It was a busy Wednesday morning for Jayant Sharma, an avid Twitter user, when he found out from his Twitter feed that hackers had compromised hundreds of accounts to tweet anti-Nazi messages in Turkish.
Sharma, who is a senior software engineer at a leading IT company in Bengaluru, glanced over a related article and realised that he had been using the same third-party app that hackers exploited to breach those accounts.
"I revoked access for the app immediately. But I don't remember why and when I started using it," Sharma told International Business Times, India.
One of the main reasons Twitter is increasingly described as the "most attacked social network" is, by some accounts, a lack of security controls built into the site itself.
There is also a strong argument, however, that humans are the main point of failure on this particular network. End users authorise third-party apps, often without much thought, and leave them connected indefinitely, creating a sprawl of account access that can be a nightmare for both users and businesses.
"Twitter shouldn't be considered 100% responsible for the hacking across accounts; however, the social network should consider adequate countermeasures in order to prevent misuses moving forward," Dario Forte, the CEO of DF Labs, an Italy-based cyber security company, told IBTimes.
Twitter does have a fairly hardened platform, with internal security engineers constantly monitoring it for potential breaches. What creates the exploitable gaps, according to experts, is the breadth of access third-party apps are granted: reading users' accounts and contact lists, and even posting tweets on their behalf.
Here are the risks involved with granting access to third-party apps straight from the horse's mouth:
Depending on its permissions, an authorized application may be able to use your account in various ways, including reading your Tweets, seeing who you follow, updating your profile, posting Tweets on your behalf, accessing your Direct Messages, or seeing your email address.
Hackers look for lucrative tokens
When attackers break into a third-party app, they also gain access to its database of usernames and the OAuth access tokens that Twitter issued to the app on each of those users' behalf when the users authorised it.
A stolen token is, in one important respect, more dangerous than a stolen password. The password and any Two Factor Authentication (2FA) code are checked only once, when the user first authorises the app; every API call the app makes afterwards is authenticated by the token alone. An attacker holding a copy of the token therefore gets immediate access to the account without ever having to answer a 2FA challenge, and the token keeps working until the user revokes the app.
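To make the two paragraphs above concrete, here is an added Python illustration (not code from the article, from Twitter, or from any of the companies quoted). It models the OAuth 1.0a HMAC-SHA1 request signing that Twitter's REST API used for third-party apps: the app's consumer key and secret plus a user's token pair are everything needed to sign a request as that user, so a copy of an app's token database lets an attacker post without ever seeing a password or a 2FA code. It also shows why revoking the app stops the attack. The app credentials, user tokens, nonce and timestamp are all constructed for the example, and the server side is a simplified model, not Twitter's implementation.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Added example, not code from the article or from Twitter. It models OAuth 1.0a
# HMAC-SHA1 request signing (RFC 5849). Every credential, token, nonce and
# timestamp here is constructed for the illustration.

# What a compromised app's database hands an attacker: the app's own consumer
# credentials plus one (token, token_secret) pair per user who authorised it.
LEAKED_APP = {"consumer_key": "exampleAppKey", "consumer_secret": "exampleAppSecret"}
LEAKED_TOKENS = {"alice": ("1001-aliceAccessToken", "aliceTokenSecret")}


def pct(value: str) -> str:
    """Percent-encode as OAuth 1.0a requires (RFC 3986 unreserved set only)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 3.4.1 base string: METHOD&encoded-url&encoded-sorted-params."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """Signing key is consumer_secret&token_secret; the user's password never appears."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp) -> str:
    """Build the Authorization header an app (or whoever holds its tokens) sends."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**body_params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_authorization(header: str) -> dict:
    """Split 'OAuth k="v", k2="v2"' back into a dict of decoded fields."""
    fields = {}
    for part in header[len("OAuth "):].split(", "):
        key, _, val = part.partition("=")
        fields[unquote(key)] = unquote(val.strip('"'))
    return fields


def verify_request(method, url, body_params, header, consumer_secrets,
                   token_secrets, revoked_tokens) -> tuple:
    """Simplified model of the resource server. Revocation is what "Revoke access"
    does: the token stops working even though signatures over it stay valid.
    (A real server also rejects reused nonces and stale timestamps; omitted here.)"""
    fields = parse_authorization(header)
    token = fields.get("oauth_token")
    if token in revoked_tokens:
        return False, "token revoked"
    consumer_secret = consumer_secrets.get(fields.get("oauth_consumer_key"))
    token_secret = token_secrets.get(token)
    if consumer_secret is None or token_secret is None:
        return False, "unknown consumer or token"
    presented = fields.pop("oauth_signature", "")
    base = signature_base_string(method, url, {**body_params, **fields})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Replay the attack and the fix with the constructed leaked data."""
    url = "https://api.twitter.com/1.1/statuses/update.json"
    body = {"status": "Posted with a leaked token, not by the account owner"}
    token, token_secret = LEAKED_TOKENS["alice"]
    # The attacker signs as alice using nothing but the leaked material
    # (constructed nonce; timestamp is 2017-03-15 00:00 UTC, chosen for the story).
    header = sign_request("POST", url, body, LEAKED_APP["consumer_key"],
                          LEAKED_APP["consumer_secret"], token, token_secret,
                          nonce="constructed-nonce-0001", timestamp=1489536000)
    # The server knows the same secrets; none of them is the user's password or 2FA code.
    consumer_secrets = {LEAKED_APP["consumer_key"]: LEAKED_APP["consumer_secret"]}
    token_secrets, revoked = {token: token_secret}, set()
    check = lambda b, rv: verify_request("POST", url, b, header, consumer_secrets, token_secrets, rv)
    results = {"before_revocation": check(body, revoked),
               "tampered_body": check({"status": "edited in transit"}, revoked)}
    revoked.add(token)  # the user clicks "Revoke access" on the app
    results["after_revocation"] = check(body, revoked)
    return results
```

Running `demo()` returns `(True, "ok")` for the attacker's first request, `(False, "bad signature")` when the body is altered without the secrets, and `(False, "token revoked")` once the user has revoked the app. Note that nothing in the successful path touched a password or a 2FA challenge; those were consumed once, at authorisation time, which is exactly why revoking unused apps matters.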
"Third-party apps are authorized to access your account just like a user would; each app has levels of permissions," said Alex Heid, the chief research officer at SecurityScorecard, a New York-based security ratings company.
"The vulnerabilities usually come from poorly secured third-party applications, coded by developers that may not have a full grasp of information security concepts."
Twitter has provided app developers with guidance on secure coding practices. The social network could therefore reasonably argue that if a third-party developer ignores that counsel, the resulting breach is not the company's fault, and the argument has some merit.
We identified an issue affecting a small number of users. Source was a 3rd party app and it has been resolved. No action needed by users.
— Twitter Support (@Support) March 15, 2017
In addition, once a user has authorised an app, Twitter treats that app's requests as the user's own. It has no way to tell a legitimate app from the same app after its token store has been compromised, which makes it harder for the social network to manage security on behalf of its platform.
But the vulnerability of Twitter accounts also comes down to the company's failure to acknowledge that SMS is not an ideal second factor: text messages can be intercepted or redirected through SIM swapping. It is worth noting, too, that no form of 2FA would have stopped this particular attack, because stolen tokens bypass the login flow entirely.
"I recommend using long randomized passwords in a password manager with 2FA enabled. Also, don't attach third-party apps," George Avetisov, the CEO of HYPR, a New York City-based biometric security company, told IBTimes, stressing the significance of biometric authentication to better secure accounts.
Avetisov recommended that users embrace decentralised biometrics, encrypted and stored on the user's own device, as an end-to-end authentication solution.
According to him, using biometrics stored in a server is even worse than using passwords "due to the lack of revocability".
Strong passwords still matter
But even biometric protections can be bypassed if they are implemented badly. Biometrics are also inherently public, since faces are photographed and fingerprints are left on surfaces, and they cannot be changed once copied, whereas a password stays private as long as it is never disclosed.
A long, randomly generated password therefore still matters. Length and genuine randomness, of the kind a password manager produces, do far more to defeat offline cracking than sprinkling in capitals, punctuation and symbols by hand.
However, it is the third-party apps that remain the lowest-hanging fruit for attackers seeking unauthorised access to user accounts.
There is no substitute for periodically reviewing every third-party app that has been authorised to access an account, whether deliberately or not, and revoking any that are no longer used or not recognised. On Twitter this is done from the applications page in the account settings.
When users fail to act as their own watchdogs, attackers can simply target any third-party app, since such apps have far less security built into their design than Twitter itself.
Twitter, for its part, may be reluctant to interfere with apps and the user experience around them, since that adoption is crucial to the platform's success. It is all the more important, then, that users think carefully before granting an app access they do not need or trust.