Overreaching app permissions a security threat, or “this is why we can’t have nice things”
Third-party apps often request more permissions than they actually need, including write access to, for example, your social media accounts. Once an app has been authorized, it holds an access token basically forever, until you manually revoke it.
This opens up another attack vector for hackers, which became abundantly clear this morning when pro-Turkish hackers decided to blast out a message all over Twitter.
Including via our own Twitter account, as you can see above (facepalm). We were far from alone, though. Other accounts affected included Unicef, Amnesty International, Forbes, and a large number of “regular” user accounts.
How did this happen? So far the evidence points to a single third-party service. The offending tweets all appear to be coming via The Counter, the app for Twitter Counter, a popular stats website for Twitter. They must have been compromised, which in turn compromised all Twitter accounts that had granted Twitter Counter access. (That said, other apps may have been compromised as well, not just Twitter Counter.)
So, app makers, ask yourselves, do you really need that write permission? If not, don’t ask for it. And the rest of us, we all should think twice before granting write access to our accounts and devices, whether it be to Twitter, Gmail, Facebook, LinkedIn, or whatever it may be.
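As an added illustration of the "think twice" advice (example code written for this post, not anything from Twitter or Twitter Counter), here is a small audit over a user's third-party authorizations: it flags apps holding write scopes their stated purpose does not need, and non-expiring tokens that have sat unrevoked for over a year. The scope names, purpose catalogue and sample grants are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Scopes that let an app act on the user's behalf. A stats/analytics service
# like the one described in the post needs none of them. (Assumed names.)
WRITE_SCOPES = {"tweet.write", "dm.write", "profile.write"}

# Widest scope set each declared purpose legitimately needs (assumption).
LEAST_PRIVILEGE = {
    "analytics": {"tweet.read", "users.read"},
    "scheduler": {"tweet.read", "users.read", "tweet.write"},
}


@dataclass
class Grant:
    app: str
    purpose: str
    scopes: set
    granted: date
    expires: Optional[date] = None  # None: token lives until the user revokes it


def excess_scopes(grant: Grant) -> set:
    """Scopes the app holds beyond what its stated purpose requires."""
    return grant.scopes - LEAST_PRIVILEGE.get(grant.purpose, set())


def audit(grants, today: date, max_age_days: int = 365) -> dict:
    """Map app name -> reasons the user should review or revoke that grant."""
    findings = {}
    for g in grants:
        reasons = []
        over_write = excess_scopes(g) & WRITE_SCOPES
        if over_write:
            reasons.append("write access beyond purpose: " + ", ".join(sorted(over_write)))
        if g.expires is None and (today - g.granted).days > max_age_days:
            reasons.append("non-expiring token older than %d days" % max_age_days)
        if reasons:
            findings[g.app] = reasons
    return findings


# Constructed sample authorizations, not real ones.
SAMPLE = [
    Grant("stats-site", "analytics", {"tweet.read", "users.read", "tweet.write"}, date(2015, 6, 1)),
    Grant("post-scheduler", "scheduler", {"tweet.read", "users.read", "tweet.write"}, date(2017, 1, 10)),
    Grant("readonly-dashboard", "analytics", {"tweet.read", "users.read"}, date(2014, 3, 3)),
]

if __name__ == "__main__":
    for app, reasons in audit(SAMPLE, date(2017, 3, 15)).items():
        print(app, "->", "; ".join(reasons))
```

The same check applies from the app maker's side: if `excess_scopes` is non-empty for your own app's purpose, you are asking for a permission you should drop.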