Terence Eden. He has a beard and is smiling.

Terence Eden’s Blog

How To Prevent QR Hijacking

· 3 comments · 400 words · Viewed ~1,658 times


A poster behind some glass. A paper QR code is stuck on top of the glass. It is easy to see it is a replacement code.

QR-jacking is the act of covering up a QR code and replacing it with an alternative - often malicious - code. Your carefully crafted code could be replaced by one which... Points to a rival's site. Calls a premium rate phone number. Redirects the user to a site which EXPOSES THE TRUTH BEHIND... Goes to a non-legitimate site which asks for credit card / personal details. …

A (Minor) Twitter Privacy Bug?

· 1 comment · 500 words · Viewed ~204 times


The Twitter logo.

Quick Summary Twitter's secure API hides the contents of the tweets you are reading. But it doesn't hide the images of those you converse with. Raised as Issue 2175. A Bit More Detail Twitter has a secure (HTTPS) and insecure (HTTP) API. When calling the secure API, all the content of the returned message (tweets) are encrypted. Eavesdroppers only see the cipher-text - essentially garbage. …

OAuth Will Murder Your Children - for one week only!

· 2 comments · 300 words


Why doesn't Twitter's OAuth let me specify the length of time a 3rd party has access to my account? Take a look at all the crap you've given access to your Twitter account. Are you ever going to use that "See how many of your friends like cheese" app again? No. Long time readers will know that I have some severe usability and security concerns with Twitter's OAuth implementation. See also my …

The Perfect Twitter Spam Attack?

· 2 comments · 700 words · Viewed ~233 times


This morning, when I logged on to Twitter, I saw a user who I didn't recognise tweeting away in my timeline. I wracked my brains thinking about how they could have gotten in there before I realised it was a long-dormant friend who had changed their name and avatar. But, in thinking about how a spammer could infiltrate one's timeline, I think I came up with a fairly bullet-proof method to spam…

Twitter's new OAuth Problem

· 4 comments · 550 words · Viewed ~474 times


The Twitter logo.

Twitter have announced that all third-party sites will have to use OAuth. You will no longer be able to just type in your username and password to get access to Twitter via your favourite web client. Usually, I would be a big fan of this move - especially if it forces password anti-pattern sites like TwitPic to implement the new, secure standard. This means that you won't be able to log in to a …

Twitter OAuth - Mobile Failures

· 4 comments · 550 words · Viewed ~1,025 times


I'm a big fan of OAuth - despite some claims to the contrary. It's an excellent way of teaching people not to stick their username and password into any old site which asks for it. Which is why I'm so incredibly disappointed in Twitter's implementation of mobile OAuth. For a service which started out operating by SMS, Twitter takes a surprisingly unenlightened view of mobile. Its main mobile …

Twitter, OAuth and Passwords - Oh My!

· 38 comments · 550 words · Viewed ~5,624 times


Twitter has a gaping security hole. Changing your password won't stop malicious users logging in as you! I received a rather worrying email from Twitter. Apparently they thought my password had been compromised and needed to be reset. Reset Your Twitter Password After checking to see if it was valid, I went and changed my password. Any site which relied on a cookie to post to Twitter would h…

Video Surveillance Comes to Mobile

· 1 comment · 600 words · Viewed ~213 times


Monitoring your home or business used to mean having an array of unsightly cameras feeding grainy, washed-out pictures into a row of VHS machines. In recent years we've seen the move to digital pictures, infra-red beams for night vision and, most recently, viewing over the Internet. What's the next logical step? Viewing on your mobile, of course! Two British companies have come up with some…