This afternoon I started getting a bunch of tweets reading “my Twitterank is __!” (Mine is 69.17, it turns out, a number which is basically meaningless, so far.) I’m actually somewhat slow to adapt to new social networking errata, so I ignored it.
Then I started getting a bunch of BEWARE TWITTERANK AAAAHHHH tweets. As someone in the field of journalism, I really only perk up when something goes horribly wrong on a wide scale, so that got my attention. Because this is the Internet, it didn’t take too long to put together the story.
In short, a page went up last night (so it seems) promising to rank your Twitter account. People love ranking things, as you will notice if you use Facebook or pick up a newspaper. So lots of people signed in through Twitterank and started ranking themselves, which automatically generated the “my Twitterank is __” tweets (e.g.). To do so, you had to enter your Twitter name and password.
That’s where, to borrow a phrase, shit blew up like the Godfather.
This guy tweeted the following: “Twitterank is a vast conspiracy I created to steal all of ur passwords + shame Twitter into OAuthing. + make u look vain.” That was tweeted at about 3pm CDT. He was kidding.
Another guy, who has a huge Twitter following (5,500+), retwittered that tweet. That retwittering was picked up by a ZDNet blogger, Oliver Marks, who gave it the imprimatur of journalism. Someone then took a screencap of the source code and tweeted that, further fanning the flames.
One thing I’ve learned when reading about tech stuff–it’s actually safe, generally speaking, to read the comments on techy sites, even fairly mainstream ones like ZDNet, because the commenters are self-selecting enough that a lot of times they talk sense, and you can learn things. Anyway, at one of these sites–I’m now so deep in links I can’t find which one–a commenter noted that he knew the guy who created it, he worked for Yahoo, and to chill.
Then at Mashable, a guy named Ryo Chijiiwa claimed responsibility (see comment at 7:40). And, sure enough, if you click on the Twitterank FAQ, you find that the URL is iloha.net. If you go to iloha.net, you get a page with a link to ryo.iloha.net, homepage of Ryo Chijiiwa, recently-ex-Yahoo programmer who just moved to Google. It turns out we were at the University of Chicago at the same time, though we didn’t cross paths.
Anyway, among the many things you can find on his Web site, including his resume, programming vita, PHP-based Web mail program, feed reader, an essay on “Complex Systems as Networks,” there’s a link to his Twitter feed, on which you can watch Twitterank be born, debut, spread fast, and then hit the fan. All in the time it took me to get some sleep, go to work, and sit in meetings.
So what does this mean for you, Twitterer? You have to ask yourself: do I trust Ryo Chijiiwa? My Twitterank at the top is a vote of confidence, but one I made only after putting together this whole probably-not-actually-sordid tale. (Always think twice before giving out your password anywhere to anything, but Twitter contains so little personal info it’s hard to imagine what anyone would do with access to your account.)
There are important lessons about social engineering, OAuth, and more in the Web 2.0 era, but I will probably have to wait ’til tomorrow after going back to do my real job for a while, at which point I also hope to chat with Mr. Chijiiwa, though I would understand if he wanted to just hide under the covers tomorrow.
Anyhow, things about pig slaughtering to post for the Reader, etc. It is an exciting life, here at my desk.
Update: Brian Ambrozy was following the same paths, and says it better than me:
So let’s summarize, in true Twitter fashion. I’ll tweet the whole story:
- Hay guys, Twitterank gives u a twit score. Mine is 110.23! Check it!
- Looks like @brianoberkirch made a funneh. oops
- Now Oliver Marks sez @brianoberkirch hacked twitter omgz
- A MILLIONTY PEOPLE READ OLIVER MARKS AND RETWEETED IT
- Everybody skurred nao
Update II: Out of curiosity, it occurred to me to try, just for kicks, a second way of investigating the shadowy source behind Twitterank. So I ran a simple WHOIS lookup: twitterank.com. Lo and behold, it is registered under the owner’s real name (which is also easily found by following the FAQ URL to its source and clicking around, as I mentioned before).
As for me personally, I tend not to sweat Web security too much, perhaps even less than I should. Honestly, I’m much more worried about someone swiping an unsolicited credit card offer from the mail and running up a bunch of debt in my name.
Anyway, this is not what you should be paranoid about. Right now someone at the NSA is reading your tweets and giggling.