Wow, that really is a ton of egg on Twitter's face.
The revelation from TechCrunch's Michael Arrington that at least 300 highly confidential, internal Twitter documents had been stolen by a hacker and sent to his inbox should have been a shocking one. Unfortunately for the microblogging platform, it wasn't: Twitter is on its way to becoming synonymous with "terrible security," in particular on the part of its administrators and back-end staff. Back in May, the social network's admin panel was compromised by a hacker known as "Hacker Croll," who claimed that he got into one of Twitter's admin accounts by guessing the password, which was, simply, "happiness."
Now, that same hacker is claiming to have successfully "hacked" Twitter accounts, Gmail accounts, and dozens of other network logins and passwords belonging to Twitter employees and even co-founder Evan Williams and his wife. He claims to have collected hundreds of pages of confidential documents, including information on Twitter's business plan (world-shattering shock: they're going to make money through account verification and Google AdSense), their projections for the coming years (25 million users by the end of 2009, 100 million by the end of 2010, and 350 million by the end of 2011), and lists of interviewees (potentially very damaging for people who are interviewing at Twitter while still working at their current jobs). The list of sensitive information the hacker claims is in the document package is staggering.
According to a post on a French website, Korben.info, the hacker didn't use brute-force password cracking, keylogging or any other "technical" attack; he simply abused the password-recovery features of popular websites like Gmail, Amazon, and MobileMe, resetting one account and then using it to reset the next.
From a translation of that original French post:
All of which raises the question: what on earth is going on with Twitter's security? It should be a no-brainer that a service as massive as Twitter is going to be the target of fairly complex attacks, both technical (exploits) and non-technical (social engineering). It's likely that the latter played the larger role here, since Hacker Croll himself hasn't displayed any particularly deep knowledge of exploitation or password cracking; rather, he appears to be an extremely clever individual with a solid understanding of social engineering, of how password-reset flows can be chained from one account to the next, and of how easy it can be to get someone to give up their password if you ask the right questions.
Korben.info offered what is allegedly a quote from Hacker Croll himself on the topic:
Meanwhile, Evan Williams confirmed to Michael Arrington at TechCrunch that some accounts had indeed been compromised, among them his wife's Gmail account and several others, but stopped short of confirming that the hacker had compromised as many accounts as he claimed. From Williams' email to Arrington:
- He did not actually gain access to my @ev Twitter account (or any Twitter accounts) nor any administrative functions of the site.
- There is also no evidence that he gained access to my email. There was one administrative employee whose email was compromised, as was my wife's Gmail account, which is where he got access to some of my credit cards and other information.
- He also successfully targeted a couple other employees personal accounts (Amazon, AT&T, Paypal…)
The Twitter co-founder went on to express distress at the compromise of security.
"Distress" is exactly what we're feeling right now, looking at how weak security seems to be on Twitter's back-end. At a company of that size, of that importance, every single employee from the CEO to the janitor should be intimately familiar with social engineering techniques, should use strong passwords (12+ characters, mixed upper- and lower-case letters, numbers and special characters), and should treat "password recovery" questions as a second password rather than a quiz. "What is your wife's maiden name?" might cut it for me, whom nobody knows, but in the case of a person like Evan Williams, information like that is simply too easy to come by. Other solutions are needed, such as answering the recovery question with a random string that is kept in a password manager instead of the true answer, so that the reset path is no weaker than the login itself.
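As an added example (not code from the original post or from Twitter), here is a small Python script that checks the password rule recommended above, shows why a guessable "secret question" answer adds nothing when the attacker can look the fact up, and generates a random recovery answer of the kind a password manager would store. The five-word dictionary, the public-facts list and the entropy thresholds are constructed for illustration only; a real check would use a breach corpus or a large wordlist.

```python
"""Password and recovery-answer checks (added example, not part of the original post)."""
import math
import secrets
import string

# Constructed stand-in for a real wordlist: five entries, including the
# admin password mentioned in the post.  A production check would load a
# breach corpus instead.
COMMON_WORDS = {"happiness", "password", "twitter", "letmein", "welcome"}

# Size of each character class, used for a crude entropy estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}


def char_classes(s):
    """Report which character classes the string actually uses."""
    return {
        "lower": any(c.islower() for c in s),
        "upper": any(c.isupper() for c in s),
        "digit": any(c.isdigit() for c in s),
        "special": any(c in string.punctuation for c in s),
    }


def estimated_entropy_bits(s):
    """Upper bound on entropy: length * log2(alphabet size actually used).
    A dictionary word scores far lower in practice, so this flatters weak input;
    it is only meant to contrast a word with a random string."""
    used = char_classes(s)
    alphabet = sum(size for name, size in CLASS_SIZES.items() if used[name])
    if not s or alphabet == 0:
        return 0.0
    return len(s) * math.log2(alphabet)


def check_password(pw, min_len=12):
    """Return a list of policy failures; an empty list means the password meets
    the 12+ characters, mixed case, digits and specials rule from the post."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name, present in char_classes(pw).items():
        if not present:
            problems.append(f"no {name} characters")
    if pw.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


def generate_recovery_answer(nbytes=16):
    """A random 'answer' for a security question (128 bits by default).
    Nobody can look it up, including the account owner, so it belongs in a
    password manager rather than in memory."""
    return secrets.token_urlsafe(nbytes)


def recovery_answer_is_guessable(answer, public_facts):
    """True when the answer is one of the facts an attacker could find about the
    target (maiden names, pets, home towns), i.e. when it adds no security at all."""
    known = {fact.strip().lower() for fact in public_facts}
    return answer.strip().lower() in known


if __name__ == "__main__":
    # Constructed facts an attacker might dig up about a public figure.
    facts = ["Smith", "Palo Alto", "Spot"]
    print("happiness ->", check_password("happiness"))
    print("entropy(happiness) ~", round(estimated_entropy_bits("happiness"), 1), "bits")
    answer = generate_recovery_answer()
    print("random recovery answer:", answer)
    print("entropy(random answer) ~", round(estimated_entropy_bits(answer), 1), "bits")
    print("'Smith' guessable:", recovery_answer_is_guessable("Smith", facts))
    print("random answer guessable:", recovery_answer_is_guessable(answer, facts))
```

Running it flags "happiness" on every rule at once (too short, single character class, dictionary word), while the random recovery answer passes the same tests and is not in the attacker's list of facts. The entropy figure is deliberately a crude upper bound; its only job here is to make the gap between a looked-up word and a generated string visible.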
It was embarrassing last May when Hacker Croll was able to guess one of Twitter's admin passwords. That was the point when Twitter should have woken up and moved fast to strengthen its security, starting at the very top of the food chain and ending at the very bottom. How many more high-profile security breakdowns is Twitter going to have before it wakes up and smells the coffee?
We'll be covering the details of this information leak as we get them in the coming days; we're expecting several high-profile news sites (as well as the ubiquitous Wikileaks) to release some of the documents publicly within the next few days.