I'm posting this because this morning, my twitter account started spewing out hundreds of DMs to all my followers. So I thought I'd provide an explanation for how this happened.
Firstly I would like to take this opportunity once again to apologise for letting this happen. I'm usually scrupulous with security and this is a lapse which could have been avoided with a little bit more thinking.
Right, so the situation: I was perusing tweets and DMs in my usual manner on my iPad before getting out of bed on a Sunday morning, when I saw a DM sent to the @GoSquared twitter account saying something along the lines of "hey, someone's been saying nasty things about you [some link]" (I can't remember the exact wording because I've deleted it now and forgot to take a screenshot). Now, while in some circumstances this might scream spam straight off, it is an unfortunate fact that there was a nonzero probability that there actually was someone saying nasty things about GoSquared. So I tapped the link.
Now, had I clicked that link on my computer, I would have seen this:
This would definitely have sent alarm bells ringing, not only because the URL is "twititre.com", but because I force SSL on all twitter pages for my account, and this page wasn't encrypted. But no, because I was on my iPad, I saw this:
Notice that the two major warning signs I would have seen on a desktop browser (the incorrect domain and lack of encrypted connection) aren't visible here. The effect is further compounded by the fact that twitter has been known in the past to break their mobile website, even in their own apps, and force you to log in again. So I wasn't entirely surprised to see this screen. And to be fair to the scammers, it's not a bad knockoff. If they'd just put in a tiny bit more effort to get the logo and copyright date right, there would have been absolutely nothing to indicate I wasn't actually on the real twitter.com. And it's not specifically Tweetbot's fault at all. The same would have happened had I been using any other twitter client that opens links within the app.
This highlights a rather severe and fundamental design problem with apps that incorporate web views. If they don't show the URL and they don't give any indication whether or not a connection is encrypted, it's incredibly easy for someone with nefarious thoughts in mind to clone another website. I was lucky, because I only use that password for twitter. But what about people who use the same password in several places?
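To illustrate the web-view point above, here is a small Python check (added here, not code from the original post) that a client could run before loading a link, surfacing exactly the two signals a desktop browser would have shown: an unencrypted scheme and a host that is not, but looks like, the expected site. The trusted host list and the lookalike threshold are assumptions.

```python
from urllib.parse import urlsplit

# Hosts this (hypothetical) twitter client expects to load; anything else is
# "some other site" and the user should be told so before a login form appears.
TRUSTED_HOSTS = {"twitter.com", "mobile.twitter.com", "api.twitter.com"}

# Levenshtein distance at or below this is reported as a lookalike.
# Assumption: 3 catches "twititre" vs "twitter"; tune for your own brand names.
LOOKALIKE_THRESHOLD = 3


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host (simplification: no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def vet_link(url: str) -> list[str]:
    """Warnings an in-app web view should display before rendering `url`.

    An empty list means neither signal fired; it is not a guarantee of safety.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append(f"connection to {host or url} is not encrypted "
                        f"(scheme: {parts.scheme or 'none'})")
    if host in TRUSTED_HOSTS:
        return warnings
    base = registrable(host)
    for trusted in sorted(TRUSTED_HOSTS):
        tbase = registrable(trusted)
        d = edit_distance(base, tbase)
        if 0 < d <= LOOKALIKE_THRESHOLD:
            warnings.append(f"host {host} looks like {tbase} "
                            f"(edit distance {d}) but is a different site")
            break
    else:
        warnings.append(f"host {host} is not a known twitter host")
    return warnings
```

Run against the link in this story, `vet_link("http://twititre.com/login")` returns both warnings; the real login page over HTTPS returns none.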
Another problem that became apparent when I was trying to rescue my account once the @mentions came flooding in saying "Err, what the hell is this?", was that the main Twitter website just doesn't show all DMs. It's reasonably good at showing active two-way conversations that have happened fairly recently, but for anything else (like, for example, when your account's sent out a pile of spam DMs), it only shows a tiny proportion for some reason. Which made it extremely hard to gauge the magnitude of the situation. Luckily, their API is less unreliable, so I could check out all the DMs I had (apparently) sent in Tweetbot (once I'd reactivated its permission to access my account) and get to work deleting them and sending follow-ups ("Sorry, I'm a complete moron. Won't happen again" type thing). This is definitely something twitter needs to sort out.
And once again, most sincere apologies if you've received such a DM from me this morning. And if (heaven forbid) you fell hook, line and sinker just as I did, for God's sake, change your password (and anywhere else you use that password), and revoke all app access immediately!