Twitterank1 (@t_rank) just heavily hit the Twitter. Many people talked about it, most are just retweeting. It started with Gullible Twitter users hand over their usernames and passwords - did you get your Twitterank yet?! then Is Twitterank Ranking Your Popularity Or Stealing Your Password?. Someone also took a screenshot of the HTML source, by that HTML comment to judge Twitterank is a phishing. If you visited Twitterank more earlier, you directly saw that paragraph. The author, @ryochiji, commented out that after an update. When you read the author’s resume2, it’s harder to believe a Google employee and former Yahoo! employee would do a phishing thing. But so far, there is no solid proof for the entire thing.
However, there is a security concern of Twitterank. You password sends out in clear text. No SSL. The form data is not sent out via SSL. If someone’s password get stolen and this is not phishing, then that’s a possible way how a bad guy gets their password.
Later, the author posted a blog post, however, that explains nothing. If you track tweets, it’s funny to read the rumor gets bigger and more dramatic, just like this. Also another guessing, the author is trying to push Twitter to improve their authentication.
If this turns out a false alarm, please apologize to the author, that really hurts; if this is true, the author trying to steal passwords, then we all know where he works (maybe that resume is fake); or he tries to force Twitter for better authentication, he still needs to be blamed, this is a really bad way to do a good thing.
Anyway, special thanks to those who happily play with Twitterank and then change their passwords, you and your tweets just made my day.
(Just have this thought if: Twitterank->Twitter prank->TwitterPrank, and P stands for Password. Just for fun, please don’t hate/beat me.)
Update: there is a guest post by the author on ZDNet. I still don’t see any apologies, the credibility on Internet has gone long time ago.
[1] | http://twitterank.com/ is gone. |
[2] | http://ryo.iloha.net/me/resume.html is gone. |
0 comments:
Post a Comment
Note: Only a member of this blog may post a comment.