Yesterday I received a message in my YouTube account Inbox claiming that my account was flagged. On initial skimming of the email I was shocked, but then looking at the message more closely I quickly recognized it as another phishing email. The email states:

The Youtube Team YouTube Broadcast Yourself™

Hi (account),

According to our records, you have been flagged for the following:

Hate Speech/Bullying Spam/Flooding of other YouTube channels Massive Advertising Explicit Copyright Infringement

Your account also appears to be phished and/or flagged by other users with the following IP addresses:

72.55.191.6:3128 80.227.1.100:8080 119.70.40.101:8080 216.194.70.3:8118 61.166.68.69:80 194.44.170.81:3128

We have reviewed your account and notice that your account seems to be in good standing. Therefore, we will not penalize you for any actions. However, we have reviewed the reports made to your account, and notice that your account has been flagged and/or reported multiple times. We ask for your current password in order to ensure that you are the owner of this account and to verify your current account status. Please provide us with the information below...

On initial thought, I was wondering about the scammers' goal for taking over a YouTube account. Then I remembered that many YouTube accounts are now linked to users' Google Accounts, which provide access to Gmail, among others.

So, everyone needs to be diligent and careful when receiving instructions via email or through a proprietary messaging system asking you to provide a username and password or other means of authenticating your identity. In most cases, legitimate web sites will never ask for a user's password. Remember, bad guys are everywhere, especially on the Interweb.

Author: Vinko
Categories: Google

Twitter has been around now for over 3 years, and along the way there have been many 3rd party applications and web services. In the early years these 3rd party applications and web services required Twitter users to provide their Twitter credentials to use the service. This requirement of providing a 3rd party with my credentials for another service never sat well with me, so I did not use any 3rd party web services that required my Twitter credentials. This decision was frustrating to me, as during this time Facebook, FriendFeed and others had authentication services that did not require their users to provide their respective credentials to the 3rd parties. As a result I joined the 100s of others who requested that Twitter adopt OAuth or a similar technology for their site.

Finally, at the beginning of 2009, we started to see signs of Twitter OAuth. This was promising, but there were 1000s of 3rd party services that had yet to adopt the new authentication method. I then joined the campaign to encourage as many of these 3rd party developers as possible to incorporate Twitter OAuth as their authentication method instead of requiring the user's Twitter credentials. Unfortunately, several months after the appearance of Twitter OAuth, we saw a vulnerability in the implementation of OAuth, which slowed down this 3rd party adoption. With the cooperation of the member companies of the OAuth organization this vulnerability was quickly identified and resolved.

In the meantime we keep hearing stories of Twitter accounts being compromised. Initially it was thought that these incidents came from within Twitter, since Twitter had an incident where the Administrator password was hacked by a teenager using a brute-force method. But now stories like the most recent one, "1000s of Twitter Accounts Compromised in Latest Spam Attack", are becoming more and more frequent.

As always, the weakest point in security is a third party. So refrain from trying that latest Twitter service if it does not use Twitter OAuth. Definitely don't use your Twitter credentials as the login for the 3rd party service.

If you suspect your account may be compromised, change your password immediately.

Author: Vinko
Categories: advice