The Problem with Twitter OAuth Connections

[Image: the Twitter OAuth Deny/Allow screen]

If you’ve been using Twitter for any length of time, I’m sure you’ve come across the Deny/Allow screen you see above. Twitter OAuth is an authorization protocol that allows users to approve an application to act on their behalf without sharing their password. The only problem is that once you click Allow, the site using OAuth has pretty much total control of your Twitter account. It can make you tweet out messages to your followers. It can even make you follow anyone without your permission.

Now, the majority of sites that use OAuth, like Sponsored Tweets, use it for legitimate reasons. However, it’s not hard to see the potential security problems this creates. For one thing, Twitter has no application process for using OAuth: anyone can create a Twitter service with OAuth, including hackers and spammers. This is why Twitter has that note on the right which reads:

Please ensure that you trust this website with your information before proceeding!

The problem is that most people won’t notice the warning and will just click the Allow button. Most Twitter users think that clicking Allow lets the service access your Twitter account only once, for example when entering a contest where the site uses OAuth to make you follow them and tweet out a message about the contest to your followers. That is not the case. When you click Allow, the service has access to your Twitter account until you break the connection!

Using OAuth To Get Someone Banned On Twitter

Last week, my Twitter account was suspended because Twitter received a bunch of complaints from users claiming I forced them to follow me. Of course, I never forced anyone to follow me, and after an investigation (and telling me to change my password) Twitter restored my account. However, I received two @replies today from users saying I am forcing them to follow me again.


My theory (and it’s only a theory) on how this is happening is that someone is using OAuth to make Twitter users follow me in order to get my account banned.

How To Break The OAuth Connection

To see all the sites that you have allowed to connect to your Twitter account, go to your Twitter home page, click “Settings”, then “Connections”. You’ll be presented with something like the following:

[Image: the Twitter Settings > Connections page]

The page lists all the sites that are allowed to connect to your Twitter account. Don’t be shocked if you see a site that you don’t recognize. If you don’t know the site, break the connection right away by clicking the “Revoke Access” link.

For the Twitter users who sent me messages saying I’m forcing you to follow me, I ask that you go to your Connections settings and revoke access for every connection you have. This will make sure no sites have access to your Twitter account. I also recommend you change your Twitter password. Hopefully, the answer to all this is someone abusing OAuth to try to get me banned. If the forced follows are not coming from OAuth, then Twitter has a major security flaw on its hands.
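As an added illustration (not code from the original post), here is a small Python model of what an OAuth 1.0a-style connection actually is: the app holds a long-lived access token and signs each request with it, the server accepts those requests for as long as the token is listed in the user’s Connections, and the Revoke Access link is what finally stops it. The server class, endpoint URL, user and app names are all hypothetical, and signatures are hex-encoded rather than base64 for brevity.

```python
import hashlib, hmac, secrets, time
from urllib.parse import quote
URL = "https://api.example/friendships/create"  # constructed endpoint, not Twitter's real API

def sign_request(method, url, params, consumer_secret, token_secret):
    """OAuth 1.0a HMAC-SHA1 signature (RFC 5849 s3.4): proves possession of both secrets (hex here, base64 in real OAuth)."""
    norm = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    base = "&".join(quote(s, safe="") for s in (method.upper(), url, norm))
    key = f"{quote(consumer_secret, safe='')}&{quote(token_secret, safe='')}"
    return hmac.new(key.encode(), base.encode(), hashlib.sha1).hexdigest()

class TwitterLike:
    """Hypothetical resource server: registered apps, per-user Connections, follow graph."""
    def __init__(self):
        self.apps, self.connections, self.follows = {}, {}, {}   # consumer_key -> secret, token -> grant, user -> set
    def allow(self, user, consumer_key):
        """What clicking Allow does: issue a durable access token; it never expires on its own."""
        token, secret = secrets.token_hex(8), secrets.token_hex(8)
        self.connections[token] = {"user": user, "app": consumer_key, "secret": secret}
        return token, secret
    def list_connections(self, user):   # the Settings -> Connections page
        return sorted(c["app"] for c in self.connections.values() if c["user"] == user)
    def revoke(self, user, consumer_key):   # the Revoke Access link
        self.connections = {t: c for t, c in self.connections.items()
                            if (c["user"], c["app"]) != (user, consumer_key)}
    def follow(self, params, signature):
        """Signed API call from the app; succeeds for as long as the token is still in Connections."""
        conn = self.connections.get(params.get("oauth_token"))
        if conn is None:
            return "401 token revoked or unknown"
        expected = sign_request("POST", URL, params, self.apps[conn["app"]], conn["secret"])
        if not hmac.compare_digest(expected, signature):
            return "401 bad signature"
        self.follows.setdefault(conn["user"], set()).add(params["screen_name"])
        return "200 OK"

def demo():
    """alice clicks Allow once; the app then follows accounts on her behalf until she revokes it."""
    tw = TwitterLike()
    ckey = "contest-site-key"; tw.apps[ckey] = csecret = secrets.token_hex(8)   # developer registers an app
    token, tsecret = tw.allow("alice", ckey)   # the single Allow click
    def call(target):   # app side: signs with its own secrets; alice's password is never involved
        params = {"oauth_consumer_key": ckey, "oauth_token": token, "oauth_nonce": secrets.token_hex(4),
                  "oauth_timestamp": str(int(time.time())), "screen_name": target}
        return tw.follow(params, sign_request("POST", URL, params, csecret, tsecret))
    calls, before = [call("contest-site"), call("someone-else")], tw.list_connections("alice")
    tw.revoke("alice", ckey)   # alice clicks Revoke Access
    calls.append(call("someone-else"))
    return {"calls": calls, "before": before, "after": tw.list_connections("alice"),
            "follows": sorted(tw.follows["alice"])}
```

Note that the second follow succeeds without any new approval from alice; only the revoke turns the third into a 401.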


52 thoughts on “The Problem with Twitter OAuth Connections”

  1. d3so says:

    That sucks. I wonder who you pissed off John.

    1. Addy Kho says:

      may be out of jealousy? 🙂

    2. PPC Ian says:

      I must agree, this is crazy. I’m glad you got your account back and hope Twitter can find a solution soon.

    3. SEO Results says:

      I think any big name scalp is a serious trophy to any hacker. A lot of what they do is seriously about boosting their own egos and sense of self worth and esteem.

    4. Welcome to planet Earth!

    5. Pissed off a lot of people obviously…with good reason. I’d be pissed if someone forced me to follow them..although that’s not actually what happened…

  2. Benjamin says:

    John, the reason this has happened to you is because recently you paid for followers and that service you used uses OAuth to force people to follow you.

    1. John Chow says:

      No, that’s not it. I double checked to make sure they were not sending me followers.

      1. So, you paid for the service and now they are not sending you followers??? SY

        1. SEO Results says:

          We’ve been through this one before, gentlemen…..

        2. That sounds ironic…and funny at the same time 🙂

  3. Thanks for the heads up, John. More people should know about this instead of blindly hitting that “Allow” button.

    I’ve suspected that giving authorization will give the site/application full access. This confirms it.

  4. Addy Kho says:

    John, Good tips and it is an alert to everyone here.

  5. This is really bad. I was trying to tweet you and it failed since you were banned John!
    Glad you’re back

    1. LOL…me too. Well, we can all @johnchow now because he’s up and running…can’t hold him down for long!!

  6. Glad you’re back John! I tried to tweet you earlier but got an error, yikes.

  7. max says:

    Hmmm. that’s too bad, perhaps keep your eyes open longer, screw the hackers. Besides, i dont think Twitter will ban u, u r too famous now. 🙂

  8. S Ahsan says:

    Twitter really doesn’t care if you are a celeb or a big shot. I got my acct suspended couple of months ago for lame reasons. About the force following, i have seen that couple of times and this started quite sometime back. It was really annoying ‘cuz the guy kept getting back on my list while i removed him several times.. This bug is still an issue and i am hope twitter takes a break from focusing on their ad platform and start fixing this bug asap.. PS: am glad you are back on twitterverse John, cheers!

    1. Yeah, it sounds like this is more of a bug rather than hackers forcing others to follow them. I.E. you remove someone and they keep showing up again and again. And, there was that bug a few weeks ago that made it super easy to force anyone to follow you.

      I agree: take a break from the ad platform and work on these bugs!

  9. Melvin says:

    that sucks.. what if the account was just a small account owned by a normal person? then twitter probably would immediately ban it with no questions asked..

    I didn’t know that. Thanks for reminding us

    1. d3so says:

      Yeah, that’s probably true. Good thing Johns had a history of good standing with Twitter.

  10. d3so says:

    Whoever they are should send me some followers.

  11. Warren says:

    I’m glad you got your twitter acct back. I wrote to twitter (not that it made a diff) to say that I for one appreciate all the great info you willingly share with us freely. I’ve ordered a copy of your book (which still isn’t here by the way) because I believe in supporting someone who shares valuable information as you so willingly do. I’m not one of the “power” users on Twitter, but I do have over 13,000 followers and I feel Twitter is a better place with you in it.

    If it wasn’t for John Chow I for one, would not be online. It is because of his words of wisdom (both on his blog, and on Twitter) that I have left the offline world to be a part of the “online” world.

    Thank you John for everything you have shared with me, and all my readers. It is very much appreciated!

    Sincerely, Warren Wooden – PLR Internet Marketing.

  12. I just checked my setting / connections and found some services active that I know 100% I have de-activated / de-connected months ago! My guess is that one of the latest “Twitter Resets / Updates” or whatyoucallit, has activated them again without my agreement. I better make checking my connection settings a weekly task ;-( SY

  13. SEO Results says:

    It must be great to finally get to the bottom of the cause of all your twitter woes. Thank you for sharing this information so eloquently in this blog post. I am sure that twitter will sit up and take notice once this starts circulating in the blogosphere.

  14. I had this MLM Guru I must have unfollowed like 3 times, all 3 of his accounts, just when I thought the coast was clear that fool’s tweets would be back LOL 🙂
    Glad you got your account straight

  15. This is the reason why I don’t like any applications like that.

    1. Addy Kho says:

      pros and cons I guess.

  16. I recently joined Ad.ly too. But so far I don’t think they do anything with my account yet.

    1. What is the relation between ad.ly and the problem John described in his post? SY

  17. Rayutube says:

    Maybe related – I just checked who I follow and I noticed a couple of spam accounts there that I know I never followed.

  18. The forced follower enigma has been solved. This is a good thing. Hopefully twitter wakes up and closes this loophole in double quick time.

    1. There are many loopholes that twitter needs to solve…not just this one.

  19. I also hope this whole twitter issue gets resolved. This will make it a lot easier to deal with and allows you to know which followers are really into you.

  20. Dino Vedo says:

    Wow those people that complained to you that you’re forcing them to follow you really have no life.. seriously who the hell cares if they follow you and why are they actually keeping track of all their followers??

    They need to stop monitoring their twitter accounts and go enjoy life…

    1. Dino, some people follow only their family and friends or people that have the same interest as they. An internet marketer in a bunch of macro black and white flower photographers might stick out like a sore thumb. Apart of this, people just dislike to be forced to follow somebody, and that should be respected by everybody, including Twitter whose security measures seem to be really in need of improvement, SY

  21. Asish says:

    Informative post indeed which every twitter user shud read and know.

  22. Free Picks says:

    bad to know :p

    any ways thanks for tips

  23. “They can make you tweet out messages to followers. They can even make you follow anyone without your permission.” Now that’s a pretty scary thought.

    Can’t you just develop your own John? I’m sure you have the right connections…

  24. Lou says:

    Thanks for the post. It’s a bit scary what these applications can do to mess you up!

  25. Steve says:

    I have gone into Twitter and removed the privilege on services that I no longer use. Keeps me feeling better about the security of my account.

  26. Haven’t had any problems yet but if I do I’ll know how to fix it.

  27. Robert says:

    Hi John,

    Glad to see you get your Twitter account back online. Also appreciate the tips on how to break some of the OAuth connections. I’m sure many people are not aware of that.

  28. Wow, I hope twitter will do something about this…

  29. Glad to see I’m not the only one irritated with Twitter. What is the purpose of what they are doing recently?

  30. If someone is using OAuth to force people to follow you, then Twitter will have the web site this originated from in their web server logs.

    OAuth is still the best way to use web-based Twitter applications. Otherwise, you’re giving a third party web site your login information for Twitter and assuming that they won’t abuse this information and that they have taken the proper measures to make the data secure.

    How secure are the user accounts in your twitterfollower.com site?

  31. Noticed that I’ve been having problems with my twitter recently.

  32. Wow, that’s kind of scary, I’m just starting to use Twitter more and more these days… I think they have a few bugs they really need to work out these days, which is almost inevitable as a company grows as quickly as they do.

  33. Ary says:

    So that’s why I got suspended! Well not from this account. But in the last month I had another one and it got suspended with no reasons. I didn’t check the email to see if it’s restored by now… but it made me not stay too much on twitter. I worked so hard on that account. And in just some seconds it got suspended….

  34. Jon says:

    Hey John… great information… unfortunately the “revoke” link that I attempt to click on does nothing. The http: address that it says it links to (in the status bar) is the very page I am already connected to and sitting on. Seems like a broken link or an attempt to prevent you from ultimately really revoking the sharing of accounts. Any insight into this?
