The First Twitter Worm Surfaces – Plain Passwords to Blame?

Back in March, I reported the occurance of a new worm on Facebook, which surfaced due to a phishing scam, and took over users’ profiles.  It would appear that a similar scam is surfacing on Twitter as we speak.  The scam comes in the form of a direct message to a user’s followers, stating “hey! check out this funny blog about you…”, followed by a URL.  When you click on the URL it takes you to a phished version of Twitter, looking exactly like the original Twitter site, which collects your username and password.  I’ve received about 5 of these just in the past hour so it is spreading rampantly. Twitter just reported the incident here.

Asking those that have sent the message, it would appear most of them filled out the form thinking they were logging into Twitter, so it is most likely one person that sent such a message to all their followers, starting the domino effect of spam and password collection.  This begs the question, though, which I’ve brought up multiple times in the forums and Chris Messina blogged about today on the urgency of Twitter requiring OAuth or similar Key-based authentication in the API.  It would take any application, similar to Twtply, to be sold to a spammer, full of usernames and passwords to set off such a worm.  Essentially, any application which collects your username and password right now has the potential to turn its users into Twitter zombie accounts, similar to this worm spreading currently, spreading false information, collecting bank account information, or you name the possibility.

I hope Twitter has this as their number one priority currently – stopping this worm is important, but implementing some sort of key-based authentication such as OAuth should be the next thing on Twitter’s mind, and in my opinion, that should occur even before the new API push they are getting ready to launch.  Twitter – it sounds like you need a patch applied to your service!