
Twitter spam wave

96 points | mntmn | 12 years ago | twitter.com | reply

49 comments

[+] mntmn|12 years ago|reply
My own timeline was compromised, so I started looking into this. A fake tweet was posted on my behalf with "Twitter for iPhone" as the source. I haven't had an iPhone for quite some time, but I used to have the app back in the day and never revoked access until now.
[+] mntmn|12 years ago|reply
Update: Automatically got an email from Twitter saying:

> Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.

The spam tweet posted on my behalf was automatically deleted.

(Edit: For reference, the spammy link pointed to a domain called apaloreto dot info, but led to a 404 in my case)

[+] drmarianus|12 years ago|reply
I use a Nexus 5 but recently I got a notification from MyPermissions [0] saying "Twitter for iPhone gained access to certain permissions." I checked it and it said it had rights to post on my behalf. I quickly removed all permissions as this was rather suspicious. I would recommend doing the same.

[0] http://mypermissions.com/

[+] lawl|12 years ago|reply
Luckily my timeline was not affected.

However, I wonder, shouldn't Twitter be able to pick these messages up automatically fairly fast, after (I assume) hundreds if not thousands of users have flagged them?

Also, the spammers can't have unlimited IPs. Twitter's anti-spam kinda seems to lag behind e-mail (subjectively).

Is there a reason the same techniques used in E-Mail aren't applicable to Twitter?

[+] mkjones|12 years ago|reply
So I can't speak for Twitter, but I work on anti-spam at Facebook, and imagine the problems we face are relatively similar. It's worth noting that there's a constant barrage of people trying to send varying degrees of spam. It's not like there's An Attack all of a Sudden - just occasionally people close to the HN social network happen to be targeted by something and it's magnified by the media / hive mind local to us.

> shouldn't Twitter be able to pick these messages up automatically fairly fast

Theoretically, sure. As a human looking at an attack, it's usually pretty easy to pick out "obvious" attributes that they should have been able to catch. But when you're operating at a scale like us or Twitter, even stuff that looks like it's obviously-indicative-of-badness often has false-positives (posts flagged as spam that are not). The long tail of weird stuff that a billion users do can be pretty crazy.

At the same time, the "obvious" attributes of an attack are often very cheap for an attacker to change. Instead, we try to go after more expensive resources (domains, source IPs, etc).

> after (I assume) hundreds if not thousands of users have flagged them

Sadly, looking at flags of content is not a silver bullet. The signal is very sparse (a given spam post is rarely flagged), and nonspam posts are frequently flagged (religious and political speech are great examples - and they are the worst kind of false positive if you delete them as spam). These problems can be somewhat mitigated if you aggregate flags over a dimension that's expensive for the attacker (domain-posted, IP that posted the content, text shingles), but even then the recall isn't necessarily great and you could still catch e.g. controversial political domains.

> the spammers can't have unlimited IPs

True, though you can rent space on a botnet that has many, geographically-diverse, real-user IPs. Also, I imagine a significant chunk of posts to Twitter come from apps, many of which each use a single IP to post tons of content.

> Is there a reason the same techniques used in E-Mail aren't applicable to Twitter?

There's definitely some overlap. I'm not an expert at email anti-spam, but in general it's a relatively different problem. "Traditional" email spam is sent from some random email address on / via a compromised machine or open relay, and seems to be relatively well solved. But it sounds like this Twitter attack was caused by compromised accounts. At least anecdotally, it seems that email vendors are also not great at detecting this kind of attack. For example, my Gmail account (with arguably the best spam protection in the industry?) gets a message every few weeks from some compromised friend's account (i.e. someone had their email password stolen and the attacker is using it to "legitimately" send mail after authenticating to that email service with the correct password).
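
The aggregation mkjones describes above, pooling sparse flags over the linked domain and over text shingles, sketched as an added example that is not part of the original comment and not Facebook's or Twitter's code. The posts, `.example` domains, flag counts and thresholds are constructed assumptions; note that the political domain lands in the review queue too, which is the false-positive caveat from the comment.

```python
from collections import defaultdict
from urllib.parse import urlparse
import re

# Constructed sample: (post_id, account, text, flag_count). Not real data.
POSTS = [
    (1, "a1", "Seriously the best thing I have ever tried http://spam.example/x1", 0),
    (2, "a2", "Seriously the best thing I have ever tried http://spam.example/k9", 1),
    (3, "a3", "seriously the best thing i have ever tried! http://spam.example/q", 0),
    (4, "a4", "Seriously the best thing I have ever tried http://spam.example/zz", 1),
    (5, "a5", "Seriously the best thing I have ever tried http://spam.example/7", 1),
    (6, "b1", "Lunch was great today http://photos.example/1", 0),
    (7, "b2", "Why the new tax bill is wrong http://politics.example/a", 2),
    (8, "b3", "The tax bill debate continues http://politics.example/b", 1),
]

URL = re.compile(r"https?://\S+")

def shingles(text, k=4):
    """Word k-grams of the text with URLs removed and case folded."""
    words = re.findall(r"[a-z0-9']+", URL.sub(" ", text.lower()))
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def keys_for(text):
    """Aggregation keys for one post: linked domains plus text shingles."""
    keys = {("domain", urlparse(u).hostname) for u in URL.findall(text)}
    keys |= {("shingle", s) for s in shingles(text)}
    return keys

def aggregate(posts):
    """Sum flags and collect distinct posting accounts per key."""
    flags, accounts = defaultdict(int), defaultdict(set)
    for _pid, account, text, n in posts:
        for key in keys_for(text):
            flags[key] += n
            accounts[key].add(account)
    return flags, accounts

def review_queue(posts, min_flags=3, min_accounts=2):
    """Keys whose pooled flags reach min_flags across min_accounts accounts."""
    flags, accounts = aggregate(posts)
    return sorted(k for k in flags
                  if flags[k] >= min_flags and len(accounts[k]) >= min_accounts)

def per_post_hits(posts, min_flags=3):
    """Baseline: posts that reach the same flag threshold on their own."""
    return [pid for pid, _a, _t, n in posts if n >= min_flags]
```
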

[+] devindotcom|12 years ago|reply
I don't know. Part of the normal use case of Twitter is people mindlessly retweeting something or posting the exact same thing as everyone else. That's just trending stuff. With something thousands and thousands of people are sharing, it would take quite a few flagging it to raise any red flags.
[+] chimeracoder|12 years ago|reply
> Is there a reason the same techniques used in E-Mail aren't applicable to Twitter?

Twitter relies on very low latency - i.e., once you tweet something, if it takes a whole minute to appear in your friends' timelines, it could already have lost much of its value.

Lots of spam reduction techniques introduce latency to levels that are unacceptable to Twitter's use case.

I'm not sure why it didn't catch these, but I can imagine why the same techniques aren't applicable in general.

[+] enthdegree|12 years ago|reply
Funny how now the search is full of tweets referencing the "Twitter Spam Wave"
[+] eponeponepon|12 years ago|reply
I am not a Twitter user. Can anyone explain what I'm looking at here? The outcome of malicious JavaScript?
[+] mntmn|12 years ago|reply
My spam tweet had "Twitter for iPhone" API access as the source, and I wasn't using an iOS device at the time it was posted. It's unclear what actually happened.
[+] mahouse|12 years ago|reply
The bit.ly link is marked as spam and shows a warning, and then the shortened link doesn't load at all. The spammer failed :P
[+] themoonbus|12 years ago|reply
I additionally went through a Twitter warning before I got to the bit.ly warning
[+] jhdkjqhkjqhwk|12 years ago|reply
I don't twitter but whenever I'm shown a tweet I'm astounded at the amount of redirection involved in linking.
[+] rplnt|12 years ago|reply
This link to search over dynamic content is as pointless as those "service x is down" linking to service x.
[+] Houshalter|12 years ago|reply
"Seriously the best thing I have ever tried" - what on Earth would be the purpose of spamming that?
[+] aalpbalkan|12 years ago|reply
Proof of concept? The attacker might use something else in the future.
[+] Kiro|12 years ago|reply
I don't see anything special. Have the tweets been removed? What was it?