Thursday, July 2, 2009

Be careful what you download

Yesterday one of my favorite twitter buddies and I were recommended to download Twiping.
Twitter has changed their following page so that now you have to click an icon on each tweeter to see if they followed and turned around and unfollowed as soon as you followed them back. Twiping is supposed to make it easy to see if someone does that.

I did not install it because it told me that I would have to install NET framework in order to run it. I refused to download anything else. Good for me. Not so good for him.

Because my fellow tweeter downloaded Twiping his account got hacked. He contacted me because he was afraid I also ran the program on my computer. He is a good guy. Now his hacked account is posting spam over and over and... you get it.

Be very, very careful what you download.


  1. Thanks for that Coltpixy! Can never be too careful.

  2. I'm the author of twiPing, and it is not spyware and would not cause an account to be hacked. I'm curious if you guys have any concrete details linking twiPing to this hack, so I could prevent any problems in the future.

  3. I'm guessing it was just a weak twitter account password, not twiPing that caused this.

  4. J.D. it happened not long after he ran the program and that is what he said he, "traced it back to".

    I totally agree that a weak password will get you hacked. It is best to use a combination of characters and never use words found in a dictionary.
    It is also a good idea to never use the same password in multiple places.

  5. it is still always a good idea to research 3rd party apps like this, to make sure.

    I've found that the more users that have the app, the more likely it is to be "safer". Nothing is 100% safe on the internet anymore, and like you said, CP, "Be very, very careful what you download."

    JD, it is entirely possible that once downloaded, the source was cracked and used to hack accounts of people you are following or who are following you. (I have seen it with 3rd party Yahoo apps, and we all know how many holes Yahoo has anyway). So it may not have been the intent of your software, it could have been a crack exploit.

    I am not slamming any product here, for I've not tried "twiping" but as a general rule, only access twitter directly for my updates.

  6. Since twiPing runs locally on your desktop and encrypts and saves your credentials there, your desktop computer would have to be compromised in order to get the credentials you entered into twiPing. If your PC was compromised in this way, I would guess the attacker would be interested in things much more valuable than your Twitter password. Maybe not.

    Either way, I'm investigating using the new OAuth functionality from the Twitter API so users no longer have to provide their true Twitter credentials to twiPing.

  7. Thank you J.D.
    This whole situation is horrible. I wish it didn't happen to my twitter buddy and I wish this was not happening to you.
    I never thought that the programmer of twiping was doing the hacking but someone else taking advantage of its vulnerabilities.


Thank you for taking time to reply. I really appreciate it.