What’s the best way for a malicious party to get its message in front of the people you know? Is it through malware that invades your computer, rifles through your contacts list, and sends out email? Tut-tut, that’s so 2009!
Mac users have often been smug about contact spamming because even when limited instances of malware hit the wild, they don’t hijack our email accounts and tap our address books. iOS users have an even broader smirk about the same issue. On the Windows side, Microsoft’s early decision to integrate email with the OS’s scripting engines made it too easy for spammers to take over and tell all your friends about the latest weight-loss supplement. Opening a message with a maliciously crafted anything would seemingly unleash a torrent of messages.
Of course, malware still exists, and naturally some of it tries to use contact lists (though turning a computer into a zombie that sends out spam from addresses supplied by the crooks is more likely). But the juncture to watch now is the intersection of social-networking logins and app permissions.
Discount Ray-Bans, anyone?
I’m sure you’ve seen it: You’re in Twitter, and you get a direct message or an @-message from a friend or someone who doesn’t seem to be a spambot, and they’re telling you about an amazing opportunity to buy gold. Your friend’s account password has typically not been compromised. (Although this is a reminder to tell your friends to turn on two-factor authentication everywhere they can.)
Rather than attack individual accounts, ne’er-do-wells now often attack services that have been given permission by people to post on their behalf. A single compromised service might yield thousands to millions of tokens that malicious parties can use to aid in identity theft, to run “I’m stranded in [city] and please wire $500” scams, or to post spam or links to compromised sites that install zero-day or recently patched exploits.
My suggestion? It’s time to tune up and tune out. If you don’t recognize an app or site or no longer use it, remove it from your list. You could also nuke all connections and then re-connect as prompted by apps you continue to rely on, though that’s a more severe option.
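To make the token point concrete, here is an added toy model (not code from the column or from any real service) of why a friend’s spam can flow without their password ever being stolen: an approved app holds a token that is independent of the password, so changing the password changes nothing, while revoking the app kills every token it holds. The provider, app names, and scopes are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Provider:
    """Constructed stand-in for a social network that issues app tokens."""
    passwords: dict = field(default_factory=dict)  # user -> password
    tokens: dict = field(default_factory=dict)     # token -> (user, app, scopes)
    posts: list = field(default_factory=list)

    def authorize(self, user, app, scopes):
        """User clicks 'Allow': the app receives a token bound to user + scopes."""
        tok = secrets.token_hex(16)
        self.tokens[tok] = (user, app, frozenset(scopes))
        return tok

    def post(self, token, text):
        """An app posts on the user's behalf; the password is never involved."""
        entry = self.tokens.get(token)
        if entry is None or "post" not in entry[2]:
            return False
        self.posts.append((entry[0], entry[1], text))
        return True

    def change_password(self, user, new):
        self.passwords[user] = new  # existing app tokens remain valid

    def revoke_app(self, user, app):
        """The 'Revoke'/'Remove' button: drop every token this app holds for user."""
        doomed = [t for t, (u, a, _) in self.tokens.items() if u == user and a == app]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

def demo():
    p = Provider({"alice": "hunter2"})
    post_tok = p.authorize("alice", "GoldDealsApp", ["read", "post"])
    read_tok = p.authorize("alice", "PhotoViewer", ["read"])
    # A copy of the app's token store is enough to post as alice (no password).
    via_stolen_token = p.post(post_tok, "Amazing opportunity to buy gold!")
    # A read-only token cannot post, so scope review matters too.
    via_read_only = p.post(read_tok, "x")
    p.change_password("alice", "correct horse battery staple")
    after_pw_change = p.post(post_tok, "Still posting")
    revoked = p.revoke_app("alice", "GoldDealsApp")
    after_revoke = p.post(post_tok, "Gone?")
    return via_stolen_token, via_read_only, after_pw_change, revoked, after_revoke
```

Running `demo()` returns `(True, False, True, 1, False)`: the stolen token works, survives the password change, and dies only when the app is revoked.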
Check permissions on Facebook
I have to hand it to Facebook: Despite its reputation, somewhat improved in recent years, for making free and easy use of your private information, it does work hard now to encourage users to stay on top of privacy settings. When I logged in to Facebook to pull out details to write this column, it greeted me with a friendly dinosaur reminding me to use its Privacy Checkup. (Who doesn’t like a friendly dinosaur?) This wizard walks you through your settings and suggests which to review. Bravo.
You can always find the Privacy Checkup in a browser by clicking the lock icon in Facebook’s top menu. To go straight to your third-party app permissions, open Settings and click the Apps link (or follow this link). This reveals a list of every app and website you’ve approved and what you’ve allowed each app to do at Facebook on your behalf.
Facebook tells me I’ve authorized 121 apps to have some kind of interaction with my account, and browsing the list tells me I should revoke access to a ton of them—in part because I can’t even remember most of the names. Hover over an app and click the pencil to edit permissions or the X to remove its access.
Check permissions on Twitter
In Twitter, you can visit Settings and click the Apps link as well. Twitter sorts the list in what seems to be an arbitrary order (neither by date nor alphabet), but it shows the date you approved the conduit. You can click the Revoke button to disable access, though Twitter gives you an option to click again to restore it.
If you’ve approved apps via built-in support in iOS, you’ll see a note next to those about “Learn how to revoke an iOS app.” The short answer is you have to find the entry titled “iOS by Apple” and revoke it, which cancels all access granted through iOS, but here’s Twitter’s longer answer.
Don’t forget Google and the rest
Google can use your account both to act as a substitute login at other sites, as well as to allow sites or apps to interact with your Google+ posts and settings. Click your icon on any Google page where you’re logged in, then click My Account. Below Sign-In & Security, click Connected Apps & Sites. Then click Manage Apps. You can click any name in the list to see assigned permissions and click Remove to disable access. (You can also use Sign-In & Security to check through recent activity from devices.)
You can look for similar settings at other social and professional sites, like Foursquare and LinkedIn, and at discussion networks, like Disqus, Gigya, and LiveFyre.
The good news is that because developers who use social networking and other APIs to act on behalf of users are required to register a unique app identity with each service, misuse is easily crushed by the service operator. But not always before an enormous number of messages go out.
Reducing the number of apps that have access to your accounts decreases the potential for your friends to send you pitying emails: “Friend, you got owned!”