password. Even more importantly, the application continues to have access until you revoke the token, even if you change your password.
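A toy model of the token mechanism just described, added here as an example (it is not code from the original post or from Twitter); the account, the application name `bad-blog-app` and the scope names are constructed. It shows that a token is scoped to approved actions, survives a password change, and stops working only when revoked.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field

@dataclass
class Token:
    value: str         # random keycode handed to the application
    app: str
    scopes: frozenset  # actions the user approved, e.g. {"post"}

@dataclass
class Account:
    username: str
    _salt: bytes = field(default_factory=lambda: os.urandom(16), repr=False)
    _pw_hash: bytes = b""
    tokens: dict = field(default_factory=dict)  # token value -> Token

    def set_password(self, password: str) -> None:
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def authorize_app(self, app: str, scopes) -> str:
        # The app never sees the password; it receives a random token instead.
        tok = Token(secrets.token_urlsafe(32), app, frozenset(scopes))
        self.tokens[tok.value] = tok
        return tok.value

    def revoke_app(self, app: str) -> int:
        """Remove every token issued to `app`; returns how many were revoked."""
        doomed = [v for v, t in self.tokens.items() if t.app == app]
        for v in doomed:
            del self.tokens[v]
        return len(doomed)

    def api_call(self, token_value: str, action: str) -> bool:
        """Back-end check: the token must still exist and its scopes must cover the action."""
        tok = self.tokens.get(token_value)
        return tok is not None and action in tok.scopes

def compromise_and_recover() -> dict:
    """Scenario from the post (constructed): what the malicious app can do at each stage."""
    acct = Account("victim")
    acct.set_password("hunter2")
    tok = acct.authorize_app("bad-blog-app", {"post"})  # user clicked the link and approved
    result = {"app_can_post": acct.api_call(tok, "post"),
              "app_can_read_dms": acct.api_call(tok, "read_dms")}
    acct.set_password("n3w-passw0rd!")  # conventional advice: does not touch tokens
    result["post_after_pw_change"] = acct.api_call(tok, "post")
    acct.revoke_app("bad-blog-app")  # the actual fix
    result["post_after_revoke"] = acct.api_call(tok, "post")
    return result
```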
To revoke access on Twitter:
- Log in to your account on twitter.com.
- Along the top of the screen is your profile picture and username. Click on it to drop down a menu, then click on the Settings option.
- The next screen is your account settings. The very last tab in this menu is Applications. Click on it.
- Scroll through the list of applications, and click the button to revoke access to any that you don’t recognize as something that you’ve approved in the past. The settings are saved immediately when you click the buttons.
As soon as you revoke access to the malicious application, your account is no longer compromised. Now go apologize to your many followers whose inboxes you’ve been spamming and warn them not to click on those links!