This year's New York Comic Con attendees who chose to connect their Twitter account when validating their pass online found the convention tweeting NYCC promotional material on their behalf. Third-party authorization is a grey-area practice gaining traction in the social media landscape; what was unusual here, online security experts told Polygon, was the entitlement the organizers acted on.
Michael McKinnon, a security advisor at AVG, tells Polygon that a Twitter authorization request usually includes a bulleted list of the actions the application may take, such as "Post Tweets for you." According to some users, that item did not appear when they unwittingly authorized access to their Twitter accounts while activating their RFID-enabled convention badges.
"However, despite that, what is a little unusual in this case is the automated and unapproved sending of Tweets," McKinnon tells Polygon. "Almost all other Twitter applications are either Twitter clients that allow users to post tweets, or share an event such as checking into a venue, for example — all actions that are triggered deliberately by the user. In this case the organisers are taking it upon themselves to send the Tweets when they feel like it; something that users are naturally disagreeable with."
More than 500 tweets, which included the NYCC hashtag and a link to the event's Facebook page, were posted across attendees' accounts, exclaiming phrases such as "So much pop culture to digest! Can't. handle. the. awesome. #NYCC," "I can't get enough #NYCC!" and "So much to see, so much to do! #NYCC 2013 I love you!"
"This is a grey-area practice that is being used more and more often lately by websites that require user authentication via social networking connectors," Bogdan Botezatu, senior e-threat analyst at Bitdefender, said. "From a legal perspective, the application has been authorized by the users themselves to post on their behalf, so they should not be surprised when they do."
McKinnon went on to say that the real problem with third-party applications isn't their immediate impact; it's what happens later, when users forget they authorized NYCC to tweet on their behalf.
"What happens with authentication tokens that are sitting out there that could be used to send Tweets from many accounts?" he said. "Who will have access to that data in the future? And so it will be prudent for all attendees who registered to be mindful to review their Twitter application approvals and remove ones that are no longer needed — especially the ones that have write access to send Tweets."
From the security perspective, Botezatu was on the same page, warning against granting access to random applications, which can have a "damaging impact on the user."
"These applications can use the opportunity to plant malware or spyware, send phishing links or even inappropriate commercials to expand their reach with the network of the victim's friends," he explained. "We advise users to avoid connecting applications to their social network profiles as much as possible, or at least to deny permission to post on their behalf as the compromise or misuse of any of the paired applications could have a devastating impact on the user's private or professional life (i.e. connected applications that automatically share consumed content, especially links to pornography)."
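To make concrete what McKinnon means by tokens "sitting out there": Twitter's third-party API access at the time used OAuth 1.0a, and an application holding a user's access token and token secret (plus its own consumer key and secret) can sign a statuses/update call at any moment, with the user nowhere in the loop. The following is an added example written for this article, not code from NYCC, Twitter or the analysts quoted; the credentials are constructed placeholders, the endpoint URL is Twitter's documented 1.1 update endpoint, and the nonce and timestamp are fixed in the demonstration only so the output is reproducible. It shows both halves of the exchange: the client building the signed request, and the server recomputing the HMAC-SHA1 signature to decide whether to accept it.

```python
"""OAuth 1.0a HMAC-SHA1 signing of a Twitter statuses/update call.

Added example for this article (not NYCC's or Twitter's code). It illustrates
why a stored write-capable token matters: nothing in the signed request
involves the account owner, only secrets the app already holds.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote

# Constructed placeholder credentials; these are not real keys or tokens.
# consumer_* identify the convention's app; access_token* are what Twitter
# hands the app once an attendee clicks "Authorize app" and are stored forever
# unless the user revokes them.
FAKE_CREDS = {
    "consumer_key": "example-consumer-key",
    "consumer_secret": "example-consumer-secret",
    "access_token": "123456789-example-access-token",
    "access_token_secret": "example-access-token-secret",
}

UPDATE_URL = "https://api.twitter.com/1.1/statuses/update.json"


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ unescaped)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Method, encoded URL and the sorted, encoded parameter string joined by '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by consumer secret and token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_update_request(status, creds, nonce=None, timestamp=None):
    """Client side: the signed POST the app sends to tweet as the token's owner."""
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": creds["access_token"],
        "oauth_version": "1.0",
    }
    body = {"status": status}
    oauth["oauth_signature"] = sign(
        "POST", UPDATE_URL, {**oauth, **body},
        creds["consumer_secret"], creds["access_token_secret"],
    )
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return {
        "method": "POST",
        "url": UPDATE_URL,
        "headers": {"Authorization": header,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": "&".join(f"{pct(k)}={pct(v)}" for k, v in body.items()),
    }


def parse_form(encoded):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    return {unquote(k): unquote(v)
            for k, v in (part.split("=", 1) for part in encoded.split("&") if part)}


def parse_oauth_header(header):
    """Decode an 'OAuth k="v", k="v"' Authorization header into a dict."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0a Authorization header")
    fields = {}
    for part in header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        fields[unquote(k)] = unquote(v.strip('"'))
    return fields


def verify_update_request(req, consumer_secret, token_secret):
    """Server side: recompute the signature and compare in constant time."""
    oauth = parse_oauth_header(req["headers"]["Authorization"])
    presented = oauth.pop("oauth_signature", "")
    params = {**oauth, **parse_form(req["body"])}
    expected = sign(req["method"], req["url"], params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Fixed nonce/timestamp so the demonstration is reproducible.
    req = build_update_request("I can't get enough #NYCC!", FAKE_CREDS,
                               nonce="deadbeef", timestamp=1381500000)
    print(req["headers"]["Authorization"])
    print(req["body"])
    print("server accepts:", verify_update_request(
        req, FAKE_CREDS["consumer_secret"], FAKE_CREDS["access_token_secret"]))
```

Two things follow from the code. The consent screen McKinnon describes reflects the permission level the app registered with Twitter; an app that only needs to confirm an identity could ask for read-only access (Twitter's OAuth 1.0a request_token step accepted an x_auth_access_type=read parameter for exactly that), and then no valid signature could ever authorize a statuses/update. And because the server checks nothing but the HMAC over secrets the app holds, revoking the token on Twitter's side, as McKinnon advises, is the only thing that stops a forgotten or leaked token from being used.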