Bitcoin Forum
Author Topic: Important Question about API Scam  (Read 139 times)
Cryptoababe (OP)
August 29, 2020, 01:12:00 PM
 #1

I asked this question on a post but I got no response, so I decided to make a new thread to get the attention of people who understand my questions more.

I asked a question about this particular subtopic:
Quote
API scam: Avoid unrecognized API services that aren't recommended by your exchange. If you must use an API on a third-party app, contact your exchange support if their services are legit and secure.

My question is:
What about the Telegram bots (API) or websites which ask you to connect your Twitter or Reddit account to be able to participate in their social media tasks so as to earn tokens? Is there any possible scam or compromise of social media accounts?

tranthidung
August 29, 2020, 01:57:59 PM
 #2

How do you define the term of connection? If the connection requirement is to leave links to your accounts on Reddit or Twitter, like bounties often do, the risk is smaller (of course there is always risk when you disclose more details of your accounts).

I don't use API but you can imagine a similar requirement in bounties when companies require bounty hunters to finish KYCs only to receive their shit tokens. Do you realize such risks when you exchange your identities to receive shit tokens? Why KYC is extremely dangerous – and useless

About API, maybe what you mentioned are free APIs. Free sometimes contains risks.

Charles-Tim
August 29, 2020, 02:15:53 PM
Merited by Cryptoababe (1)
 #3

Quote
What about the Telegram bots (API) or websites which ask you to connect your Twitter or Reddit account to be able to participate in their social media tasks so as to earn tokens? Is there any possible scam or compromise of social media accounts?

Normally, there are different types of scam. In the scams called API scams, the scammers have sites that look similar or identical to the normal legit site. The scammers target victims in such a way that the victim logs in through the fake link provided by the scammers; from there, the scammers will be able to access the user's account if the user uses the fake phishing link to log in to his/her account. This is a common type of scam now.

It is very possible for a social media account to be compromised. I have seen two to three cases like that, even to the extent that the scammers compromise the social media account and chat with the victim's friends, which can lead to the friends being scammed too, thinking the account owner is the one chatting with them, not knowing it is a scammer.

Any account can be compromised by malware, and about API, your login details can be known; they all make use of malware to compromise people's accounts. That aside, also know that this malware can compromise anything related to the victim. We should be careful of these attacks.

Quote
About API, maybe what you mentioned are free APIs. Free sometimes contains risks.

The OP is referring to web API keys. When the scammers have already compromised the account by knowing the login details, this opens access to the API key, and then the possibility to control the victim's account. The victim may not know until he has lost funds on the account.

DdmrDdmr
August 29, 2020, 02:26:47 PM
 #4

<…>
The former API scam quote goes on to warn people against handing out API access to their Exchange to third-party apps such as trader bots or other types of apps that connect to your Exchange account. Since the API may be authorised to allow the third party to interact on the Exchange on your behalf, you need to know exactly who and what you are giving access to your API keys.

I’m not sure how that relates to the other part of your post. If you are doing social media tasks from your account, you are not giving potential control over to a third-party entity.

Nevertheless, sometimes a website may require you to connect to it through credentials such as your Facebook or Google credentials. On these occasions, the website using your Facebook or Google credentials as a way to identify yourself should only receive a token (not your password), but it is not uncommon for the API to reveal other information to the website, such as your age and name. It’s also not discardable that some site may create a dummy screen to capture your credentials, and forward them to the Facebook or Google API to seem legit. 2FA should prevent this from happening successfully, I figure.

Facebook should be notifying you of the exact information they share with a site on which you sign on using their credentials, but I’m not aware if that has rolled out yet (see https://www.helpnetsecurity.com/2020/01/16/facebook-login-third-party-apps/). But hey, you save having to deal with an extra pair of credentials when logging in to a site that allows for Facebook credentials to be used …
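
An added example, not part of the original thread: a small Python check for the two points raised in post #4 above, namely whether the login screen is really served by the provider and how much access the site is requesting. The host allowlist, the set of identity-only scopes and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts that really serve each provider's OAuth 2.0 consent page.
PROVIDER_HOSTS = {
    "reddit": {"www.reddit.com"},
    "google": {"accounts.google.com"},
}
# Assumption: scopes that only identify the user (no posting, no messages).
IDENTITY_SCOPES = {"identity", "openid", "email", "profile"}


def review_consent_url(url, provider):
    """Return findings for the authorization URL a site sends you to."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not-https")
    # A look-alike login page fails here: it is not on the provider's host.
    if host not in PROVIDER_HOSTS.get(provider, set()):
        findings.append("host-mismatch:" + host)
    query = parse_qs(parts.query)
    scopes = set()
    for value in query.get("scope", []):
        scopes.update(value.replace(",", " ").split())
    # Anything beyond identity gives the site more than proof of who you are.
    extra = sorted(scopes - IDENTITY_SCOPES)
    if extra:
        findings.append("extra-scopes:" + ",".join(extra))
    # Reddit's duration=permanent and Google's access_type=offline ask for a
    # refresh token, so access continues after you leave the site.
    if query.get("duration") == ["permanent"] or query.get("access_type") == ["offline"]:
        findings.append("long-lived-access")
    return findings


# Constructed sample URLs (client_id, state and redirect_uri are placeholders).
BASE = "client_id=CLIENT_ID&response_type=code&state=s1&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
SAMPLES = {
    "sign-in only": "https://www.reddit.com/api/v1/authorize?" + BASE + "&duration=temporary&scope=identity",
    "task bot": "https://www.reddit.com/api/v1/authorize?" + BASE + "&duration=permanent&scope=identity+submit+privatemessages",
    "look-alike": "https://reddit.com.login.example/api/v1/authorize?" + BASE + "&scope=identity",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, "->", review_consent_url(url, "reddit") or "ok")
```

An empty result means the URL is on the expected host over HTTPS and asks only for identity; any finding is a reason to stop and read the consent screen before approving.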
Cryptoababe (OP)
August 29, 2020, 03:13:43 PM
 #5

So, API scams are of different types. Which means it's somehow safe to connect a social media account through an API, but not fully safe. An account can easily get compromised, and two-factor authentication can make the account safe.
Also, there are some fake sites created like API just to steal accounts.
Thanks for all your responses. Now I understand better.

Charles-Tim
August 29, 2020, 04:29:53 PM
 #6

Quote
So, API scams are of different types. Which means it's somehow safe to connect a social media account through an API, but not fully safe. An account can easily get compromised, and two-factor authentication can make the account safe.
Also, there are some fake sites created like API just to steal accounts.
Thanks for all your responses. Now I understand better.

Also, about the use of 2FA, you are right, it helps protect accounts, but for safety it will be better to have the 2FA on another safe device other than the device you use to access the 2FA-enabled accounts.
