Mashable - The Social Media Guide: WARNING: TwitViewer May Be a Phishing Scam

  • Jordan · 4 months ago
    A legitimate Twitter webapp should be utilizing OpenAuth. It's amazing how quickly people give up a username/password for something as trite as who is 'stalking' you.
  • Becky B · 4 months ago
    I went to the site, but then thought, "I don't really want to give this random site my information. Also, I don't really care who's stalking me on Twitter!" And I left. A few minutes later I learn it's a scam. :-)
  • Amy · 4 months ago
    Same here. There's some code in the source that I'm not sure about too, I don't want to poke around and give myself a virus figuring it out. It might be harmless, but not going to risk it.
  • Becky B · 4 months ago
    The source code you saw loads an image from http://e2.extreme-dm.com. Hmm. Curious indeed. Not sure what its purpose is, but it doesn't sound good, and you're probably wise not to risk too much poking!
  • BillDrew · 4 months ago
    I have been spreading the word about it.
  • Armin · 4 months ago
    I've seen a lot of websites that pretend to be a part of Twitter. I never put my twitter login details on any other site except twitter.com
  • Iva · 4 months ago
    Oh, not to mention that the developer of a legitimate Twitter webapp would know how to spell who's. They're such a #FAIL.
  • Becky B · 4 months ago
    Of course, you're led to believe it's your friends spelling the word incorrectly and legitimately recommending the site. That's what I thought.
  • Becky B · 4 months ago
    Never mind. From the site:

    "Want to know whos stalking your profile, Well with this new application you can! You can view the last 200 people who came to visit your twitter profile. This is a cool new application on twitter hope you all enjoy. What are you waiting for! Log in above and see whos stalking you!"

    That grammar just screams, "We will phish you hard."
  • Iva · 4 months ago
    No no, the first comment makes sense, too. I never thought about people misspelling things on purpose to make it more "natural". :O

    But in this case, yeah, I doubt it's true. They got it wrong twice, there are no commas, Twitter isn't capitalised. It's pretty impressive that they didn't write what "your" waiting for or something equally bad.
  • Josh Highland · 4 months ago
    Twitter should simply ban their domains from accessing the twitter API, and also filter out all links to their site that get posted.
  • Miguel · 4 months ago
    These sites could act as if they were authenticating since they are fake anyways, filtering links would be good but you gotta remember all the url shorteners.

    What twitter should do is only let big sites like twitpic use Basic Auth and make all new sites use OAuth but also push these sites to switch to OAuth.
  • mashable · 4 months ago
    Yup, there's technically no way for a 3rd party to track who is viewing a Twitter page - you'd either need to insert code into the page (not possible since mikeyy attack revealed the only known hole), or have all users download software and agree to be tracked (eg a toolbar that sends info to a server).
  • Iva · 4 months ago
    Is there any possible way to explain that to a stubborn person who doesn't even know that there are such things as static and dynamic websites, Twitter clients and custom apps?
  • Simes · 4 months ago
    You could try explaining that it's the internet equivalent of handing your house keys or bank account details to some random guy in the street just because he asked for them.
  • Becky B · 4 months ago
    Or explain how by giving your house keys to him, he won't automatically know every single person that drives by your house!
  • Iva · 4 months ago
    Makes sense. My site's users are incredibly thick sometimes, but yeah, I believe that'll work.
  • dacort · 4 months ago
    This is the same type of stuff that used to (and maybe still does) pop up on MySpace. Will people never learn?
  • AndyBeard · 4 months ago
    Technically it is possible to determine if a person has visited a profile on Twitter, though it would be time consuming.
  • jenmathis · 4 months ago
    Nearly fell for it myself, but the request for my Twitter password put me off. I have been trying to spread the word when I see others RT'ing Twitviewer, and now I'll link to this article for backup. :)
  • Leon Taveras · 4 months ago
    Google Chrome says:
    Warning: Suspected phishing site!
    The website at twitviewer.net has been reported as a “phishing” site. Phishing sites trick users into disclosing personal or financial information, often by pretending to represent trusted institutions, such as banks.
  • Miguel · 4 months ago
    good thing we use chrome, internet explorer in fact, encourages you to sign in (jk).
  • frumpa · 4 months ago
    I visited the site after seeing the first tweet about it early this morning and it looked untrustworthy. Then I went back a couple hours later and they added the "disclaimer" about the auto-tweet which was not there at first. I checked Safari's snapshot cache but it didn't have a snapshot of the original page any more. The Google cached version shows it originally asked for your Twitter ID number. A whois on the domain shows that it was created today. Unfortunately, too many people will see the auto-tweet and think it was sent intentionally and fall for it.
  • BoltClock · 4 months ago
    TwitViewer.net now says, "Don't know why all this happened but were shutting down... may be back up on another domain." complete with grammatical we-don't-give-a-crap-what-about.
  • BoltClock · 4 months ago
    Crap, why was that autolinked?
  • Buster_Sports · 4 months ago
    We no liek this...(Intentionally spelled wrong)!
  • chris o. · 4 months ago
    I want to work on the Mashable detective team. You should have a hot line for anonymous tipsters, I run into this stuff everyday.

