One Lesson From The Twitter Grader Screw-up: OAuth Rocks

Most days, I lead a pretty happy existence.  I write code.  I meet with folks at HubSpot.  I talk to fellow entrepreneurs and generally try to spread goodwill and love. Today, however, it sucks to be me. 

Earlier this afternoon, some malicious user was able to compromise the security of Twitter Grader (one of our most popular Grader.com applications).  The result was that this malicious user was able to post tweets impersonating Twitter Grader users that had authorized our application.  So, tweets went out from this malicious user, looking as if we had posted it using our user’s account information.  Unsurprisingly, this caused a bunch of confusion as people wondered why the hell HubSpot would be posting spammy tweets from our application and breach our user’s trust.  I spent much of the afternoon responding to people’s tweets, letting them know about the problem and that we were working on it.  Everybody’s been super-understanding and patient.

There are three things I want to highlight in this whole fiasco:

#1.  It was my fault.  I developed Twitter Grader — and I’m the one that developed this particular feature that ended up getting hacked.  I should have known better.  I was an idiot. 

#2.  HubSpot is being super-paranoid about how we deal with the issue.  We’re shutting down several of the grader.com applications (not just Twitter Grader) and will be reactivating them on completely new servers with increased security.  This level of caution is likely overkill (and expensive), but it's the least we can do.

#3.  OAuth is a very good thing.  For those of you that don’t know what OAuth is, it’s what allows users to grant access to specific applications without revealing their username/password.  Twitter supports OAuth.  As such, Twitter Grader allowed users to “authorize” access.  This is much better than asking users for their user name and password.  Because of OAuth, although the malicious user was able to post to people’s twitter accounts, they never had access to the user’s account credentials.  Given that many people use the same username/password on multiple websites, this could have been very dangerous.  But, OAuth ensured that the problem was much more contained.

I’ve been working with the Twitter team — who have been just awesome.  They detected the problem too, and helped shut down the application and contain the problem.  I’ve had multiple emails from folks on the Twitter team today as we figure out appropriate next steps.

The application and associated keys were disabled as soon as we discovered there was a problem and as it stands, no additional action is needed for users.  Your username and password were NOT compromised -- but it's never a bad idea to change your password periodically.  Like today.

We are working on a permanent resolution which will allow Twitter Grader to be available publicly again. Until this work is complete, neither Twitter Grader nor the Twitter Grader API will be available. We expect this work to take a couple days - for updates, see the @Grader Twitter page.

By design, the HubSpot software applications are on different servers and systems from our free Grader.com tools.  This attack did NOT affect the HubSpot software used by our 2,100 customers.  Again, there is no impact on our paid product or customers. 

My sincere apologies to all the users that were harmed by this security breach.  This one really bothered me because all of you work hard to build trust, reputation and community on Twitter.  These malicious tweets went out to your followers and compromised that trust.  I really hate that I was responsible for that. 

Thanks so much for your patience.  We’ll continue to work hard to deserve your trust and goodwill.

And, to whoever it was that hacked in and sent out those tweets:  That was not cool.