The dangers of allowing third-party websites and apps access to your social media streams were highlighted this week after We Heart It, a social streaming service with around 25 million users, turned off its Twitter image-sharing facility following a possible hijacking of its Twitter stream.
Since early yesterday, Twitter users have seen a steady stream of tweets saying ‘If I didn't try this my life wouldn't have changed’, followed by a link. Some posts reportedly included a tag referencing Weheartit.com.
On Wednesday, We Heart It wrote on Twitter: “We've temporarily disabled sign-in and sharing via Twitter while we look into an issue. Please sign-in via email in the meantime.”
SCMagazineUK.com notes that the Twitter stream was enabled by We Heart It back in early January, using the Twitter extended API function also seen on services such as Hootsuite and Sensible.
The problem with this kind of API access is that it does not depend on the user's password. When a user authorises a third-party service, Twitter issues that service its own OAuth access token, and the service signs every subsequent API call with that token rather than logging in with the account credentials. Changing the password on the primary Twitter account therefore does not cut the service off: its token normally stays valid until the user explicitly revokes the app from the list of connected applications in Twitter's settings.
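To make the point concrete, the following is an added example (not code from We Heart It, Twitter or this article) modelling both sides of an OAuth 1.0a exchange of the kind Twitter's API used at the time: a third-party app signing a status update with HMAC-SHA1 over its consumer secret and the user's token secret (RFC 5849), and a toy provider that keeps a password table and a separate token store. The endpoint URL, consumer key and secret, the app name "HeartShare" and all tokens are constructed for the example; nonce and timestamp replay checks are left out so the run is reproducible. It shows that a password change leaves the signed request valid and only revoking the token rejects it.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only alphanumerics and - . _ ~ stay unescaped."""
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the OAuth 1.0a signature base string from every request parameter
    (oauth_* fields plus query/body fields, excluding oauth_signature itself)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string. The key is consumer secret '&' token secret;
    the user's account password never enters this computation."""
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


class ApiServer:
    """Toy model of the provider: a password table and an independent token store."""

    def __init__(self, consumer_secret: str):
        self.consumer_secret = consumer_secret
        self.passwords = {}   # user -> password hash; OAuth never consults this
        self.tokens = {}      # oauth_token -> (user, token_secret, app_name)

    def set_password(self, user: str, password: str) -> None:
        self.passwords[user] = hashlib.sha256(password.encode()).hexdigest()

    def authorize_app(self, user: str, app: str) -> tuple:
        """What 'Authorize app' does: mint a long-lived token bound to user and app."""
        token, token_secret = secrets.token_hex(16), secrets.token_hex(16)
        self.tokens[token] = (user, token_secret, app)
        return token, token_secret

    def revoke_app(self, user: str, app: str) -> int:
        """The only action that actually stops the app: delete its tokens. Returns count removed."""
        doomed = [t for t, (u, _, a) in self.tokens.items() if u == user and a == app]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

    def handle(self, method: str, url: str, params: dict, signature: str) -> bool:
        """Accept the request only if the token is still live and the signature verifies."""
        entry = self.tokens.get(params.get("oauth_token", ""))
        if entry is None:
            return False  # 401: token unknown or revoked
        _, token_secret, _ = entry
        expected = sign(method, url, params, self.consumer_secret, token_secret)
        return hmac.compare_digest(expected, signature)


def app_post(server: ApiServer, token: str, token_secret: str, text: str) -> bool:
    """The third-party app posting on the user's behalf with its stored token."""
    url = "https://api.example.com/1.1/statuses/update.json"  # constructed endpoint
    params = {
        "oauth_consumer_key": "example-consumer-key",          # constructed
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1400000000",                        # fixed for reproducibility
        "oauth_nonce": "fixednonce",
        "oauth_version": "1.0",
        "status": text,
    }
    sig = sign("POST", url, params, server.consumer_secret, token_secret)
    return server.handle("POST", url, params, sig)


def demo() -> dict:
    """Walk through authorise -> password change -> revoke and record whether each post is accepted."""
    server = ApiServer(consumer_secret="example-consumer-secret")  # constructed
    server.set_password("alice", "hunter2")
    tok, sec = server.authorize_app("alice", "HeartShare")          # hypothetical app name
    results = {"after_authorize": app_post(server, tok, sec, "first post")}
    server.set_password("alice", "a-much-better-passphrase")       # user reacts to the spam
    results["after_password_change"] = app_post(server, tok, sec, "still posting")
    server.revoke_app("alice", "HeartShare")
    results["after_revoke"] = app_post(server, tok, sec, "should be rejected")
    return results


if __name__ == "__main__":
    for step, accepted in demo().items():
        print(f"{step:22s} -> {'accepted' if accepted else 'rejected (401)'}")
```

The practical check this implies: after an incident like this one, rotating the Twitter password is not enough; the user has to visit the connected-apps list and revoke the offending app, and the provider's own incident response should invalidate the issued tokens server-side rather than rely on users doing so.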
Both social media services are investigating the root cause of the spam outbreak. We Heart It president Dave Williams told Ars Technica that any malicious activity has been blocked and the company is investigating further.
"Unfortunately I don't have any other information I can share at this point," he said. We Heart It representatives later took to Twitter to say sign-in and sharing over Twitter had been temporarily disabled.
Unconfirmed reports on some security forums suggest that the issue may be related to a phishing attack.
Keith Bird, UK managing director with Check Point, said that targeted phishing campaigns continue to work, as it is something of a numbers game for criminals.
"In 2013, Check Point's research found that spear-phishing campaigns are targeting a limited number of users within organisations,” he said.
He went on to say that attackers use social media profiling to create emails that recipients are more likely to open, instead of blanketing the entire organisation with easily detected phishing emails.
“This approach has led to more malware being planted on networks - and a 20 per cent increase in hosts accessing malicious sites compared to 2012,” he said.
Independent security analyst Graham Cluley has been doing some research on the emerging We Heart It/Twitter security issue and said that, if Twitter users make the mistake of clicking on the link, they are taken to a fake Women's Health magazine site promoting Garcinia Cambogia ‘miracle diet’ pills.
Many of the Twitter users sending the spammed tweets, he explained, are also members of the We Heart It social network and the tweets themselves were being sent via WeHeartIt.com.
"In other words, We Heart It users can connect their accounts with their Twitter accounts, to share their ‘hearted’ messages with their friends. It's a bit like sharing your favourite Pinterest pins I imagine," he said, adding that he looks forward to hearing more from We Heart It about what precisely went wrong.
"We Heart It says it has now resolved the issue, and that it has not seen any evidence that users' personal data was exfiltrated during the exercise. However, there certainly wouldn't be any harm – in my opinion – if you changed your We Heart It password at the very least, and ensured that it wasn't the same as any other password you might use on the Internet," he noted.