Twitter hijacking

Computerworld reports that a bunch of famous people's Twitter accounts were subverted and used to send quasi-embarrassing messages:
"This morning we discovered 33 Twitter accounts had been 'hacked,' including prominent Twitter-ers like Rick Sanchez and Barack Obama," Twitter co-founder Biz Stone said in a post to the company blog. "We immediately locked down the accounts and investigated the issue. Rick, Barack and others are now back in control of their accounts."

Earlier in the day, the hacked accounts had been used to send malicious messages, many of them offensive. CNN correspondent Rick Sanchez's account, for example, tweeted a message claiming that "i am high on crack right now might not be coming to work today," while Fox News' Twitter update reported "Breaking: Bill O Riley [sic] is gay," referring to the network's conservative talk show host.

According to Twitter, the accounts were hijacked using the company's own internal support tools. "These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the e-mail address associated with their Twitter account when they can't remember or get stuck," Stone admitted. "We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure."

I would be interested to hear more about exactly what happened with the support tools—though I doubt we will. It's easy to imagine a bunch of vulnerabilities in these tools (remote compromise, predictable URLs, insecure address changes) and most of them are easily fixed. However, even if the tools are implemented correctly, account recovery is one of the most challenging problems for this kind of application. The basic problem is that you don't know that much about your user other than their username and password, so it's very hard to distinguish an attacker from a user who has forgotten his password. The two conventional techniques are "security questions" ("what's your mother's first pet's maiden name and when did it graduate from high school?") and email recovery ("we've sent a message to the email address you registered with. Please click on the link in the message"), but neither of these is really that great, for reasons the security community has hashed over ad nauseam. Obviously, we can make account theft harder by creating a tighter relationship with the user (get more personal information, have him pay for access so you can double-check his credit card number, etc.). However, this comes at a convenience and effort cost. Unless you're willing to make password recovery incredibly painful, it's pretty hard to reduce this risk to the level where a dedicated attacker wouldn't have a shot at cracking some people's accounts (and that's not to mention the use of weak passwords). This isn't to say, of course, that Twitter's tools aren't broken. As I said, I don't know much about that.
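As an added illustration (not code from this post or from Twitter), here is the email-recovery flow sketched above in Python: the kind of reproducible "token" that sits behind a predictable reset URL, beside an issuer whose links are unguessable, expire, are bound to one account and work only once. The class name, the in-memory store and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a mailed recovery link


def predictable_token(username: str, issued_at: int) -> str:
    """The weak pattern: a 'token' derived from public inputs. Anyone who
    knows the username and roughly when the request was made can rebuild
    the same link, so the email step authenticates nothing."""
    return hashlib.md5(f"{username}:{issued_at}".encode()).hexdigest()


class RecoveryTokens:
    """Issue and redeem recovery tokens that are random, expiring, bound to
    one account and single-use. Only the SHA-256 of each token is stored,
    so a copy of this table does not yield working links."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock (for tests)
        self._pending = {}              # token digest -> (username, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG: not derivable from user id or time
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token                    # goes into the mailed link; never log it

    def redeem(self, username: str, token: str) -> bool:
        """True only if `token` is live, unused and was issued for `username`."""
        digest = self._digest(token)
        entry = self._pending.get(digest)
        if entry is None:
            return False                # unknown, or already consumed
        owner, expires_at = entry
        if self._now() > expires_at:
            self._pending.pop(digest)   # stale link: drop it
            return False
        if owner != username:
            return False                # link belongs to a different account
        self._pending.pop(digest)       # single use: consume on success
        return True
```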

What I find interesting about this attack and most other "content" hijacking attacks you hear about (e.g., Web sites) is how lame they are. The attackers take over someone's site and then post something transparently forged that is supposed to be embarrassing to the victim. Surely if you were serious about it you could generate some content which would be credible and much more damaging (remember when Google replayed an old article and tanked United's stock price?). The more that organizations use the Web, Twitter, etc. as primary communication mechanisms, the more effective this is going to be.
