Taking the Tweet out of Twitter

By hmu2 at 6:17 pm on January 7, 2009 | 12 Comments

According to a recent New York Times article, the popular “micro-blogging” site Twitter has been the victim of a series of recent hacking and phishing attacks. The article explains that 33 member accounts, most of them belonging to big names like President-elect Obama and Britney Spears, were hijacked by an attacker who gained access to Twitter’s support team tools. The attacker recovered email addresses and passwords associated with user accounts and posted obscene and inappropriate updates. Twitter users also became the victims of phishing by receiving emails with links to “Free iPhones”, which directed them to a spoofed Twitter login page.

This site has been steadily gaining popularity, which, the article states, may have been reason enough for an attacker to exploit the vulnerabilities in the support tools. Being a small but quickly-growing company, Twitter also may not have had the funding or the time to put as much thought into the security of its tools as was necessary.

As the article did not state exactly where or what the vulnerability was, it is hard to say what sort of security measures Twitter could have used to prevent such attacks. Stronger authorization requirements for the support tools and more secure user authentication practices could probably have been used, but the very fast response time to these attacks is an indicator that Twitter does have security measures in place to quickly detect an attack. Both the limited number of accounts that were hijacked and the almost immediate removal of the faulty tool reflect some positive light on an otherwise negative situation.

One of the major concerns people had when they discovered that their account passwords had been compromised was that this password was the same for many of their other personal accounts such as PayPal, email accounts, bank accounts, etc. This could obviously lead to a huge breach of personal privacy far worse than “twittering” inappropriate comments. Another ethical issue that arises in a situation like this is damage to the reputations not only of the site itself, but of individuals who may “say” something that reflects badly on their political position or general reputation. The attacker also could have used the hijacked accounts to start a major scare of some sort (a disaster, a terrorist attack, an assassination, etc.) among Twitter’s growing user base, which could have had world-wide security implications.

After these attacks, Twitter plans to use a third party authentication program so users can provide additional personal information to log in via a third party, thus making it more difficult to hijack their account by obtaining only their password. Users should realize the potential dangers of these kinds of attacks, take stronger measures to ensure the safety of their passwords, and be more aware of suspicious links and spoofed sites.

Filed under: Current Events

12 Comments

  • 1

    Comment by k

    January 7, 2009 @ 7:46 pm

    As it did not state exactly where or what the vulnerability was in the article, it is hard to say what sort of security measures Twitter could have used to prevent such attacks.

    It turns out that the attacker gained access simply by executing a brute force attack against an employee’s password. Interestingly, he originally thought his victim was simply a popular user, and only discovered he had access to support tools after he had performed the initial attack.

    You’re right that stronger authorization practices should be required – I’m surprised that they allowed an employee to have a password as simple as “happiness”. Additionally, there should be measures in place to detect and block such brute force attacks in the future.

  • 2

    Comment by Alan

    January 7, 2009 @ 8:50 pm

    Appears to have been a result of a simple brute-force dictionary attack: http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html

  • 3

    Comment by Sunetra Deshpande

    January 7, 2009 @ 9:06 pm

    I agree that Twitter was a small company and security may not have been the top priority. However, from the following article http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html

    we can show that the dictionary attack mounted against Twitter could have been prevented by introducing password complexity and simple lockout mechanisms such as limiting the number of rapid-fire login attempts.

  • 4

    Comment by Joylynford

    January 8, 2009 @ 3:55 am

    Whatever the case, my concern is whether the third party authentication program will safeguard the users’ details.

  • 5

    Comment by Tania Heim

    January 8, 2009 @ 10:50 am

    I found some more information about how the hacker was able to do what he did at: http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html
    The hacker selected a user who happened to be a Twitter employee and ran a program he wrote to guess the employee’s password, which was “happiness”. Because the employee’s password was so weak and because Twitter allowed unlimited password attempts, it was easy for the hacker to access the employee’s password. He was then able to use the employee’s administrative privileges to reset users’ passwords and gain control of their Twitter accounts.
    Most people only think about password security when they are protecting financial assets but, hopefully, this attack forced both Twitter and its users to begin to comprehend the damage that can be caused any time a password, and thereby an identity, is stolen.
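The two controls the comments above call for (comment 3's lockout on rapid-fire attempts and the password policy comment 5 implies) are shown below as an added illustrative example in Ruby; it is not Twitter's code or anything from the linked articles, and the class name, limits and word list are assumptions.

```ruby
require 'digest'

# Added example (not Twitter's code): lock an account after a burst of failed
# guesses, and reject dictionary words when a password is chosen.
class LoginGuard
  # Constructed, deliberately tiny word list standing in for a real dictionary.
  COMMON_WORDS = %w[password happiness letmein welcome qwerty 123456].freeze
  # max_failures: nil means unlimited attempts, as in the 2009 incident.
  def initialize(max_failures: 5, lockout_seconds: 900, clock: -> { Time.now.to_f })
    @max_failures, @lockout_seconds, @clock = max_failures, lockout_seconds, clock
    @users = {}     # username => password digest
    @failures = {}  # username => [failure count, locked-until timestamp]
  end

  # Policy for new passwords: :weak or :ok.
  def self.password_policy(password)
    return :weak if password.length < 10 || COMMON_WORDS.include?(password.downcase)
    return :weak unless password.match?(/\d/) && password.match?(/[A-Za-z]/)
    :ok
  end

  # Stand-in digest; a real system uses a slow password hash such as bcrypt.
  def digest(user, password)
    Digest::SHA256.hexdigest("#{user}:#{password}")
  end

  def register(user, password)
    @users[user] = digest(user, password)
  end

  # Returns :ok, :denied or :locked. The counter is per account, so guesses
  # spread over many source IPs still hit the same limit.
  def login(user, password)
    count, locked_until = @failures.fetch(user, [0, 0.0])
    return :locked if @clock.call < locked_until
    if @users[user] == digest(user, password)
      @failures.delete(user)
      return :ok
    end
    count += 1
    if @max_failures && count >= @max_failures
      @failures[user] = [0, @clock.call + @lockout_seconds]
    else
      @failures[user] = [count, 0.0]
    end
    :denied
  end
end

# Runs a rapid-fire guess list against one account and reports the outcome.
def run_guessing(guard, user, candidates)
  results = candidates.map { |c| guard.login(user, c) }
  { success: results.include?(:ok), locked_at: results.index(:locked) }
end
```

With the default limit of five failures, a constructed guess list that contains “happiness” in sixth position never reaches it: the account is locked after the fifth miss, whereas a guard built with `max_failures: nil` lets the same list succeed.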

  • 6

    Comment by Sean Miller

    January 8, 2009 @ 3:33 pm

    From reading the article the others have posted, it seems that Twitter had skipped over fairly basic security measures that could have prevented this attack.

    With the rising popularity of social networking sites that we have seen in the past few years, it’s surprising that a brute force attack was not detected by Twitter, let alone that Twitter does not enforce a more complex password. Even Facebook only requires a password of six characters in length and goes on to list suggestions of what a person might do to make their password more secure (numbers, capital letters). With the further integration of these websites into our lives through mobile devices, it would be in the best interest of them and their users to reevaluate their current security measures.

  • 7

    Comment by Ziling Zhao

    January 9, 2009 @ 12:40 am

    The idea that it was brute-forceable like that amazes me, unless he proxied his attack through multiple IPs.

    Linux and its brethren reject after 3 attempts, with a significant pause in between guesses that makes brute forcing infeasible. I’m assuming the developers are using either Mac or Linux, being that the application is written on Rails, so they *must* have encountered this at some point.

  • 8

    Comment by Eriel Thomas

    January 9, 2009 @ 9:52 am

    It seems that the weakest part of a security system is almost always the human element. In this case, the weak password was most definitely human error.

    What I think is more interesting than the attack itself is the motivation behind the attack. It was stated in the Wired article that Tania linked to that the attacker, an 18 year old, only wanted to pen-test the system for fun and to see if he could do it. After gaining access, he claimed that he didn’t even want to make use of the newly gained assets (the user accounts). Instead, he took requests on a forum for accounts to which people wanted access. The attacker was involved with a similar situation with YouTube, where he gained access to Miley Cyrus’s account and then gave this access to a friend (who went on to post a memorial video claiming Miley’s death). This attacker who broke into Twitter claimed that he did not even use a proxy as a means of security. Clearly he wasn’t overly malicious in intent. Although he may have ethically crossed the bounds by trying to take advantage of his nefariously gained access (giving the access to others), he did not abuse the system himself. My question to others is this: How should this class of “prank” attacks be punished? This idea of “doing it for the lulz”, or compromising systems for entertainment, seems to be becoming more popular, with sites such as 4chan.org where people try to compromise systems just for laughs (compromising in various ways, such as DoSing or adding juvenile content, etc.). This can be seen through the Sarah Palin email incident, where a user from 4chan broke into Sarah Palin’s email account. Seen as entertaining, with mischievous rather than harmful connotations, by the people who make these attacks, how should these people (in many cases younger teenagers) be dealt with?

    Although the article itself presents the issue of security specifically with twitter, I think the issue that needs to be addressed is the consequences of this growing movement of attacks as entertainment. This may have been the case in the past, but with the growing amount of online exposure and information online, these digital pranks are becoming especially prevalent. Fixing the security of these sites is a necessity, but this helps to address only the symptoms. What should be done to punish those who perform these attacks? What should be done to address the root cause?

  • 9

    Comment by devynp

    January 9, 2009 @ 2:39 pm

    On the sign-in process itself, apparently there are many obvious security holes that Twitter introduced, which were easily used by the attacker to compromise a user’s (admin’s) system. Not only does Twitter not limit the maximum number of failed login attempts and not require a strong password, but, after I tried experimenting with Twitter, apparently the user names are also displayed publicly. This makes it easier for the attacker because he only needs to try different password combinations. If the display name weren’t the same as the user name, the user (and the other adversaries) would have to guess both username and password to be able to log in to accounts, thus creating two-factor authentication.

  • 10

    Comment by beenen34

    January 9, 2009 @ 6:02 pm

    In response to Eriel’s post, it certainly is an interesting issue of figuring out how to address security attacks for entertainment value. Juvenile corrections time would seem harsh (nor are the programs likely suited to handle corrections for crimes or pranks of this nature), but the truth is far greater assets are at risk through security attacks than through simple theft or other teenager crimes and pranks.

    Perhaps one partial remedy to the solution is some education at the primary or secondary level of basic computing knowledge and some know-how to protect your personal information on computers. There’s certainly a vast amount of material that is constantly changing to cover, and resources for schools would be a major issue, but computers are such a major part of our everyday lives now that some knowledge should be expected of the public users. I wouldn’t suggest people should have a computing license to use a computer, but we have driver’s education because cars are tools that require responsibility to use and can cause significant damage, and are part of our everyday lives; why not something similar for computers?

    This doesn’t necessarily address the issue of punishment or response completely, but I think education could be a significant step in the right direction for people to learn how to protect their personal information by say, picking a better password than ‘happiness’.

  • 11

    Comment by elenau

    January 9, 2009 @ 9:09 pm

    I agree with previous posts that it is surprising that Twitter did not require stronger password combinations, especially for the employees with special access permissions to the website’s resources. It is also unfortunate that the website does not limit the number of login attempts, which seems to be a common practice, since this could be enough to save Twitter the trouble of cleaning up the mess that this attack has caused.

    It should be noted that the consequences could have been much worse if the attackers happened to act in a more silent and unnoticeable way under other people’s identities with the intention to steal important information, rather than just posting messages.

    I find the concerns that people had about having similar passwords for their PayPal, email, and bank accounts unnecessary. I do not see why it “could lead to a huge breach of personal privacy far worse”, since the article describes that the attacker could only reset the passwords of other account users, but not find out their exact combination.

    I am with Eriel on his comment that “the weakest part of a security system is almost always the human element”. Many internet users are not aware of how easy it can be to break into their accounts with a simple brute-force dictionary attack. I feel that it is the company’s responsibility to point this out to people when they create an account, by suggesting stronger passwords.

  • 12

    Comment by eyezac

    January 9, 2009 @ 10:30 pm

    I agree with Beenen34 that pranks like this pose less of a threat than more organized attacks with specific, malicious goals. Yes, they are violations of people’s privacy/property, and because of this they should–ideally–be stopped. But they are also a *relatively* benign way of exposing security weaknesses, and may actually diminish the risk of more serious attacks. In other words, it’s a good thing this mischievous kid hacked Twitter before someone with more evil intent could do so. Maybe instead of asking how people like this should be punished, we should ask how we can best take advantage of their exploits.
