Twitter bots using Tweetie?
There is a kind of spambot that I call a Sleeper. It poses as a legitimate account by "stealing" arbitrary tweets from the public timeline and tweeting them as its own. As it follows people, a proportion will follow back. Eventually this account will have built a matureĀ following and can "wake up". i.e. it can start tweeting its cargo and even send DMs.
These bots are usually easy to spot because their tweets all show as being "From API", meaning that the update wasn't sent by a registered app using OAuth. If I was a spammer, I'd be wanting to fix that because it's a dead give away. I've also seen other services such as HelloTxt being used by these bots, but just now I spotted something new. – Tweets from Tweetie.
This example (@margy6727) was flagged in a TwitBlock scan due to aggressive following and being largely ignored. This search result shows the original tweet below, and the one above is the bot cloning the tweet and updating somehow via Tweetie.
Now how have they done this?
Have they reverse engineered one of the Tweetie apps and obtained the API key and secret to use in their own bots? Have they developed something that can automate Tweetie externally? (AppleScript was suggested by @pepijndevo). Do they have a sweatshop of chinese teenagers cut-and-pasting for 50 cents/hr? Perhaps there's some loophole on the Twitter end? Twitter aren't exactly buttoned up on the security front and they clearly don't check new app registrations very rigorously.
Suggestions welcome.
[ UPDATE ]
This Twitter FAQ is misleading. I am informed by Tweetie that Basic Auth apps registered "pre-OAuth" can indeed still pass the [now] discontinued source parameter to spoof the user-agent. I just tried it and all you have to do to make your tweet appear to have come from Tweetie is add "source=tweetie" to your API call. That's a real shame.
August 29th, 2009 at 8:54 pm
Spam bots have been forging UserAgent strings in HTTP requests for years. This is the most likely explanation, I think.
August 29th, 2009 at 9:52 pm
Easier than we thought. Any app can use Basic Auth and post as if from Tweetie, or any other app that was registered before Twitter introduced OAuth.
August 29th, 2009 at 11:40 pm
Twitter needs to revoke that and make everyone authenticate with OAuth for source parameters.
August 30th, 2009 at 6:22 am
Good that it’s cleared up now. I had looked into the source parameter for non-oauth apps, but after I read it was discontinued I forgot about it.
I’m curious if there is a way to tell if a tweet was made with oauth or api fake stuff…
September 5th, 2009 at 9:41 pm
Thanks for this post, I now see how this scammers have managed to get me to follow them all along. My policy now is that if you don’t have profile, I don’t follow you back. Even with that, I will make sure they’re not affiliate marketers look building their followers number.