    Immediately change your password if you think you've been tricked.
  • Brian French · 4 months ago
    twitviewer dot net seems to have taken itself offline 10 minutes ago: "Don't know why all this happened but were shutting down... may be back up on another domain."
  • Elvis Dallas · 4 months ago
    I changed my password before I tried it and again directly after it. The 200 pictures shown weren't anyone on my list and it's clearly a scam.

    This reaffirms the need never to use the same password on twitter as anything else :-)
  • deanholmes · 4 months ago
    Thanks for the update on this-more to come...on this subject.

    Dean Holmes
    http://deanholmes.me
  • simon · 4 months ago
    lovely.

    I thought about that as I put in my password.

    Password changed ... now.

    Simon
  • dacort · 4 months ago
    Would somebody please tell people to stop using these shady "get tons of followers now" sites? Like this bestfollow . com one - it's changed names and domains at least half a dozen times, but people are still more than happy to put in their creds, as seen on Twitter search:

    http://search.twitter.com/search?q="TONS+of+fol...
  • Jr Deputy Accountant · 4 months ago
    Am I a jerk for saying "they deserved it"? If you can't figure out the simple rules of the Internet, perhaps you shouldn't be allowed to touch your computer. As someone else said, it's akin to handing over your ATM card to someone who asked. "Want to know where your money is going? Here, let me help!"

    The ignorance (read: stupidity) of humanity is disheartening to say the least.
  • Glenn Batuyong · 4 months ago
    I actually fell for this but I originally saw this as a retweet from Amber Macarthur (@ambermac) from Command-N, which is a big tech podcast. I figured she was an authoritative source so I gave it a shot and unfortunately dismissed my initial nervousness when presented with a username/password dialog. I changed my password twice and a few hours later... I'm locked out of my account. Long story short (1) Don't fall for webapps that ask for username/pw, (2) Just because a tech god/goddess pushes a link doesn't mean they know where it leads...
  • Amber Mac · 4 months ago
    Hi Glenn,

    Apologies about my tweet. I saw TwitViewer mentioned by one of my trusted followers, who is a well-respected digital lawyer, but it turned out he withdrew his message as quickly as I did once we knew it was a phishing scam. In short, it just goes to show you that we need to do a little more research before we recommend something.

    Hope you keep watching commandN!
    -Amber Mac
  • Glenn Batuyong · 4 months ago
    It's quite okay, Amber... no harm done... everything worked out for the best. I know the sinking feeling when something not-quite-right slips to hundreds of people hehe ...In any case, commandN is still my first-favorite podcast and a benchmark that I always use as the standard when describing the power of social media and great content. (BTW, my Twitter account is back!)
  • Mike Serven · 4 months ago
    If you were a victim of this phish I would also recommend changing the passwords on other sites that use that same password.
  • Rob_S · 4 months ago
    Other than the missing punctuation, looks like the "want to know who's stalking you?" is spelled OK to me. What am I missing?
  • Becky B · 4 months ago
    It's the punctuation. A professional company would never let that happen.
  • Hugh Briss · 4 months ago
    I feel sorry for the people that own TwitViewer.com since most tweets are simply saying Twitviewer. Twitviewer.com has nothing to do with showing you who's following you. You should have made it much clearer who you were talking about. Even the title is confusing since most people automatically assume you mean .com.
  • IdoNotes · 4 months ago
    I was updating a posting on some background of the site when you posted. TheSocialNetworker blog http://bit.ly/gG9bD
  • Jimmy Blocksom · 4 months ago
    I'm always scared to enter my Twitter log-in info on 3rd party sites.
  • simon_hamer · 4 months ago
    Thanks as always.
  • labgrab · 4 months ago
    I agree this looks like a spam scam. People need to up the threat color on Twitter 3rd party apps.
  • Anton Mosyagin · 4 months ago
    I, the sinner, was too curious to check it out - but happily was named a moron by a twitpal and decided to change the password for Twitter just after 10 minutes upon giving it to TwitViewer. But even before I did it, my TwitterFox was denied access to Twitter and I understood that something bad was going on. So I changed pw on verified e-mail, then quickly restored the tw-pw to it. And voila, my Twitter is mine again, no spam had spoiled it, no information gone. It's a good lesson for me I think. And for all who like to test new apps for Twitter or anything else.
  • Nonya Bidness · 4 months ago
    Actually technically the message isn't spelled wrong, you're just another online spell checker with a blog and megalomania. Technically the spelling is correct, the problem is the grammar, and having just had a flick through your blog, it's a clear case of the pot calling the kettle black.

    Sincerely,
    The grammar police
  • jadE · 4 months ago
    No Mashable, TwitViewer *IS* a phishing scam. You're skating around the issue. Saying it might sorta kinda possibly maybe be not so nice is in direct contrast to what the article states. Best you tell people straight up that it's not safe and a big fat scam.
  • otaibi · 3 months ago
    hi all