A new rogue app is spreading on Twitter that purports to tell you how much time you have spent using the microblogging site, but instead tricks you into spreading the scam and appears to harvest e-mail addresses from victims, Sophos said today.
A typical message says: "WOW --> I have spent 38.1 hours on Twitter! See how much you have: [LINK]," according to a Sophos blog post on the scam.
"If you are curious enough to click on the link, which--of course--you might do, seeing as it will appear as if one of your Twitter friends has posted it, then you will be asked to authorise a third party app's request to access your Twitter account," Sophos' Graham Cluley writes. "The app is called TimeSpentHere, and it can only cause a problem for you if you grant it permission to access your Twitter account. If you do, then it will be able to read your Tweets, post in your name, and even change your profile."
Once a user accepts the app, it surreptitiously re-posts the message and offers up a random number representing the time the user supposedly has spent on Twitter, according to Sophos. It also asks users to enter their e-mail address "as a security precaution." The e-mail addresses could be used later in a phishing or malware attack.
"If you were unfortunate enough to grant a rogue applications access to your Twitter account, revoke its rights immediately by going to the Twitter website and visiting Settings/Applications (it used to be called Settings/Connections but it seems that Twitter has changed it) and revoking the offending app's rights," Cluley suggests.
Updated 10:05 a.m. PT: Cluley tweeted that Twitter informed him that the "rogue app is dead."