As much as you have to applaud anyone for taking digital security seriously enough to attend a conference about it, you have to wonder how much they're taking in when they willingly give away their Twitter passwords. As part of a promotional move (and perhaps as a measure of attendee gullibility) the organisers of RSA 2016 have been asking for Twitter details and many people with tickets willingly handed it over.
It's one of the most obvious personal security measures to take in protecting your online identity: if a website asks for your password to something else, don't input it. But that's exactly what many people did when the organisers of this year's RSA conference asked for Twitter username/email details and passwords to help publicise the event (as per the Telegraph).
Just registered for RSA conference. Saw this after reg. Hoping this is not asking for actual Twitter creds. pic.twitter.com/kNJLm1j03z
— Micah (@WebBreacher) January 7, 2016
The potential security problem with such a system was highlighted by some prospective attendees, who started noticing the rash of identical tweets from their fellow ticket holders. The tweet would read: “I'm going to #RSAC 2016 in San Fran! Who wants to come with me?” followed by a link to the RSA conference site.
Just a sample of those that auto-tweeted the message over the past few days
As the security gaff has become more known over the past couple of days, more tweets with a similar phrasing have appeared, highlighting how people would not be attending, or hadn't been silly enough to input their password into a third party site. Some even posted Rick Roll links along with it.
Although the Twitter hijacking doesn't appear to be anything more nefarious thanks marketing, it is worrying that so many people who are interested in security and are perhaps being sent by their firms to learn more, willingly fall flat at a basic bit of personal security.
Discuss on our Facebook page, HERE.
KitGuru Says: There are admittedly some third party Twitter services which require your password for automation, but you wouldn't put your details into a site to let it market through you, would you?