Whatpulse is hijacking Twitter accounts?


So I set up a team on my website, all is going great and we’re rising in the ranks, however yesterday a user posted about how he signed up here and for some reason he’s now following @whatpulse on Twitter, but at not point did he opt to follow, this raises the question: are you forcefully hijacking twitter sessions/passwords to gain followers?

This didn’t happen to me and I doubt it iss happening (I suspect a user error) but it seems mighty strange for this to be a user error so I’d be interested in hearing any theories on how this happened. I suspect it has something to do with the Twitter stats feature.

Any ideas why someone who downloaded whatpulse would suddenly be following whatpulse on twitter if they didn’t opt to through the twitter website and hasn’t signed up with the whatpulse twitter thingy?

Posts from the user are available here on my forum: http://www.minecraftforum.net/viewtopic.php?p=651185#p651185 the user minix.

Note: I have in no way done work on the WhatPulse site’s Twitter function, and a lot of this is based off of assumptions, and from me being a Twitter whore.

The Twitter function uses what is known as O:Auth. It stores a token, and not passwords. This is used as a secure authentication method. Considering the WhatPulse Twitter is running as an “app” of sorts. (Or, at least it appears to be.) Now, considering the WhatPulse Twitter feature is a “client.” They can have it set to auto follow their WhatPulse account.

So, since Twitter uses O:Auth, it’s all secure. And you’re not being “hijacked”, considering it can be programmed in. As for an issue of an auto-follow. I don’t see why it would matter. I’d assume someone using the Twitter function on WhatPulse would want to follow and stay updated as well. I also think your friend is just being overly paranoid, and needs to learn to relax. On a final note, the link you posted doesn’t even work.

I know how twitter and oauth work, the issue is he did not authenticate but for some reason his account s authenticated, implying that either he’s a moron who forgot he did it, or whatpulse is using its system access to “force” authentication.

regarding the link, it’s my forum and we’re under heavy load and it’ll be back soon, the link basically reiterated what I’d said here though so it’s no problem.

Oh my sweet Jesus. This just became my favourite post of the week. Not only do we count your keys, we hijack your twitters! Okay, anyway, to a serious reply:

The WhatPulse twitter feature operates via our website. You can opt in and opt out of it, and it will authorize you via tokens. All he’d have to do is visit our twitter page and click the link OR have a page preloader, which would follow the link itself. I’m not sure how exactly o:auth works, but it’s completely possible that if you’re logged in and you follow the link, it can automatically complete the authorization. Once more, I don’t use twitter, so I cannot comment on that.

As for us having his username and password, that is not possible. I can verify from an admin side of things that we don’t store much of anything. We don’t even keep pulse history for a long time. No twitter information can be retrieved at all. Therefore, this leads to several things:

-Your user clicked the link, forgot, and thus is now like ‘what the hell?’
-Your user has a friend or family member who did it
-Your user has a background link optimizer which preloaded the o:auth page and he clicked yes (or it went through automatically)
-Twitter is now sponsoring WhatPulse with free followings.

I’m assuming it’s not the last, so…

In short, I’m not quite certain but I can confirm it was not a WhatPulse side thing. Our Twitter interface completely uses the appropriate mediums as provided by Twitter.


Carbon/Cent pretty much summed it up.

It’s pretty much impossible to hijack twitter accounts, especially since twitter only supports oath nowadays. As far as I know, allowing the twitter app to be used on your account also does not auto follow @whatpulse…so…

About the staff page: The linux developers username is there, he just didn’t want a direct link to his page because of the private message button on the profile page. :wink:

I have to be nice to my users (like you are to yours :)) so I was assuming he wasn’t lying even if I assumed it 99.999% ridiculous – I mean really, if you’re stealing things why would you steal twitter accounts? Sense it make not.

Thanks for replying to him though, I’d be interested to find out what on earth happened with it, although after reading his reply to you he has an air of arrogance about him: “…nobody with a brain would trust your service…”. I guess he doesn’t respect the administrator of the forum he uses, because I’ve been here since 2006 :slight_smile:

Welcome to the people that we are forced to deal with every day. No respect is ever granted to those that have been around for a while and know their way of doing things. And feel free to tell him that I love to have conversations with people that believe that ‘nobody with a brain would trust our service.’