TweetDeck paranoia

Obligatory hax0r stock photo
Dear Lazyweb, is TweetDeck spying on my web browser?

I use TweetDeck because it's the only workable way to manage multiple Twitter accounts.

Recently it has been crashing a lot. It crashes at pretty random times, but only occasionally when TweetDeck is the front app. It doesn't usually crash when I'm scrolling down the list. Usually it crashes when some other app is selected, like when I've clicked a link and it opens in Safari.

But now I've noticed that it most often crashes when I'm in Safari, haven't used TweetDeck at all recently, and I open or close a Safari window... Right then is when TweetDeck crashes. Exactly then.

So now I suspect that TweetDeck is using AppleScript to monitor all the URLs I load in Safari, and presumably is phoning home with them.

Anyone know how to prove, monitor or prevent this? I don't know how you'd log or MITM AppleScript IPC.

This behavior would not be unprecedented for such an ethical and trustworthy company as Twitter: remember when they got busted phoning home with all of the applications installed on your iPhone to "better improve your advertising experience"? Yeah, they'd totally do this.



21 Responses:

  1. Chris R. Donnelly says:

    Fiddler should work, assuming they’re using HTTP or HTTPS.

    Additionally, I remember there used to be a paid alternative on macOS called Charles, which is probably still available if you find using a .NET/Mono app to be against your beliefs.

  2. Nicholas Riley says:

    AEDebugReceives=1 /Applications/Safari.app/Contents/MacOS/Safari should do it. I don't use TweetDeck, but that should prove or disprove your supposition.

    This is actually documented.

    • jwz says:

      Well, all I see from AEDebugReceives is normal "open this URL" commands being sent, no reading, so I guess that's not it.

      I'm sure not wasting my time trying to decode every write() under dtrace or strace, because literally every time in the last 20 years I've tried to solve a problem using those programs I've burned hours, learned nothing, and solved the problem faster some other way.

      But let's not lose track of the fact that TweetDeck is a flaky, terrible piece of software and Twitter is a dumpster fire of a company.

  3. Line Noise says:

    In Linux I'd use strace. I'm not sure if there's an equivalent for MacOS.

    I use Hootsuite for Twittering. (Obligatory non-answer to your question.)

  4. Zach says:

    I've noticed the same pattern of TweetDeck on Mac crashing in the background a lot lately. You can use TweetDeck in an ordinary web browser, which should subject it to all the normal web content security rules, meaning it can only be as invasive as every other site on the web.

    Charles, as mentioned above, is the tool I would use to see if it is phoning home. You can set it up to install its own root certificate on your machine, so you can intercept your own HTTPS traffic and see exactly what it is sending back to the mothership.

    • Nick Lamb says:

      Full-blown Applications (as opposed to web apps) written by people who are thinking hard about this stuff tend to use Certificate Pinning, so they may reject your attempt to MITM them, or at least flag it and choose to behave differently.

      Bad Guys who have decided it's legitimate to snarf your browser history for their own ends ("to make our service more valuable") would definitely count as "thinking hard about this stuff" unfortunately.

      An effective thing that Apple totally could enable if (as some of their fans seem to believe) they were interested in fighting any of this rather than just making sure they get a percentage is: steal the transient session keys and decrypt the TLS channel that way. This doesn't interfere with Pinning, and could easily be built into Apple's Secure Transport API so that developers have to really go out of their way not to use it.

      I don't expect jwz to like this solution but: Don't run work stuff on your home gear. Yes even if you're the "owner" there may be, as in this example, compromises you make for work that you wouldn't make for yourself personally, you can partition those onto the "work" systems.

      • jwz says:

        Apple's desktop app sandboxing appears to be making some gestures toward preventing this sort of thing; e.g. to talk to iTunes via AppleScript, you need to specify a bunch of com.apple.security.scripting-targets stuff in the entitlements file. But sandboxing is still pretty much optional.

    • jwz says:

      One of the things that's so frustrating about Twitter -- even from the perspective of "I am trying to use your product as designed, like a good little Capitalist Tool" -- is that they still do access control via post-it note. I have dozens of employees whom I want to give the ability to post to the business Twitter account, and the only way to do that is to give them all the one-and-only password -- which allows them to change that password and lock everyone else out. So when one of those employees leaves, I have to re-spin and redistribute the password to everybody else.

      What year is this?

      TweetDeck fixes this on desktop, but even if running TweetDeck in a mobile browser works at all (I haven't tried) uploading photos would be horrible and uploading videos impossible, because web clients can't downscale the media before uploading like real programs can.

      Nobody has posted photos of our delicious pizzas for days because we are in the middle of just such a password fire-drill. It takes forever. Sigh.

      • Derpatron9000 says:

"have dozens of employees whom I want to give the ability to post to the business Twitter account, and the only way to do that is to give them all the one-and-only password -- which allows them to change that password and lock everyone else out. So when one of those employees leaves, I have to re-spin and redistribute the password to everybody else."

        Sounds like you should write an interface to which you have control, allowing your staff to send tweets.

        Check out the perl module Net::Twitter::Lite::WithAPIv1_1

        • jwz says:

          How about you re-read paragraph 3 and realize why that is no more workable than using a web client.

          • Derpatron9000 says:

            Horrible in terms of what?
            You could cater for both video and photo scaling via a perl script.

            • jwz says:

              FFS! Getting the video from the phone to the perl script without uploading the 1080p or 4K file over wifi is the part you cannot solve without a native app.

      • Zach says:

        If you setup "teams" for account sharing in TweetDeck once (either the app on Mac or in a browser), you can apparently use the shared accounts from the iOS and Android native Twitter apps. So you could give your employees access to your team from within TweetDeck, and they get an account selector thing in the normal Twitter app for posting photos and videos (with the usual possibility of "wrong account" hijinks). That will do whatever native app downscaling normally happens. Then remove people from the team from within TweetDeck if they leave.

        This is all stupidly cumbersome compared to Facebook's business manager tools, but it's probably enough to avoid the need for shared passwords.

        Anyway, your invocation of "delicious pizzas" caused me to click through to dnapizza.com to see the menu for said pizzas, because I am hungry, and the "Order online!" link leads to a Postmates 404 page.

        • jwz says:

          Ok, being able to use Teams on iOS is totally brand new and I didn't know about that. I'll check it out.

          Postmates: FUCKING AWESOME. I see they'd really rather not take our or anybody's money. I feel like all of these ordering and delivery companies are some kind of false flag operation to drive money to Uber.

          • dzm says:

            Also also, and just to be annoying - the bottom three images (the food images) don't load. When I look at the Firefox console I see:

            The resource at “https://pbs.twimg.com/media/DTNcvgTVwAAQ6Ew.jpg” was blocked because tracking protection is enabled.

            So FF 57 considers img links to Twitter to be tracking code and blocks 'em.

  5. Derpatron9000 says:

    This all sounds like a good reason not to use twitter at all...

    • jwz says:

      Sure! I'll stop using Twitter, Facebook and Instagram and really distinguish myself by being the only nightclub on the planet with no social media presence of any kind! That will make the money just roll right in, I'm sure.

      Thanks for your helpful insight!

  6. Russ says:

    If it's doing shady things that are causing crashes, quickest way to get some data out is valgrind.

  7. JP says:

    The problem is definitely not specific to your setup. I have been seeing the same issue. I got here by googling "safari causes tweetdeck to crash".
