New York Comic-Con hijacks attendees' Twitter accounts to send out shilling tweets


A hammer or a microwave for a couple seconds can fix that. (Be careful with the microwave and the hammer, for that matter.)

Hi boss! I’m not really at a funeral I’m motorboating some guy dressed as a genderbent Powergirl, in the middle of a Deadpool conga-line!

I love #NYCC!



I suspect that the twitter zombie goes on regardless of what you do with your badge - log on to your twitter and dis-enable the NYCC app permissions.

They seem to have stopped doing it— From Mashable:

UPDATE, Oct. 11, 10:55 a.m. ET: A representative sent Mashable the following statement:

As you may have seen yesterday, there were some posts to Twitter and Facebook issued by New York Comic Con on behalf of attendees after RFID badges were registered. This was an opt-in function after signing in, but we were probably too enthusiastic in our messaging and eagerness to spread the good word about NYCC. We have since shut down this service completely and apologize for any perceived overstep. Please accept our apologies and have an absolutely excellent time this weekend. -Your friends at NYCC

Why is this even possible? Facebook has the same problem where people “like” a company and that somehow gives the company permission to post in that person’s name. Who in the world thinks this is a good idea?


I’m sure companies think it’s a good idea until they get bad press for it, assuming they do. At least some of the crap Facebook pulls is unintentionally funny, though. At one point an ad popped up for me that said, “Sexy singles in your area are looking for you!” There was a picture of a “sexy single” who was a friend of mine, who was 1) married and 2) used a caricature portrait as his profile pic.

ZOMG! Posting on Boing Boing feels like warm onion-gravy running down your face.


I can see why the functionality is there on twitter. Being able to allow online services to post to your twitter can be a great thing. It allows for services like Hootsuite, where you can post to any social media site from one place. Or any other device or site that posts stuff automatically (that you want). Your GPS watch could tweet when you finish a run, and some people want this.

The problem is when companies hijack this service. I bet it was worded as something like “connect to my twitter”, then twitter had a list of granted permissions that people clicked through. They didn’t realize that “connect” meant “post whatever the hell this company wants about themselves, pretending to be me”.

The fix can’t really be on twitter’s end. It has to be what happened here. Outraged customers, bad press. Hopefully someone gets fired.

How much you wanna bet a bunch of people were totally ignored when this came up in meetings and they said “People will not like that.” The Happy Happy in the room told them not to be a spoilsport.


The good news is that, now most ComicCon attendees have learned not to hand over their Twitter password. The bad news is that’s what percent of America… point-lots of zeros-one? I think this trick is going to work over and over and over before most of us wise up.

What makes you think anyone handed over passwords?

All the signs of a deliberate spam run: “Opt in” yeah sure, I’ll bet less than one per cent knew they were “opting in” to anything.

You can tell the lawyers worked this over: “perceived” overstep… and “probably too enthusiastic” and “on behalf of attendees…”.

Total BS, they knew exactly what they were doing but were just too stupid to think anyone’d notice and object. Clueless marketing weasel activity.

Boundegar wrote: “The good news is that, now most ComicCon attendees have learned not to hand over their Twitter password.”

Stealing passwords is brutally retro: Twitter has a fully supported mechanism for the delegation of certain powers, to be carried out as though by the user, without any password sharing. Facebook and friends, most of the ‘social’ world have equivalents of various flavors.

Architecturally, I’m sympathetic. Secure capabilities delegation is absurdly superior to password sharing, and has legitimate and necessary uses (y hello thar sudo, we were just talking about you…); but realistically it has always made the hairs on the back of my neck rise a bit in the context of ‘social media’ services, whose primary purposes (in the hands of 3rd parties, who would be the access delegates) are almost invariably spam, data-mining, and the occasional splashy humiliation/character assassination of the account-holder. The fact that those miserable abhumans at Zynga made very, very, heavy use of these delegation capabilities in promoting Farmville and its vile ilk probably doesn’t help my feelings on the subject.

TL;DR: It almost certainly wasn’t a password breach, it’s a capability that ‘social’ companies (especially the starving ones with minimal revenue models, like, oh, Twitter) almost invariably have, largely for the benefit of their real customers, and no, nobody will learn anything.


Never ascribe to cluelessness what would be the natural behavior of evil…

Heh, “perceived overstep.”

Talk about sleaze.

Normally I’d agree but marketing “experts” live in a very isolated bubble in which everything is filtered by their own hype and after a while, they start thinking they understand “what people want” and start believing that their opinions are reality.

Look up the history of the Ford Edsel, “The Car America Wants!”, to see just how deeply they can get themselves embedded into their own artificial reality and how badly they understand things.

Being twitless, I had no idea. I have a very happy feeling today about my lack of social media.

So, like some sick little cult, except with a nigh-unlimited budget for ad buys across virtually every medium in the developed world?

Somebody should go back and warn the Sumerians about where this ‘civilization’ nonsense is going to lead.


I try to avoid the stuff myself; but the architectures (whether the actual code, things like OAuth are reasonably common, or just the concepts) crop up in all sorts of places, with social media just being the one where humanity’s more…malignant facets… tend to crawl around them.

Impersonation has loads of banal use cases, often actually beneficial, in computer systems (hypothetically, for instance, you could use Twitter’s OAuth mechanism to ensure that your phone, with its high odds of being lost or stolen, can allow you to tweet without retyping your password and without storing it at all, instead just storing an OAuth token that you can revoke should you lose the phone, or it be revealed that the maker of the app you were using is an unethical scumweasel hoovering up contact data for marketing purposes…) You also see it in system security (in Windows, the UAC ‘elevation’ process which allows you to run at low privileges most of the time; but makes adopting high privileges when needed much easier than logging out and logging in as admin. Similar admin credentials prompt mechanism on OSX, sudo or su on Linux and the traditional unixlikes) and in various groupware scenarios (show me an organization with an Exchange server, and I’ll show you an organization where the secretary probably has read/write access to the boss’ calendar, to manage it and schedule meetings and such).