housley.me


Twitter gets hacked (twice!). What’s next?

January 6th, 2009 · social

Earlier today @foxnews tweeted the shock breaking news that Bill O’Reilly is gay. Shortly afterwards, offensive and obscure messages were posted on 33 high profile accounts, including Facebook, Britney Spears, and President-in-waiting Obama. Twitter had been hacked.

This comes at the same time as a phishing scare in which thousands of people complained about receiving obscure direct messages from people they know. Chris Brogan posted a warning asking all bloggers to change their passwords, which links to a post from Chris Pirillo that describes a number of rogue direct messages with links to fake Twitter sign-in pages.

In reality, no communication channel is impervious to phishing attacks, as long as scammers are capable of sending messages, and some people can be fooled into following rogue links. Once a few accounts have been compromised, the “conversion rate” should be much higher since it’s possible to send direct messages that appear to have come from a trusted source. The same thing has been plaguing Facebook for about a year!

Given the timing, it would be easy to assume that both of these incidents are connected. However, according to the Twitter blog (thanks mashable) it appears that the high profile accounts were:

compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck.

So, what does this mean for Twitter? Most regular users probably wouldn’t cancel their account unless they had been directly compromised. By now most people should know better than to blindly follow random links from emails to login screens; however, this is the first widespread phishing campaign conducted via direct messages on Twitter.

Would high profile individuals such as Obama trust, or will they continue to trust, Twitter with their voice after such incidents?

In this case, the hoax tweet appears to be light-hearted:

What is your opinion on Barack Obama? Take the survey and possibly win $500 in free gas.

However, a more malicious message timed to coincide with a specific event could be much more damaging, even if it quickly surfaces as a hoax. For example, what would it say about Obama’s grip on national security if change.gov had been replaced with some photoshopped propaganda shortly after November’s election? The new administration takes their online identity pretty seriously – it’s been reported in The Economist that Obama’s team are to endure grueling online background checks in which all social network accounts and aliases will be scoured for potentially damaging information.

Putting up with the odd fail whale and the inevitable phishing scams is one thing, and the community has on the whole accepted this; but there is a more significant loss of trust when accounts are being compromised out of the blue. This would not only be a huge problem for Twitter the company, but also a loss for the Twitter community. It would be a shame if high profile users, who add real value, chose not to use the service for these reasons.

Fortunately Twitter were very quick to pull the offending admin tool services, and should make damn sure it doesn’t happen again. But are there other undiscovered back doors waiting to be opened?

As a top priority Twitter should finally start using OAuth – a project which, according to their intro, was conceived by Blaine Cook whilst working on an OpenID implementation at Twitter in November 2006. OAuth would enable applications that consume the Twitter API services to authenticate a user without directly handling user passwords. This would put an end to users having to entrust their credentials to random services; for even if these services aren’t the work of an evil programmer, hiding out in some untraceable basement, there will usually be reason for suspicion and certainly some caution.

Last November the twitterank service was developed overnight as a personal hobby by a Yahoo developer. It went viral extremely quickly, and caused a great deal of suspicion after a bogus claim that twitterank was being used to steal passwords. This wouldn’t happen with services that consume APIs from services such as Facebook and Flickr, because API authentication tokens are issued via their own secure sign-in pages. For example, the iPhoto Facebook Export plugin requires that you sign in and approve the application, via a secure web interface managed by Facebook, before the application can gain access to your account data.
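To make the OAuth point above concrete, here is an added example (not code from this post, Twitter, or the OAuth project) of the OAuth 1.0a HMAC-SHA1 request signing that token-based API access relies on: the third-party application signs each call with a token secret the service issued after the user approved it on the service’s own sign-in page, the user’s password never reaches the application, and the service can cut that application off simply by revoking the token. The consumer key, token values, and the api.example.test URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote

def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only - . _ ~ left unreserved)."""
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & enc(url) & enc(sorted 'k=v' pairs joined by &), all query and oauth_* params included."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(base, consumer_secret, token_secret):
    """Signing key is enc(consumer_secret)&enc(token_secret); the user's password is never an input."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret):
    """Application side: build the oauth_* parameters and the Authorization header for one API call."""
    oauth = {
        "oauth_consumer_key": consumer_key, "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
        "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
    }
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def parse_auth_header(header):
    """Turn 'OAuth k="v", k="v"' back into a dict of decoded values."""
    body = header[len("OAuth "):]
    return {unquote(k): unquote(v.strip('"')) for k, v in (p.split("=", 1) for p in body.split(", "))}

def verify_request(method, url, params, header, consumer_secrets, token_secrets):
    """Service side: recompute the signature from the secrets the service itself issued.
    Deleting a token from token_secrets (revocation) makes every further call from that app fail;
    a production verifier would also reject stale timestamps and reused nonces to stop replays."""
    oauth = parse_auth_header(header)
    csec = consumer_secrets.get(oauth.get("oauth_consumer_key"))
    tsec = token_secrets.get(oauth.get("oauth_token"))
    if csec is None or tsec is None or oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    presented = oauth.pop("oauth_signature", "")
    expected = hmac_sha1(signature_base_string(method, url, {**params, **oauth}), csec, tsec)
    return hmac.compare_digest(presented, expected)  # constant-time comparison
```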

All this may also be another sign that 2009 is the perfect year for Twitter to be acquired by an organization such as Google, which already has the infrastructure to scale, as well as the security kudos to restore any lost confidence for the long term.

If you enjoyed this post then please say thanks by Digging, share using the button below and/or leave your comments. You may also follow @ahousley on Twitter, on the condition that my direct messages remain spam free!
