Overreaching app permissions a security threat, or “this is why we can’t have nice things”

Third-party apps often request more permissions than they actually need, for example write access to your social media accounts. Once you have authorized an app, it holds an access token that, on Twitter, does not expire: it stays valid until you manually revoke the app in your account's application settings, no matter how many times you change your password in the meantime.

This creates an attack vector that never touches your password: compromise the app, and you can post as every account that trusted it. That became abundantly clear this morning when pro-Turkish hackers blasted a message across Twitter.

[Twitter screenshot: the hijacked tweet as posted from our account]

Including via our own Twitter account, as you can see above (facepalm). We were far from alone, though. Other accounts affected included Unicef, Amnesty International, Forbes, and a large number of “regular” user accounts.

How did this happen? So far the evidence points to a single third-party service. The offending tweets all appear to have been posted via The Counter, the app for Twitter Counter, a popular stats website for Twitter. The most likely explanation is that Twitter Counter itself was compromised: its stored access tokens would then let the attackers tweet as every account that had granted it write access, without a single password being stolen. (That said, other apps may have been compromised as well; Twitter Counter is simply the one the evidence points to so far.)

So, app makers: ask yourselves whether you really need that write permission. A stats service has no reason to post on your behalf; if you only read, only ask to read. And the rest of us should think twice before granting write access to our accounts and devices, whether to Twitter, Gmail, Facebook, LinkedIn, or anything else, and should periodically review the list of authorized apps and revoke the ones we no longer use. If you had authorized Twitter Counter, revoke it now from your Twitter application settings; that is what actually invalidates its token.
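As an added example (not from the original post, and not code from Atomia or Twitter Counter), here is what "only ask to read" looks like at the protocol level for Twitter's OAuth 1.0a flow. The request-token step accepted an `x_auth_access_type` parameter with the value `read` or `write`, which let an app ask for less than its registered permission level. The consumer key, secret, nonce, timestamp and callback below are made up, and the helper names are my own. Because the parameter is covered by the HMAC-SHA1 signature, the verifier half of the example shows that it cannot be quietly changed to `write` in transit without the provider rejecting the request.

```python
"""Build and verify a Twitter OAuth 1.0a request-token call that asks for
read-only access via x_auth_access_type=read (assumption: that parameter
name and its read/write values, as Twitter documented them at the time).
Keys, nonce and timestamp in the usage example are constructed values."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"


def pct(value) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ unreserved)."""
    return quote(str(value), safe="-._~")


def normalize_params(params: dict) -> str:
    """Encode keys and values, sort by encoded key then value, join with & and =."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&encoded(url)&encoded(normalized params); every signed value lives here."""
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret="") -> str:
    """HMAC-SHA1 over the base string, keyed by consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_request_token_request(consumer_key, consumer_secret, callback,
                                access_type="read", nonce=None, timestamp=None):
    """Client side: return (url, headers, body) for POST oauth/request_token.

    access_type is sent as the form parameter x_auth_access_type and is included
    in the signed parameter set, so a downgrade to read-only is tamper-evident.
    """
    if access_type not in ("read", "write"):
        raise ValueError("x_auth_access_type must be 'read' or 'write'")
    oauth = {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    body = {"x_auth_access_type": access_type}
    oauth["oauth_signature"] = hmac_sha1_signature(
        "POST", REQUEST_TOKEN_URL, {**oauth, **body}, consumer_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    headers = {"Authorization": header,
               "Content-Type": "application/x-www-form-urlencoded"}
    return REQUEST_TOKEN_URL, headers, urlencode(body)


def parse_authorization_header(header: str) -> dict:
    """Inverse of the header builder above: 'OAuth k="v", k2="v2"' -> dict."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0a Authorization header")
    out = {}
    for part in header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_request(method, url, headers, body, consumer_secret) -> bool:
    """Provider side: recompute the signature over header + body params and compare.

    Any change to the body, including flipping x_auth_access_type to 'write',
    changes the base string and therefore the expected signature.
    """
    oauth = parse_authorization_header(headers["Authorization"])
    claimed = oauth.pop("oauth_signature", "")
    params = {**oauth, **dict(parse_qsl(body))}
    expected = hmac_sha1_signature(method, url, params, consumer_secret)
    return hmac.compare_digest(claimed, expected)


if __name__ == "__main__":
    # Constructed credentials: nothing here is a real consumer key or secret.
    url, hdrs, body = build_request_token_request(
        "example-consumer-key", "example-consumer-secret", "oob",
        nonce="4f9d2c1a8b7e", timestamp=1489500000)
    print(hdrs["Authorization"])
    print(body)
    print("verifies:", verify_request("POST", url, hdrs, body, "example-consumer-secret"))
```

The registered permission level of the app on Twitter still caps what it can get; this parameter only lets an app ask for less, which is exactly what a stats service should do. The same idea carries over to OAuth 2.0 providers, where the `scope` you request plays the role of `x_auth_access_type`.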
