<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: What Can Twitter Do About Hacking?</title>
	<atom:link href="http://www.reputationdefenderblog.com/2009/11/25/what-can-twitter-do-about-hacking/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.reputationdefenderblog.com/2009/11/25/what-can-twitter-do-about-hacking/</link>
	<description>ReputationDefender Blog &#124; Online Privacy, Online Reputation Management, Identity Management</description>
	<lastBuildDate>Wed, 10 Mar 2010 06:33:52 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Reputation Defender : Facebook Shutting Down Regional Networks, Improving Privacy Controls</title>
		<link>http://www.reputationdefenderblog.com/2009/11/25/what-can-twitter-do-about-hacking/comment-page-1/#comment-10449</link>
		<dc:creator>Reputation Defender : Facebook Shutting Down Regional Networks, Improving Privacy Controls</dc:creator>
		<pubDate>Wed, 02 Dec 2009 21:29:37 +0000</pubDate>
		<guid isPermaLink="false">http://www.reputationdefenderblog.com/?p=1625#comment-10449</guid>
		<description>[...] for reaching the 350 million user milestone, and let us hope that other social media companies (Twitter comes to mind) show the same level of commitment to [...]</description>
		<content:encoded><![CDATA[<p>[...] for reaching the 350 million user milestone, and let us hope that other social media companies (Twitter comes to mind) show the same level of commitment to [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Prefect</title>
		<link>http://www.reputationdefenderblog.com/2009/11/25/what-can-twitter-do-about-hacking/comment-page-1/#comment-10367</link>
		<dc:creator>Prefect</dc:creator>
		<pubDate>Thu, 26 Nov 2009 02:40:05 +0000</pubDate>
		<guid isPermaLink="false">http://www.reputationdefenderblog.com/?p=1625#comment-10367</guid>
		<description>Celebrities having their Twitter accounts cracked doesn’t seem like a new problem, and indeed Britney did report herself dead via Twitter back on June 28th. But there is a difference, and that is that many of the openings for easily brute forcing the Twitter password via the web site have closed. Note I said easily; don’t spam the comments with speculation on how the account was compromised (unless it’s high quality speculation), we know quite well that Twitter is still far from security nirvana.

Twitter has been slowly closing loopholes in their authentication process over the course of this year. Back in September we pointed out the reCAPTCHA implementation on login that shows up when you enter too many bad authentication attempts, a key difference in the process from when the rash of prominent account break-ins occurred earlier in the year (including the notable crack of a Twitter admin’s account). Twitter has more recently started to lock out accounts for an hour when they provide too many bad passwords (a lousy idea from a security perspective, but we’ll get into that some other time).

In Breaking Twitter we showed how Twitter rate limits were not enforced as advertised in their API documentation, allowing brute force of passwords via the API. Well that hole has somewhat closed.

From:
http://praetorianprefect.com/archives/2009/11/not-the-haus-of-gaga-too/</description>
		<content:encoded><![CDATA[<p>Celebrities having their Twitter accounts cracked doesn’t seem like a new problem, and indeed Britney did report herself dead via Twitter back on June 28th. But there is a difference, and that is that many of the openings for easily brute forcing the Twitter password via the web site have closed. Note I said easily; don’t spam the comments with speculation on how the account was compromised (unless it’s high quality speculation), we know quite well that Twitter is still far from security nirvana.</p>
<p>Twitter has been slowly closing loopholes in their authentication process over the course of this year. Back in September we pointed out the reCAPTCHA implementation on login that shows up when you enter too many bad authentication attempts, a key difference in the process from when the rash of prominent account break-ins occurred earlier in the year (including the notable crack of a Twitter admin’s account). Twitter has more recently started to lock out accounts for an hour when they provide too many bad passwords (a lousy idea from a security perspective, but we’ll get into that some other time).</p>
<p>In Breaking Twitter we showed how Twitter rate limits were not enforced as advertised in their API documentation, allowing brute force of passwords via the API. Well that hole has somewhat closed.</p>
<p>From:<br />
<a href="http://praetorianprefect.com/archives/2009/11/not-the-haus-of-gaga-too/" rel="nofollow">http://praetorianprefect.com/archives/2009/11/not-the-haus-of-gaga-too/</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
