Monday, September 26, 2011

Botamba Owns Your Twitter Account

Updated
Scroll to the bottom for the updates.


Botamba.com is a blog aggregator and it used to allow creation of users and then each user would link his/her blog(s).

I checked yesterday after a friend mentioned it redirects to Twitter now, and it seems like they did change their methodology to requiring Twitter: it asks you to allow their application to access your Twitter account!!! It was based on a typical user/pass authentication previously.

What's worse is that their application gets the following permissions:
  • Read tweets from your timeline (even if it's private)
  • See who you follow, and follow new people
  • Update your profile
  • Post tweets for you
It cannot do the following:
  • Access your direct messages
  • See your Twitter password

Why does a blog aggregator need access to my Twitter account, to see my timeline, post for me, update my profile & other privileges?! That's a massive privacy invasion, even if it provides a certain ease of use for some users (to use their existing accounts).

If you did not know about this, and you've already allowed Botamba to access your account, you can deauthorize it by going to your profile settings, then Applications, and deauthorizing it from there.


So what could Botamba do?
They can get your tweets and follower list and sell that information to advertisers (currently sponsored by Zain). Advertisers can use the info to send you targeted advertisements by reading your tweets and seeing where you have been or what you liked and talked about with your friends.

How can I tell if Botamba posted on my timeline?
Some Twitter clients show the name of the program that posted on the timeline. In this picture you can see under the tweet the line "from TweetDeck." That's the name of the program and in case of Botamba, you'll see the line "from Botamba."
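As an added example (not from the original post), here is one way to audit a downloaded timeline for tweets posted through a third-party app rather than your usual client. It assumes tweets in the JSON shape the Twitter API returned at the time, where the "source" field is an HTML anchor naming the posting client (or the bare string "web"); the sample tweets below are constructed.

```python
import json
import re
from collections import Counter

# Assumption: the Twitter API exposes the posting client in each tweet's "source"
# field as an HTML anchor, e.g. '<a href="http://www.tweetdeck.com" rel="nofollow">TweetDeck</a>',
# or the bare string "web" for tweets posted from the website.
SOURCE_NAME_RE = re.compile(r">([^<]+)</a>\s*$")

# Constructed sample timeline (not real tweets); "source" values mimic the API format.
SAMPLE_TIMELINE = json.dumps([
    {"id": 1, "text": "morning coffee",
     "source": '<a href="http://www.tweetdeck.com" rel="nofollow">TweetDeck</a>'},
    {"id": 2, "text": "New post on my blog",
     "source": '<a href="http://botamba.com" rel="nofollow">Botamba</a>'},
    {"id": 3, "text": "lunch", "source": "web"},
    {"id": 4, "text": "Another aggregated post",
     "source": '<a href="http://botamba.com" rel="nofollow">Botamba</a>'},
])


def client_name(source):
    """Extract the client name from a tweet's source field ("web" has no anchor)."""
    m = SOURCE_NAME_RE.search(source)
    return m.group(1).strip() if m else source.strip()


def audit_timeline(timeline_json, trusted_clients):
    """Return (per-client tweet counts, tweets posted by clients outside trusted_clients)."""
    tweets = json.loads(timeline_json)
    counts = Counter(client_name(t["source"]) for t in tweets)
    unexpected = [t for t in tweets if client_name(t["source"]) not in trusted_clients]
    return counts, unexpected


if __name__ == "__main__":
    # Anything not posted from the web UI or TweetDeck is flagged for a closer look.
    counts, unexpected = audit_timeline(SAMPLE_TIMELINE, {"web", "TweetDeck"})
    for name, n in counts.most_common():
        print(f"{n:3d}  from {name}")
    for t in unexpected:
        print(f"unexpected client {client_name(t['source'])!r} posted tweet {t['id']}: {t['text']}")
```

If an app you never intended to post shows up in the flagged list, that is the cue to revoke it under Settings, Applications.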

Solution?
Ask Botamba to NOT use Twitter for authentication & not invade your privacy (even if they *promise* they wouldn't), and ask them to put back the old user registration system, or use OpenID instead.

I'm waiting for a comment from Botamba on this issue to see what they have to say about this.

Update:
- Oct 4th: Botamba has deployed a user/pass authentication system. You can link your Twitter account, but it gets read-only access to your timeline.
- Oct 5th: Botamba's valid reasoning in using Twitter account-linking: If you own a public Twitter account that you'd like to be mentioned in Botamba's tweets/posts, you can link it to your account (read-only mode & only reads your public timeline). If you have a private account, you wouldn't want it to be public & tweet it, so you won't add it.

In the end, I'd like to thank Botamba for being responsive and understanding of the sensitivity of users' privacy!

Thursday, September 1, 2011

SSL Certificates Stolen

The issue of DigiNotar's breach keeps getting worse; Computer World writes that over 200 SSL certificates have been generated & stolen, signed for Google, Yahoo, Mozilla, Tor Project among many others.

Google & Mozilla have updated their browsers to remove the affected certificates/invalid signatures, but in the latest build of Chrome on Linux (13.0.782.218) I still see DigiNotar as a CA.

I suggest you delete DigiNotar from all your browsers, as it's not worthy of trust at the moment. Remember, if you update your browser, double-check that it has not reappeared, as the update may add it back.