How to deal with #Twifakes

Aug 20 2010

Twifakes is a spam website created by Cairo Noleto @caironoleto and Cleiton Francisco @cleitonfco. I’m sure they’ll be happy to answer any questions you may have about it.

You may have seen the website at http://twifakes.heroku.com/ which promises to tell you how many “fake” Twitter followers you have.

Do not authorise this website. It tweets without your permission and there’s no telling whether it may do other damage to your account.

If you’ve authorised it, here’s what to do:

  1. Go to your Settings/Connections page on the Twitter website and Revoke Access for the Twifakes app.
  2. Delete the tweet that Twifakes sent from your account. This will slow the spread of the site.
  3. Notify Heroku that they are hosting a malicious website.
  4. Notify @spam and/or @safety about the site. #Twifakes doesn’t have its own Twitter account.

In case you’re wondering, your number of “fake” followers is the number of followers you have divided by twelve. Hardcore algorithm.

Twitter is currently in the process of closing down the old Basic Authentication system which meant you had to give apps your password before they could read or write your account. Obviously this system was open to abuse, but the upside was that people were generally pretty careful about where they disclosed their password. Ironically, the new OAuth authentication system that doesn’t require you to give your password to an app is also open to abuse because people are more likely to trust it.

Twitter needs to be much clearer about what a requesting app is being authorised to do with your account (if legitimate, #Twifakes would only need read access, not write access) and be much quicker about closing malicious apps such as this.
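To make the contrast between the two schemes concrete, this added example (not code from Twifakes or Twitter) builds both kinds of `Authorization` header: Basic Authentication, which carries the password itself, and an OAuth 1.0 HMAC-SHA1 header per RFC 5849, which carries only a signature made with a revocable token secret. All credentials, the endpoint URL and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials and endpoint, not real values.
USER, PASSWORD = "alice", "correct horse"
CONSUMER_KEY, CONSUMER_SECRET = "app-key", "app-secret"
TOKEN, TOKEN_SECRET = "user-token", "user-token-secret"
URL = "https://api.example.com/1/statuses/update.json"


def basic_auth_header(user, password):
    """Basic Authentication: the app has to hold the account password."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def pct(value):
    """Percent-encode as OAuth 1.0 requires (RFC 5849, section 3.6)."""
    return quote(str(value), safe="-._~")


def oauth_header(method, url, params, token, token_secret, nonce, timestamp):
    """OAuth 1.0 HMAC-SHA1: the app proves it holds a revocable token."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # Signature base string: method, URL and all sorted, encoded parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in {**params, **oauth}.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # The signing key is built from the two secrets; neither is transmitted.
    key = f"{pct(CONSUMER_SECRET)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return "OAuth " + fields


if __name__ == "__main__":
    print(basic_auth_header(USER, PASSWORD))
    print(oauth_header("POST", URL, {"status": "hi"},
                       TOKEN, TOKEN_SECRET, "n1", "1282262400"))
```

The Basic header decodes straight back to the password, while the OAuth header exposes only the token identifier and a signature, so revoking the token cuts the app off without a password change.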

12 responses so far

  1. [...] This post was mentioned on Twitter by Adrian Short, Evidence Matters, Evidence Matters, sfsutcliffe, Niklas Hellgren and others. Niklas Hellgren said: @Tuss84 It's a fake@Tuss84 http://blog.adrianshort.co.uk/2010/08/20/how-to-deal-with-twifakes/ [...]

  2. [...] This post was Twitted by zacharyparadis [...]

  3. [...] This post was Twitted by WorldHistory102 [...]

  4. The Twifakes number of fake followers is simply your total number of followers divided by 12.

    I’m suspicious of this application. If I were a hacker, and I wanted to gain access to people’s Twitter accounts, this is exactly the kind of application I would create.

    It might be fine; I don’t know. But people should be careful about giving a stranger access to their account.

  5. [...] Yesterday, after my first encounter (and a quick skim of the API documentation) with this tweeting thing's new OAuth authentication, I was still rambling about the fail of the day, but I at least speculated that something like this might be intended as protection against spam and owned accounts; today I already have to read the following about it: It is somewhat ironic that the new OAuth authentication method, which by its us…… [...]

  6. Hi, I’m the creator of the Twifakes.

    You can understand Twifakes just by reading the readme!

    See it at http://github.com/GuruPI/twifakes/blob/master/README.mkdn

  7. It’s a joke! Just for fun!

    Enjoy it. :D

  8. Tweeting a viral link on users’ accounts without their permission isn’t fun, it’s spam.

    Stop it.

  9. [...] number), so one of her dedicated followers was kind of enough to point her to Adrian Short’s excellent Twifakes post. In it, Adrian offers the following bit of quasi-conspiratorial (albeit excellent) advice: You may [...]

  10. The user needs to click the “Tweet this” button. What other type of permission do you want? On paper?

    Ha! Ha! Ha!

    You are very funny!

    Good Luck! :D

  11. For now, the Twifakes program is not tweeting without a user’s permission. From what I’ve read (from several users), this is a change from the original program, which DID tweet from people’s accounts without any warning.

    As I understand it, OAuth authorization does NOT expire. It will continue to provide access to an account indefinitely, unless it is specifically deauthorized. That, to me, is the real danger of a program like Twifakes. Many Twitter users do not realize that they can, and should, deauthorize an app they no longer need or want to use.

  12. Dan,

    OAuth offers a key for authentication. This key can be stored and used at other times; otherwise, an application can use it only once.

    Twifakes doesn’t use a database or other storage. You can see the source at http://github.com/GuruPi/twifakes

    Enjoy Yourself! :D