Dozens of attendees at the RSA security conference typed their Twitter passwords, in plain text, into the event's website
If a website other than the service itself asks for your Twitter, Facebook or email password, you should not hand it over; even a casual internet user should know that.
But dozens of attendees at this year's RSA Conference, an annual security jamboree for researchers and IT workers, did just that: they entered their Twitter usernames and passwords, in plain text, into form fields on the RSA website and handed them over to the site.
The website wanted the details only so that it could post a pre-written tweet about the conference, but that means the passwords passed through, and may have been logged or stored on, a server that had no business holding them, a major oversight.
Many websites and apps let users share a page through a Twitter button. That button hands the user over to Twitter itself, over a secure connection, and the sharing site never asks for login details; there is one at the top of this page, for example.
Yet judging from the number of identikit tweets promoting the conference, dozens of cyber-security workers were willing to give up their details. Dozens of people tweeted: “I’m going to #RSAC 2016 in San Fran! Who wants to come with me?” with a link to the sign-up page.
Having received the details, the RSA website presumably ran a script that logged in to each Twitter account and posted the tweet itself. Twitter's own API provides a delegated authorisation flow (OAuth) for exactly this purpose: the user approves the app on twitter.com and the app receives a revocable access token, never the password. It is very unlikely that the site would do anything untoward with the credentials, but a website that asks for, and potentially stores, another service's password is an obvious red flag.
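To make the contrast between the share-button approach and the password form concrete, here is an added example of how a "tweet this" button is built. This is illustrative code, not code from the article or from the RSA Conference site. It uses Twitter's Web Intent endpoint (https://twitter.com/intent/tweet), which sends the user to Twitter to compose and post the tweet in their own session, so the linking site never handles a username or password. The sign-up URL in the sample is a placeholder, and the tweet text is the one quoted above.

```javascript
// Added example, not code from the article or from the RSA Conference site.
// The safe pattern: a "tweet this" button that sends the user to Twitter's
// Web Intent endpoint, so the tweet is composed and posted in the user's own
// Twitter session. The site that emits the link never receives credentials.

const TWEET_INTENT = "https://twitter.com/intent/tweet";

// Build the share link. Each parameter is percent-encoded separately:
// '#' becomes %23, so "#RSAC" survives instead of being read as a URL
// fragment, and '&' or '=' in the text cannot smuggle in a second parameter.
function tweetIntentUrl(text, url) {
  const params = [`text=${encodeURIComponent(text)}`];
  if (url !== undefined) params.push(`url=${encodeURIComponent(url)}`);
  return `${TWEET_INTENT}?${params.join("&")}`;
}

// Parse a share link back into its parts, the way Twitter's endpoint would,
// so the round trip can be checked: text and url come back intact and
// nothing has leaked into the fragment.
function parseTweetIntentUrl(href) {
  const u = new URL(href);
  return {
    text: u.searchParams.get("text"),
    url: u.searchParams.get("url"),
    fragment: u.hash,
  };
}

// Escape the characters that matter inside an HTML attribute value so the
// link can be emitted into a page without becoming an injection point.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The markup a site would actually put in its page. Note what is absent:
// no form, no username field, no password field, nothing posted to the site.
function shareButtonHtml(text, url) {
  return `<a href="${escapeAttr(tweetIntentUrl(text, url))}">Tweet this</a>`;
}

// Constructed sample: the tweet text the article quotes, plus a placeholder
// sign-up URL (not the real conference page).
const SAMPLE_TEXT = "I'm going to #RSAC 2016 in San Fran! Who wants to come with me?";
const SAMPLE_URL = "https://example.com/rsac-signup";

if (typeof require !== "undefined" && require.main === module) {
  console.log(tweetIntentUrl(SAMPLE_TEXT, SAMPLE_URL));
  console.log(shareButtonHtml(SAMPLE_TEXT, SAMPLE_URL));
}
```

The hashtag is the detail that most often goes wrong in hand-rolled share links: an unencoded `#` ends the query string, and Twitter would receive the tweet text without `#RSAC`. Encoding each parameter on its own also means user-supplied text cannot add or override query parameters.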
Many phishing scams work the same way, asking users to enter their bank or email details into a fake website so that criminals can collect them later.
Attendees who realised the mistake were quick to point it out.