Recently, Twitter accounts belonging to Duke University, Forbes and Amnesty International were hacked and used to send out tweets of swastika-laced propaganda supporting Turkish president Recep Erdogan.
Given the institutions involved, the accounts were likely protected by stringent security measures like two-factor authentication and strong passwords. But that wasn’t enough to stop the hackers.
The issue here is app permissions. If you’ve ever logged in to a site using your Facebook account, for example, you’ve used app permissions. It’s convenient, and you don’t have to worry about creating new passwords. Unfortunately, this convenience creates a security issue.
In the case cited above, it was an app called Twitter Counter that was the problem. This app is designed to give users analytics on their accounts, but it requests permission to tweet as well as see your data. If Twitter Counter is compromised, hackers can use that access to tweet anything they like from your account.
Access is limited, and these types of apps can’t change your password. Moreover, they never get your real password. Your main account authorizes the apps using a “token.” If you think of your main password as a house key, app permissions are like keys to the garage. The more of these that exist, the more likely it is that a nefarious person could obtain one and try to steal your car.
What can you do? Revoke as many permissions as you can, and do it regularly. Every account offers a way to see which apps have access to it, and it's wise to look through the list and remove anything you don't use or don't trust.
On Twitter, click the avatar at the top right, next to the Tweet button, and select Settings and privacy. You will see a list on the left side. Click Apps, then click Revoke Access next to anything undesirable.
For instructions on revoking access for Google and Facebook, please see:
How Hackers Can Break Into Your Accounts Without Your Password | Popular Mechanics
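The review described above can be made repeatable with a small script. This is an added example, not code from the original article or from any of the services it mentions: it works on an inventory you copy by hand from your account's Apps page, and the app names, permission labels, dates and the 90-day idle threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class AppGrant:
    name: str
    permissions: set   # what the app was granted, e.g. {"read", "write"}
    needs: set         # what its purpose actually requires (your judgment)
    last_used: date    # last time you remember using the app


def review(grants, today, max_idle_days=90):
    """Return {app name: [reasons]} for grants that deserve revocation."""
    findings = {}
    for g in grants:
        reasons = []
        # An analytics app that can also post holds more access than it
        # needs: if its token leaks, the attacker inherits the extra access.
        extra = g.permissions - g.needs
        if extra:
            reasons.append("over-privileged: " + ", ".join(sorted(extra)))
        # Every unused token is another "garage key" left lying around.
        idle = (today - g.last_used).days
        if idle > max_idle_days:
            reasons.append(f"unused for {idle} days")
        if reasons:
            findings[g.name] = reasons
    return findings


# Constructed sample inventory (hypothetical apps, not real services).
SAMPLE = [
    AppGrant("analytics-dashboard", {"read", "write"}, {"read"}, date(2017, 3, 1)),
    AppGrant("post-scheduler", {"read", "write"}, {"read", "write"}, date(2017, 3, 10)),
    AppGrant("old-quiz-game", {"read"}, {"read"}, date(2015, 6, 2)),
]

if __name__ == "__main__":
    for name, reasons in review(SAMPLE, date(2017, 3, 15)).items():
        print(f"Revoke candidate: {name} ({'; '.join(reasons)})")
```

The scheduler keeps its write access because posting is its purpose; the analytics app is flagged even though it is in active use, which is the situation the article describes.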