
“hey! 23/Female. Come chat with me on my webcam thingy” attack on Twitter

Can’t believe this hasn’t been picked up by the major blogs yet, but I’m seeing a lot of friends having their Twitter accounts compromised with this unauthorized tweet:

hey! 23/Female. Come chat with me on my webcam thingy here www.chatweb*********.com

(redacted by me).

A quick search on Twitter Search shows this is happening to a very large number of people. (If you do visit the site, be aware it’s NSFW.)

How is this happening?

The most likely vector for this attack is one of the numerous third-party Twitter services that ask for your username and password in order to provide additional functionality (statistics, alerts, etc.).

It’s unlikely that any reputable service would have done this intentionally, but very likely that someone was able to gain access to one of their databases and steal all of the Twitter usernames and passwords held there. Because these services must authenticate with Twitter directly using those credentials, it’s not possible for them to store the passwords hashed.

The answer to this is OAuth, which Twitter is in the process of launching.

The most recent check of Twitter search shows that the last message was posted 2 hours before the time of writing, which probably means Twitter put a stop to this, presumably by blocking any posting of that specific string of text. That doesn’t mean the attackers won’t try again with a different message.
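As an added example (not code from the original post), here is a small Python detector of the kind a platform or a worried admin could run over a feed of tweets: it flags exact copies of the quoted template, and uses a fuzzy comparison to catch reworded copies of the sort the post warns may follow. The domain and the sample tweets are constructed placeholders, since the post redacts the real site.

```python
import re
from difflib import SequenceMatcher

# Text of the unauthorized tweet quoted in the post. The real domain is
# redacted there, so a constructed placeholder stands in for it.
TEMPLATE = ("hey! 23/Female. Come chat with me on my webcam thingy here "
            "www.placeholder-redacted.com")

# Signature for the exact template; tolerant of age, gender and domain changing.
TEMPLATE_RE = re.compile(
    r"hey!\s*\d{1,2}/(?:fe)?male\.?\s*come chat with me on my webcam thingy\s+here\s+"
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})",
    re.IGNORECASE,
)
URL_RE = re.compile(
    r"(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\S*", re.IGNORECASE)

def normalize(text: str) -> str:
    """Lower-case and mask URLs and numbers so reworded copies compare alike."""
    text = URL_RE.sub("<url>", text)
    text = re.sub(r"\d+", "<n>", text)
    return re.sub(r"\s+", " ", text.lower()).strip()

def classify_tweet(text: str, threshold: float = 0.8) -> dict:
    """Return an exact/variant/clean verdict, the domain if exact, and a similarity score."""
    m = TEMPLATE_RE.search(text)
    if m:
        return {"verdict": "exact", "domain": m.group(1).lower(), "score": 1.0}
    score = SequenceMatcher(None, normalize(TEMPLATE), normalize(text)).ratio()
    verdict = "variant" if score >= threshold else "clean"
    return {"verdict": verdict, "domain": None, "score": round(score, 2)}

def compromised_accounts(tweets):
    """tweets: iterable of (user, text). Returns users whose tweets match the campaign."""
    return sorted({user for user, text in tweets if classify_tweet(text)["verdict"] != "clean"})

# Constructed sample feed: one exact copy, one reworded copy, two benign tweets.
SAMPLE_TWEETS = [
    ("alice", "hey! 23/Female. Come chat with me on my webcam thingy here www.chatweb-example.com"),
    ("bob", "Great talk at SXSW this afternoon, see you at the party on the 15th"),
    ("carol", "hey! 21/Female. Come chat with me on my webcam thing here www.chatcam-example.net"),
    ("dave", "Changed my Twitter password after reading about the webcam spam. You should too."),
]

if __name__ == "__main__":
    for user, text in SAMPLE_TWEETS:
        print(user, classify_tweet(text))
    print("accounts to force a password reset on:", compromised_accounts(SAMPLE_TWEETS))
```

Accounts the detector flags are the ones whose owners should be told to change their password and revoke access for any third-party service they gave it to.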

My advice is:

  • Change your password, especially if you have been attacked by this.
  • Never use the same password you keep for Twitter anywhere else.
  • Limit the number of sites you put your Twitter username/password into.
  • Change your password often to stop old sites you don’t use from still having access to your account.

Published in Links News


  1. […] that means. In the meantime, as an enterprisey guy – I am far from being a happy bunny. Bonus link: Ben talks about this issue – please bookmark. posted by Dennis Howlett March 6, 2009 @ 2:46 […]

  2. Well put about OAuth. I wish there was a way to get the multitudes of reasonably popular social networks to move API authentication over to OAuth. Not only that, but OAuth needs to insist on its documented standard. Too many people implement OAuth and hack it up to “get it to work” and it just screws up the standards.

    I’ve written about this on my personal blog:

    Nice post. I’ve added you to my regular reads.

    I also noticed you are registered for our SXSW party on the 15th. We should have a chat.
