What Can Twitter Do About Hacking?

New York Jets Wide Receiver David Clowney joined a new support group recently. The “no-I-didn’t-say-that-on-Twitter-what-do-you-think-I’m-nuts?” club.

Clowney and a growing number of celebrities, politicians, and other high profile individuals have had their Twitter accounts compromised, only to have the hacker send out humiliating tweets to the online world. Though most attacks haven’t lasted more than a couple minutes, the situation is embarrassing for both Twitter and the megastar, or even average Joe, who has to explain what happened.

Clowney’s Twitter account hack has been one of the worst so far, with the attacker going on for hours, swearing at and insulting bewildered fans. Other notable hack attacks include the Fox News Twitter account, where comments about Bill O’Reilly’s sexuality popped up, and the Britney Spears Twitter feed, where the assailant posted extremely distasteful remarks about the pop superstar, as well as references to Satanic worship. CNN’s Rick Sanchez, President Barack Obama, and The Huffington Post have all had their tweets hijacked too, with disturbing results.

The majority of Twitter account hackings occurred back on January 5, when 33 tweeters had their accounts put into lockdown after Twitter discovered an infiltration. The company released a statement on the Twitter Blog, saying the hacker had “hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck.” Twitter responded by taking the support tools offline for a period. Additionally, Twitter officials said they were undertaking a “full security review of all access points” at the time to determine the problem, while increasing sign-in security.

Currently, the company is working on a beta version of Twitter Verified Accounts, a method of determining the authenticity of users who establish Twitter accounts. In other words, it makes sure that Britney Spears, or an official agent of Britney Spears, is the one setting up the Britney Spears Twitter account. However, this system doesn’t address who is writing the tweets on each account once it exists.

Even social networking giant Facebook hasn’t completely resolved the hacking problem, given the rash of worms, phishing and spam attacks, and money transfer scams Facebook users have been bombarded with in the last year. In Facebook’s defense, though, the top networking site does provide a comprehensive Q&A to warn users and help them address the problems themselves. Facebook’s latest problem: worms that lure even the most stalwart social networker into visiting adult sites.

Twitter’s security problems extend well beyond “rogue tweeters.” In June a hacker compromised sensitive company information, including Twitter staff PayPal passwords and other internal documents, and e-mailed them out to various companies. So when can we expect Twitter to clean up its security act, and how? Perhaps all that’s needed is a series of challenge questions to access each account, like those employed by financial institutions, to better weed out the fakes.

Currently, Twitter and other Silicon Valley companies are beta testing OAuth, an open authorization protocol. The technology would allow Twitter users to grant third-party applications access to their accounts without handing over their passwords. Whether the protocol will help or hinder Twitter’s security difficulties, though, and whether it will keep phonies from broadcasting defamatory tweets to hundreds of followers, remains to be seen.


2 comments

#1 Prefect on 11.25.09 at 7:40 pm

Celebrities having their Twitter accounts cracked doesn’t seem like a new problem, and indeed Britney did report herself dead via Twitter back on June 28th. But there is a difference, and that is that many of the openings for easily brute forcing the Twitter password via the web site have closed. Note I said easily; don’t spam the comments with speculation on how the account was compromised (unless it’s high-quality speculation). We know quite well that Twitter is still far from security nirvana.

Twitter has been slowly closing loopholes in their authentication process over the course of this year. Back in September we pointed out the reCAPTCHA implementation on login that shows up when you enter too many bad authentication attempts, a key difference in the process from when the rash of prominent account break-ins occurred earlier in the year (including the notable crack of a Twitter admin’s account). Twitter has more recently started to lock out accounts for an hour when they provide too many bad passwords (a lousy idea from a security perspective, but we’ll get into that some other time).

In Breaking Twitter we showed how Twitter rate limits were not enforced as advertised in their API documentation, allowing brute force of passwords via the API. Well, that hole has somewhat closed.

From:
http://praetorianprefect.com/archives/2009/11/not-the-haus-of-gaga-too/
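The comment above describes two sign-in defenses, a CAPTCHA that appears after too many bad attempts and an hour-long account lockout after even more, and notes that the API rate limits were the weak point. The following is an added example, not code from the original post or from Twitter, showing how such an escalating login throttle is typically structured: failures are counted per account and per source address over a sliding window, a CAPTCHA is demanded once a small threshold is crossed, and the account is temporarily locked once a larger one is. The thresholds, the `LoginThrottle` and `attempt_login` names, the sample credential and the source address are all constructed for this example.

```python
import time
from collections import defaultdict, deque

# Thresholds are assumptions for this example, not Twitter's real settings.
CAPTCHA_AFTER = 3          # failures within WINDOW before a CAPTCHA is required
LOCKOUT_AFTER = 10         # failures within WINDOW before the account is locked
WINDOW = 15 * 60           # sliding window for counting failures, in seconds
LOCKOUT_SECONDS = 60 * 60  # the one-hour lockout the comment describes


class LoginThrottle:
    """Tracks failed sign-in attempts per account and per source address.

    The CAPTCHA requirement is keyed on both the account and the address, so a
    single address guessing many accounts is challenged too. The hard lockout is
    keyed on the account only, matching the behaviour described in the comment.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so tests can control time
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # account key -> unlock time

    @staticmethod
    def _keys(username, source_ip):
        return f"user:{username.lower()}", f"ip:{source_ip}"

    def _recent(self, key, now):
        """Drop failures older than WINDOW and return the remaining ones."""
        q = self.failures[key]
        while q and now - q[0] > WINDOW:
            q.popleft()
        return q

    def check(self, username, source_ip):
        """Return 'allow', 'captcha' or 'locked' for an attempt about to happen."""
        now = self.clock()
        user_key, ip_key = self._keys(username, source_ip)
        if self.locked_until.get(user_key, 0) > now:
            return "locked"
        for key in (user_key, ip_key):
            if len(self._recent(key, now)) >= CAPTCHA_AFTER:
                return "captcha"
        return "allow"

    def record_failure(self, username, source_ip):
        now = self.clock()
        user_key, ip_key = self._keys(username, source_ip)
        for key in (user_key, ip_key):
            self._recent(key, now).append(now)
        if len(self.failures[user_key]) >= LOCKOUT_AFTER:
            self.locked_until[user_key] = now + LOCKOUT_SECONDS

    def record_success(self, username, source_ip):
        """A correct password clears the counters for this account and address."""
        for key in self._keys(username, source_ip):
            self.failures.pop(key, None)


def attempt_login(throttle, verify_password, username, password, source_ip,
                  captcha_ok=False):
    """Gate a password check behind the throttle and return the outcome."""
    state = throttle.check(username, source_ip)
    if state == "locked":
        return "locked"
    if state == "captcha" and not captcha_ok:
        return "captcha_required"       # caller must present a CAPTCHA first
    if verify_password(username, password):
        throttle.record_success(username, source_ip)
        return "ok"
    throttle.record_failure(username, source_ip)
    return "bad_password"


def demo():
    """Constructed scenario: twelve wrong guesses at one account from one address,
    with the CAPTCHA always solved, then the correct password once locked."""
    clock = [0.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    users = {"sample_user": "correct-horse"}          # constructed credential
    verify = lambda u, p: users.get(u) == p
    outcomes = []
    for i in range(12):
        clock[0] += 1.0
        outcomes.append(attempt_login(throttle, verify, "sample_user",
                                      f"guess{i}", "203.0.113.5", captcha_ok=True))
    outcomes.append(attempt_login(throttle, verify, "sample_user",
                                  "correct-horse", "203.0.113.5", captcha_ok=True))
    return outcomes


if __name__ == "__main__":
    for n, outcome in enumerate(demo(), 1):
        print(n, outcome)
```

In the `demo` run the first ten guesses are rejected as bad passwords, the tenth trips the lockout, and the remaining attempts are refused without the password even being checked, including the correct one. That last point is the trade-off behind an account lockout: anyone who knows the username can trigger it by failing deliberately, which is why the CAPTCHA step and the per-address counter carry most of the anti-brute-force load here while the lockout is kept as a last resort.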

#2 Reputation Defender : Facebook Shutting Down Regional Networks, Improving Privacy Controls on 12.02.09 at 2:29 pm

[...] for reaching the 350 million user milestone, and let us hope that other social media companies (Twitter comes to mind) show the same level of commitment to [...]
