The Story of #SocialFsckup

The OSM Awards chose to reward social media celebrities through votes from social media users. While an entertaining idea, the actual implementation appears to be a low-budget marketing event conceived and managed by a low-skill, non-transparent third-party agency, Digiqom, who were either technologically clueless or chose to lie when confronted with possible misuse of their user database for OSM Awards. In reality, the OSM Awards database was compromised, and Twitter OAuth2 tokens from the database were used to tweet messages and trend #SocialFsckup and #ArmChairMorons.


The Hack

An interesting feature, or perhaps (mis)feature, of the OSM Awards web app is that it requires users to sign in using their Twitter or Facebook account in order to vote for their favorite social media celebrity. A quick look at the web app reveals that it was developed by low-skilled or intern-level developers with utter disregard for code quality, security and best practices. In no time, it was possible to access the database and the entire code base. The code base was absolute junk; however, the database had something interesting: a table with the email addresses of all users who signed in to OSM Awards with Facebook AND the OAuth2 access tokens of all users who signed in with Twitter. The consumer key and secret were readily available from one of the config.php files:

<?php
 date_default_timezone_set('Asia/Kolkata');
 define('CONSUMER_KEY', 'iEh2p7WmAbvrWXOLd5Yi1QSKB');
 define('CONSUMER_SECRET', 'QR6YvuIdtgPlF9FzwnWDCpSg51cSFm8Y1UG09VgCu9wEOAvcfW');
 define('OAUTH_CALLBACK', 'http://www.osm-awards.com/user_login/process.php');
?>

At the time of the database dump, there were 56k+ user accounts.

$> cat data1/osmdb4/users.csv | wc -l
56951

However, the Twitter-based sign-in count was only a little more than 9k.

$ cat data1/osmdb4/users.csv |grep -i twitter | wc -l
9040

This was, however, enough to get a trend going on Twitter in no time. At this point, I decided that the best way to make use of these tokens, while not being too personal to anyone and at the same time exposing the risk of giving access to your account, was Moderate Humor: make fun of ideas or events without personal attacks. Another intention was to highlight what happens when you hire external marketing companies to build technology for you: you get hacked and your brand is compromised.
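The users table and config.php described above kept the access tokens and the consumer secret where a database or source dump exposes them directly. The following is an added example, not code from the OSM Awards app: it seals each token with libsodium before it is stored and takes the key from the environment. The variable name TOKEN_ENC_KEY_B64 and the function names are assumptions.

```php
<?php
// Added example, not OSM Awards code. TOKEN_ENC_KEY_B64 and all function names are hypothetical.
declare(strict_types=1);

// Load the token-encryption key from the process environment rather than a define()
// in a PHP file, and insist on the exact secretbox key length.
function load_token_key(): string
{
    $b64 = getenv('TOKEN_ENC_KEY_B64');
    $key = is_string($b64) ? base64_decode($b64, true) : false;
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('TOKEN_ENC_KEY_B64 must be set and decode to 32 bytes');
    }
    return $key;
}

// Encrypt an access token for the users table: base64(nonce || ciphertext+MAC).
function seal_token(string $token, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($token, $nonce, $key));
}

// Decrypt a stored value; throws if the column was truncated or modified.
function open_token(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('stored token is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('stored token failed authentication');
    }
    return $plain;
}

// Demo with a constructed key and token (neither is a real credential).
putenv('TOKEN_ENC_KEY_B64=' . base64_encode(sodium_crypto_secretbox_keygen()));
$key = load_token_key();
$row = seal_token('CONSTRUCTED-ACCESS-TOKEN', $key); // value the users table would hold
echo "stored: $row\n";
echo 'opened: ', open_token($row, $key), "\n";
```

This only limits what a database-only dump yields. An attacker who can run code on the web server can read the key as well, so after a compromise the stored tokens still have to be revoked.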

The Trend

I chose to trend #SocialFsckup and #ArmChairMorons as a reminder to a certain section of our digital society about their pathetic sense of self-importance and how insignificant their daily verbal diarrhea and armchair activism are.

This, however, is in no way a personal attack on any person or on those individuals whose accounts were used to tweet and trend messages. Dude, you just happened to be in the wrong place at the wrong time.

An expected outcome of this campaign was that those who can relate to the sarcasm and feel themselves to be the victim of it will expose themselves through outrage and threats.

Without further ado, here goes a sample:

See here if you want to go through all the accounts that participated in trending my message for FREE — Yep, I trend stuff for free, unlike the IT cell of political parties.

The Reaction

The very first outrage that I noticed comes from an anonymous coward (yep like me) — @barbarindian

This anonymous coward responded with a direct threat to Outlook India and violent abuse of the person he assumed to be an Outlook India employee who tweeted through his account.

I wonder how such an insignificant anonymous coward has so much self-importance and perception of empowerment that he goes on and unleashes direct threats of harm against Outlook India and their employees. I wonder whether it is because of blessings from Amit Malviya or Arvind Gupta?

Then comes the self-proclaimed techie and social media expert who clearly has no idea about OAuth or access tokens. In fact, she goes to the extent of blaming Twitter India for compromising her privacy. Terrific... and guess what? She has a strong sense of “morality”, as you can see from her tweets. She is one of those home-made idiots who thinks her association with a political party as a propaganda robot will give her any exposure to the cause and effects of the machinery in which she is just a nut or a bolt.

A lawyer who thinks Outlook India is hacking “his” account needs special mention here.

While it is foolish to expect technically challenged people like these to understand OAuth or delegated authentication, one cannot help but laugh when such people threaten to take legal action against an entity, particularly since:

  • He appears to be a “lawyer”.
  • He neither understands the cause or motivation of the “crime” nor does he bother to dig through public information to gain an insight to the event in which his Twitter account was used to spread a message.
  • Yet, he threatens to take legal action against an entity without having any “case” against it, or perhaps lawyers like these believe newspaper reports or tweets are admissible evidence in court.

The Absurd Response From Digiqom

While it is expected that the employees of a marketing company will be clueless and comfortable in lying, this kind of goes to the next level. She claims to have resolved the issue and that her team “did not sleep”; in reality, they discovered the issue only during the afternoon and resolved it by generating a new pair of consumer key and secret for their app, which DID NOT resolve any issue. Neither did they investigate the cause of the compromise nor did they bother removing access. I got the new consumer key and secret through my backdoor, using which I can still post tweets to various accounts that have not already revoked permission to the app.

Some Artistic Praise

While totally unexpected, there was some artistic praise from an individual who saw it as a digital protest. Here is some of his analysis that kind of converges with my thought process at the time of this campaign.

Mainstream Media and The Art of Ignorance

DNA appeared to cover this the earliest, in an article that only highlighted the reaction from certain Twitter users without bothering to read or investigate any detail of the event. No wonder SM leaves no stone unturned to criticize the MSM for its lack of professionalism or willingness to project an accurate picture of any given event that they cover.

This was followed by a bunch of other digital news portals who happily reproduced DNA’s shoddy article without understanding or reproducing the actual set of events.

Nevertheless, MSM coverage was not something that I intended or hoped for. My sole purpose was to make fun of various Twitter trolls hiding behind creative titles of “Strategy Consultants” and “Social Media Strategists”.

So Who are The Propagandists

Propaganda is an age-old concept. It was, is and always will be one of the indispensable tools in the arsenal of kings and modern leaders to manage and control societies, no matter how large, small or diversified. The art of persuasion and perception management, up to something as aggressive as brainwashing, “had” been an area of specialized discipline. There cannot be any empire or state without organized application of force, for defense or offense, AND such “organized” application of force is without any end if not sustained by well-planned propaganda machinery. The marketing and branding industry, developed and matured over time, has commoditized multiple such techniques. There are well-defined techniques that can be applied by individuals with limited experience for large-scale manipulation and perception management with one fundamental idea:

If you repeat a lie often enough, people will believe it, and you will even come to believe it yourself.

The biggest reach to the minds of the common citizens of any nation had always been through print media and then audio-visual communication. More lately, it seems social media has emerged as one of the most effective tools for propaganda due to its massive reach, particularly among a large section of the society. The effectiveness comes not only from SM’s reach but also from its apparent non-attribution and lack of ownership. Here any random idiot can express their opinion or share content that may not be accurate or may be intentionally misleading. This idiotic herd plays the role of bots through which a propagandist can spread his message and influence the masses.

Finally, here are some examples of the Twitter-based propaganda industry at work. The unit is fairly large and operates in tandem with other similar units with a common master on top.