
To Spam or Not To Spam: That is Not The Choice Anymore?

This is something new that I did not discover immediately, because Twitter is very poor at showing me my own tweets, and the owner of a Twitter account is not notified about tweets posted under it.

Every 10-12 hours, for quite some time now, spam tweets with the same content have supposedly been posted from my Twitter account:

“Are you serious about weight loss? Read this article ASAP! [varying URL, linking to a site with the same content]”

I left two tweets as a sample:

I removed access for all applications, but these spam tweets reappear, mostly during my night hours, so I remove them 6-8 hours after they appear in my feed under my Twitter account name!

I can log in to web resources (sites, blogs, social networks, etc.) through SSO (single sign-on) using Twitter, Disqus, OpenID, etc. accounts without re-typing my username and password, even after explicitly removing access. I simply press the confirm-access buttons and the credentials cached in my browser are used.

Why can the access granted earlier not be cached by the sites and reused by hackers after I have removed access for the target applications? And what if I am shown the wrong descriptions during sign-in?
And what choice do I have anyway?

There is simply no tracking of the resources (sites) to which I ever signed in with Twitter.
I log in with my SSO to comment, to post, etc., and then I do not even remember all such sites.
Even if I did, most of them do not let me delete my accounts anyway.

Is it the wrong question?

Tell me how to track and/or stop spam tweeting from my Twitter account if I have removed access to it for every application!
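One concrete way to answer the "how to track" question, added here as an example and not part of the original post: every tweet object returned by Twitter's API carries a `source` field naming the client application that posted it (tweets typed on twitter.com itself carry the bare value `web`). Pulling your own timeline and grouping the spam tweets by `source` tells you which authorized application is doing the posting, and that is the entry to revoke on Twitter's application settings page. The timeline below is a constructed sample in the shape of a `statuses/user_timeline` response; the app names and URLs in it are made up.

```python
import json
import re
from collections import Counter

# Constructed sample of a Twitter statuses/user_timeline response (not real data).
# "source" is the real field name Twitter uses for the client that posted a tweet;
# Twitter delivers it as an HTML anchor. App names and URLs here are invented.
SAMPLE_TIMELINE = json.dumps([
    {"id": 1, "created_at": "Fri Sep 30 02:10:00 +0000 2011",
     "text": "Are you serious about weight loss? Read this article ASAP! http://example.invalid/a1",
     "source": '<a href="http://example-relay.invalid" rel="nofollow">ExampleRelayApp</a>'},
    {"id": 2, "created_at": "Thu Sep 29 14:00:00 +0000 2011",
     "text": "Posted a new article on OAuth and account hygiene",
     "source": "web"},
    {"id": 3, "created_at": "Thu Sep 29 13:20:00 +0000 2011",
     "text": "Are you serious about weight loss? Read this article ASAP! http://example.invalid/b7",
     "source": '<a href="http://example-relay.invalid" rel="nofollow">ExampleRelayApp</a>'},
    {"id": 4, "created_at": "Wed Sep 28 09:00:00 +0000 2011",
     "text": "Thanks for the replies, will follow up tomorrow",
     "source": '<a href="http://twitter.com/download/android" rel="nofollow">Twitter for Android</a>'},
])

# The spam text quoted in the post; adjust the pattern for your own case.
SPAM_PATTERN = re.compile(r"serious about weight loss", re.IGNORECASE)
ANCHOR = re.compile(r'<a\s+href="([^"]*)"[^>]*>([^<]*)</a>', re.IGNORECASE)


def parse_source(source):
    """Return (app_name, app_url) from the HTML-formatted 'source' field.
    A bare string such as 'web' is returned as the name with no URL."""
    m = ANCHOR.search(source)
    if not m:
        return source.strip(), None
    return m.group(2).strip(), m.group(1)


def find_spam_sources(timeline_json, pattern=SPAM_PATTERN):
    """Map (app_name, app_url) -> number of tweets whose text matches the pattern."""
    tweets = json.loads(timeline_json)
    hits = Counter()
    for t in tweets:
        if pattern.search(t.get("text", "")):
            hits[parse_source(t.get("source", ""))] += 1
    return hits


def suspicious_apps(timeline_json, pattern=SPAM_PATTERN):
    """Names of the apps that posted at least one matching tweet, most active first."""
    return [name for (name, _url), _n in find_spam_sources(timeline_json, pattern).most_common()]


if __name__ == "__main__":
    for (name, url), n in find_spam_sources(SAMPLE_TIMELINE).most_common():
        print(f"{n} spam tweet(s) posted via {name!r} ({url})")
```

The `source` value is set by Twitter from the OAuth application that signed the request, not from anything the application supplies in the tweet, so it is a reliable pointer to the grant to revoke. If the spam tweets show up with source `web`, the posting is happening through a browser session with your password, and a password change plus logging out of all sessions is the right response instead.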

Related article:
Woah! Read Those Twitter Authorizations Carefully


Spam tweets stopped

Before the spam tweets appeared, I had created only one derivative account (through my Twitter account login) on a website built on IPB (IP.Board) WCMS, which has built-in functionality for tweeting from the site and republishing tweets from a Twitter account to that website.


And my account was banned soon after I tried to ask the site's administration team about the possibility of spam tweets being sent through my account on that website.


I shall not indicate the URL of the site, since this topic is interesting from a conceptual point of view and not for tracing concrete technical or ethical breaches.



  1. September 30, 2011 at 14:46

    Did you try changing your password in case that is how they are getting access?

    • September 30, 2011 at 15:58

I got spam tweets within a week of creating this new Twitter account, and the spam continued after I changed my Twitter username and password a few times.

Now, the main problem: I do not understand how changing the password can change anything at all, and what choices the owner of accounts has for controlling access to them.

For example, after changing my Twitter account username and password, I can still log in to my derivative accounts on marshable.com, stumbleUpon.com and ipbSkins.ru, where I created the account by logging in through my Twitter account.

Many such sites have functionality for posting tweets from these derivative accounts, or for republishing or relaying other publications, for example, to/under my Twitter account and vice versa. And from the Twitter account to other accounts (Facebook, etc.).

      Here are a few problems:

• I can create a derivative account on a site intentionally set up by criminals
• access to such a derivative or original account can be hijacked
• such accounts can technically misbehave due to bugs
• the policy (ToS) can be changed without even informing me, so that my accounts will be permitted to relay the publications of others, or whatever else I hate to think about out loud

Now, even if I block or delete the original Twitter account from which I created derivative accounts on various sites (BTW, there is not even an easy way to establish which ones), or change the password,
it does not change the access given earlier to publish and relay other posts from them under my Twitter account.
Twitter's password was not used for creating the derivative accounts, and changing it does nothing to discontinue their access to my Twitter account or vice versa.

For example, I recently commented on stumbleUpon.com using my marshable.com user account, which was created through my Twitter account, well, a month ago, and after that I changed my Twitter account password and username many times!
These changes had no impact on the validity of the outdated data (username, for example). Suppose somebody compromised

The same story applies to any single-sign-on accounts, like Google OpenID accounts.

This is scary,
because essentially the owner of accounts has no control over his own account, which can be misused, abused intentionally or due to technical bugs, hijacked by perpetrators, etc.
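The commenter's observation that changing the Twitter password did nothing to the derivative accounts is exactly what delegated authorization is designed to do, and the following model makes the mechanism visible. It is an illustrative example written for this page, not Twitter's code: a provider that holds password hashes, issues an access token to a third-party app at the "confirm access" step, and honours that token until the specific grant is revoked. The `Provider` class, its method names and the `demo` walk-through are assumptions made for the example; the pattern of "token survives a password change, revocation kills it" is the real property of the OAuth-style delegation Twitter used.

```python
import hashlib
import os
import secrets


class Provider:
    """Toy model of an OAuth-style identity provider (illustrative, not Twitter's code)."""

    def __init__(self):
        self._users = {}    # username -> (salt, password hash)
        self._grants = {}   # access token -> (username, app name)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def check_password(self, username, password):
        salt, digest = self._users[username]
        return secrets.compare_digest(digest, self._hash(password, salt))

    def change_password(self, username, old, new):
        if not self.check_password(username, old):
            raise PermissionError("wrong current password")
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(new, salt))
        # Deliberately nothing else happens here: existing grants are untouched,
        # which is why rotating the password does not stop an authorized app.

    def authorize_app(self, username, password, app_name):
        """The 'confirm access' step: the user authenticates to the provider,
        the app receives an opaque token and never learns the password."""
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self._grants[token] = (username, app_name)
        return token

    def post_tweet(self, token, text):
        """An app posting on the user's behalf presents only its token."""
        if token not in self._grants:
            raise PermissionError("token revoked or unknown")
        username, app_name = self._grants[token]
        return {"user": username, "text": text, "source": app_name}

    def list_grants(self, username):
        """The ledger the post says is missing: which apps hold a token for this user."""
        return sorted(app for (u, app) in self._grants.values() if u == username)

    def revoke_app(self, username, app_name):
        """Revoking a specific app is the operation that actually cuts it off.
        Returns the number of tokens removed."""
        doomed = [tok for tok, (u, app) in self._grants.items()
                  if u == username and app == app_name]
        for tok in doomed:
            del self._grants[tok]
        return len(doomed)


def demo():
    """Walk through the situation in the post; returns
    (app still posts after password change, grants before revocation, app posts after revocation)."""
    p = Provider()
    p.register("alice", "hunter2")                       # constructed user and passwords
    tok = p.authorize_app("alice", "hunter2", "ExampleRelayApp")
    p.change_password("alice", "hunter2", "correct horse battery staple")
    still_posts = p.post_tweet(tok, "spam")["source"] == "ExampleRelayApp"
    grants_before = p.list_grants("alice")
    p.revoke_app("alice", "ExampleRelayApp")
    try:
        p.post_tweet(tok, "spam again")
        posts_after_revoke = True
    except PermissionError:
        posts_after_revoke = False
    return still_posts, grants_before, posts_after_revoke


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the model. First, the only control that reliably stops an application is revoking its grant at the provider (for Twitter, the application settings page), and that has to be done per application, since each holds its own token. Second, the grant ledger (`list_grants` here) is the provider's to keep; without it, the user has no way to enumerate which sites still hold a token, which is the tracking problem the post complains about.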

