Twitter should promptly deal with spam that abuses its app integration (login verification) functions

oauth
api

#1

I believe that thanks to Twitter providing its app integration and login verification functions, many services have been able to benefit from the Twitter API.

However, spam abusing this app integration function has recently been increasing dramatically.
This abuse is carried out by obtaining the permission to tweet when users carry out app integration, and then sending out spam tweets unintended by the user.

Because of this, more and more people in Japan have been advising others not to use web services that request app integration.
It is a great pity that spam is spreading the belief that services that use app integration are dangerous, causing even safe services to be seen as risky and usage of web integration as a whole to decrease.

The spammers start with tweets containing text and URLs pointing to sensational news or videos (by using trending keywords, they get themselves on the trend timelines).
Users who see these tweets open the URLs.
Opening the URLs takes them to an app integration screen (of course, one that requests authorisation to tweet). Users who want to view the aforementioned sensational news will end up simply authorising the integration.

This is how the spammers get hold of tweeting permissions for these users.
Afterwards, they use these users’ permissions to post similar tweets, getting tweeting permissions from followers, tricking people onto phishing websites and posting advertising links.

I am very interested to know to what extent Twitter grasps this issue and sees it as a problem.
Thanks to Twitter providing its API to developers, all types of services have been developed and created up to now.
But with this type of spam proliferating unchallenged, many users are saying goodbye to app integration altogether. This is a situation that can only harm the development of Twitter.

I believe measures such as requiring a phone number to log into the app have been implemented; however, as the organised spammers own more than enough phone numbers, this is not very effective.

I have a proposal that can be implemented straight away.

  1. At the moment, on the app registration screen at https://apps.twitter.com/, it is possible to register with any URL filled in under Application Details > Website. Because of this, spammers simply register with the URLs of well-known sites such as “google.com” or “twitter.com”. Instead of this, the owners of the URLs should be verified.

  2. Clearer explanations should be added to the app integration page.
    I believe there are three types of app integration.
    a. Read-only
    b. Reading and writing
    c. Reading and writing + direct messages

I believe spammers mostly choose b or c while carrying out app registration. However, the users who get caught up in spam are mostly beginners who authorise the integration without understanding the differences between a, b, and c above. Since option a will not lead to the spread of spam, I believe that it needs to be more clearly specified that a is safe while b and c include the risk of tweets without the user’s consent.

I would deeply appreciate Twitter taking the time to review the above.
Thank you in advance.
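Proposal 1 above asks that the owner of the registered Website URL be verified instead of accepted as typed. As an added illustration (not code from the original post, and not Twitter's implementation), the following Python sketch shows one standard way a platform can do that: issue a random token at registration, require it to be published at a well-known path on the claimed site, and only mark the app verified once it is found there. The well-known path, the in-memory registry, and the offline `fetch` stand-in that replaces a real HTTPS request are all assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical well-known path; a real platform would document its own.
WELL_KNOWN_PATH = "/.well-known/app-site-verification.txt"


def normalise_site(website_url):
    """Reduce a registered Website URL to 'https://host', or None if not https."""
    raw = website_url if "://" in website_url else "https://" + website_url
    parsed = urlparse(raw)
    if parsed.scheme != "https" or not parsed.hostname:
        return None
    return "https://" + parsed.hostname.lower()


def issue_challenge(registry, app_id, website_url):
    """Record a fresh random token the site owner must publish before the app is trusted."""
    site = normalise_site(website_url)
    if site is None:
        raise ValueError("Website must be an https URL")
    token = secrets.token_urlsafe(32)
    registry[app_id] = {"site": site, "token": token, "verified": False}
    return token


def verify_site(registry, app_id, fetch):
    """Fetch the well-known file from the claimed site and compare it to the issued token.

    `fetch(url)` returns the response body as a string, or None if unreachable.
    A constant-time comparison avoids leaking the token through timing.
    """
    entry = registry[app_id]
    body = fetch(entry["site"] + WELL_KNOWN_PATH)
    if body is None:
        entry["verified"] = False
        return False
    entry["verified"] = hmac.compare_digest(body.strip(), entry["token"])
    return entry["verified"]


def may_request_write_scope(registry, app_id):
    """Only verified apps may ask users for tweet (write) permission."""
    return registry.get(app_id, {}).get("verified", False)


def demo():
    """Constructed scenario: a legitimate site publishes its token, a spam app claiming
    google.com cannot. Returns (legit_verified, spam_verified)."""
    registry = {}
    published = {}  # constructed stand-in for what each URL serves

    legit_token = issue_challenge(registry, "legit-app", "https://legit.example")
    published["https://legit.example" + WELL_KNOWN_PATH] = legit_token + "\n"

    # The spammer registers a well-known domain they do not control, so the
    # token never appears there.
    issue_challenge(registry, "spam-app", "google.com")

    fetch = published.get  # returns None for any URL nothing was published at
    return (
        verify_site(registry, "legit-app", fetch),
        verify_site(registry, "spam-app", fetch),
    )


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the token is unguessable and tied to the registered host, so claiming "google.com" or "twitter.com" on the registration form gains nothing unless the registrant can actually publish a file there; the write scope gate in `may_request_write_scope` then ties that verification to the permission that the post identifies as the one spammers need.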


#2

Thanks for this feedback. We understand these issues and take them seriously, and we have dedicated teams that work on them. Spam on our platform is definitely not “unchallenged” and there are automated systems like our proprietary Botmaker antispam technology, manual reporting systems, and a great deal of attention is paid to user trust, safety and integrity. We encourage you to report apps that are abusing our developer policies and we have a support article on this topic.

We are not able to deal with feature requests here, but I hope that our upcoming new developer experience and dashboards that we announced last week can help to address some of these concerns.
