140Char

Microblogging news, tools and resources: Twitter, Google Buzz, Tumblr, Identi.ca, Yammer, Posterous

A solution to the loss of trust in Twitter apps?

Dan Thornton | January 9, 2009

The trust that many people have in Twitter has been shaken recently by three major events – but there’s one idea that could solve some of the problems.

The events have been:

  • A major Twitter phishing attack, which resulted in spam Direct Messages from compromised accounts.
  • High-profile Twitter accounts being hacked – apparently by a fairly simple brute force dictionary attack on someone with access to Twitter support tools.
  • Strange Display Errors – which turn out to be due to the combined forces of mass tweets from Macworld and CES.

Stopping anyone with admin access from using a password like ‘happiness’ should cure point number 2, and dealing with mass traffic is something that only Twitter itself can solve.

However, the loss of trust in applications is something that affects the whole Twitter ecosystem, as Mark Evans writes on Twitterati. And even implementing the much-requested OAuth as a technical solution doesn’t guarantee a rogue app can’t affect people. (via the MrTweet Blog)

So what’s the solution then?

It’s a simple idea – there are a lot of sites currently listing Twitter applications as soon as they become available to be the first to carry the news, and also to be a useful resource.

But what about an agreement between some of the Twitter bloggers and established app developers to implement a testing and approval procedure – a relatively simple process which could then list approved and tested applications, and allow them to display a badge of approval?

What gives bloggers the right?

The reason for pulling together reasonably prominent bloggers to implement approval is that we have something to lose if we’re not utterly honest – anyone can update the Twitter wiki with a link to a malicious application, but if 5 prominent Twitter bloggers did it, we’d all lose trust and social reputation, so it keeps us honest.

So what are the benefits?

  • A list of Twitter applications which are being used and monitored to ensure they work as stated
  • An independent approval system by people with a vested interest in keeping things honest
  • More authoritative testing, and a larger quantity of apps being tested than each of us stating individually which apps we use – and a safeguard in case we’re tempted to recommend something without taking a proper look because we’re busy or going on holiday that week.
  • And it means developers can display something to give them a trusted status without the need for a paid store (like the iPhone store), or worrying about being tarred with the same brush as malicious scammers.

So I’m throwing it open – good idea or bad? And are my fellow Twitter bloggers interested?

Want to spread the word? Copy, paste and tweet:

A quick and simple solution to sort the trusted and honest Twitter apps? http://bit.ly/vL48


Twitter phishing attack – the implications

Dan Thornton | January 5, 2009

Twitter has been hit by the first major effort to ‘phish’ account details and spam users with links to a fake login page by Direct Messages from compromised accounts.

The Twitter team has responded with a warning on the main web access page, and a warning on the Twitter blog. You can see the uproar it’s causing on Twitter via Twitter Search.

Currently the DMs are enticing people with:

  • Here’s a funny blog about you
  • Your picture is on this blog
  • You’ve won a free iphone

Luckily the phishers are at least sticking to the grand tradition of email spamming by either trying to entice you with a blatantly ‘too good to be true’ offer, or something personal with the link to a fake Twitter log-in page displayed in full, so hopefully the word has spread to most people.

However, this is likely to be just the start. As Pete Cashmore pointed out at Mashable, this is a sign Twitter has reached a big enough size to be a viable target for scams – a positive sign for Twitter’s growth perhaps, but also a sign that the scammers and spammers are coming, with pretty big implications for Twitter users.

Shortened urls:

For starters, we were all lucky in some ways that the bloggers obviously aren’t familiar with Twitter culture, and were displaying the full url of the fake website, meaning that even if the DM came from someone we absolutely trusted, we had a warning before clicking.

But given that the character limit of Twitter means that shortened urls are the norm, it will make it almost impossible to detect whether a link is likely to be fake before at least visiting it – meaning an urgent need for preview functionality of shortened urls at the bare minimum.

Warning systems:

A lot of Twitter users picked up on the scam emails via friends, and stayed up to date with information via the #phishing hash tag etc – Twitter responded promptly with a warning on the website and blog. But what about the many, many people using a client to access Twitter and their Direct Messages? And those using mobiles to access the service?

Will everyone get a warning via each client and application? Unlikely at the moment, unless there is a type of ‘emergency signal’ which could be broadcast across all clients and apps.

Verified App Store:

Which brings me to the next possible implication – a few people have suggested that the fake log in page is in fact working as a Twitter application to utilise the stolen accounts and passwords.

It’s long been a matter of contention for users and app developers that any 3rd party application which requires a certain level of functionality has to ask for usernames and passwords – but now the 3rd party developers could be hit by a huge loss of trust from users.

So could this be an opportunity for a verified and approved Twitter application resource? Possibly monetised by charging a fee for consumers (unlikely), or for developers to have their application tested and approved (more likely)?

This could have implications for the speed and number of Twitter applications and clients being produced, and also move such development away from bedroom coders depending on the fees for such services.

It certainly means that there could be a move for more users to utilise more than one Twitter account to allow them to test applications and clients etc without compromising their main account.

So what other implications do you think the arrival of large scale phishing attacks could have on Twitter – and what suggestions do you have for other Tweeple – and Twitter itself, to try to minimise the damage of future attacks?

