I created an Application and generated an access token. Then I used the access token from an application written in PHP to post some tweets from the application. I did all this with another twitter account, not this one I am writing from now.
Call it a coincidence, but just a few hours after I had posted a couple of tweets from the application, the account got hacked, and it started sending spam with phishing links via direct messages to followers (the “I can’t stop laughing at this pic of you” spam).
I hadn’t received any such message and hadn’t clicked on any such phishing link (nor did the owner of the account). The only “uncommon” thing I had done just before the spam started was creating the app and having it tweet on this account.
It is a pretty strange coincidence that this happened right after creating an app and tweeting from it. I strictly followed the API tutorials and didn’t do anything that is not recommended in the developer guides. Of course I didn’t give away the access token and consumer keys and consumer secrets to anybody, nor did I place them in any client-side code. The keys are only in the PHP code, which is not visible from anywhere.
So the question is, has anybody else experienced the same? Is Twitter’s implementation of OAuth broken and insecure? If I didn’t give away the password nor the access token and didn’t fall into the phishing trap, then it is clearly a security hole on Twitter’s side, isn’t it? Is this a known issue? Are they doing anything to fix it?