The recent reports of hacking on Twitter, where accounts of known celebrities were taken over, are a bit misleading, according to new information. However, the hacking -- as it were -- raises some serious questions about development and password security.
Twitter account hijackings raise concerns over account protection (IMG:Twitter/J.Anderson)
The story starts with a total of 33 accounts. These accounts were taken over after someone gained access to a single Twitter employee's account.
With control over the account secured, the person, known only as 'GMZ' (an 18-year-old who, according to some posts online, has never hacked anything before), was able to reset the passwords for any Twitter account using tools provided to the employee account.
Ultimately, this is not such an interesting hack, not even big news.
It was only because some of the accounts were attributed to celebs, such as Bill O'Reilly, Rick Sanchez, Britney Spears, Kevin Rose, and others, that any attention was paid to the story. Yet, the media hype duly kicked into overdrive because, aside from the listed names, a certain Barack Obama had his account hijacked too.
Technology site Wired has posted an interview with GMZ. Those wishing to witness the would-be hacker's 15 minutes of fame can do so by clicking the link.
The problem with Twitter is not that the accounts were taken over, but rather that the hijacking was allowed to happen in the first place. Because Twitter had no limits on failed password attempts, GMZ was able to guess at the employee's account password indefinitely without fear of consequence.
Another problem is that GMZ’s password guessing attempts used a simple English dictionary. The account password, later revealed to be 'Happiness', was entirely too weak and, as a savvy Web 2.0 company, Twitter really should have known better.
On the Twitter blog, the company had this to say about the pending resolution for these problems:
“We are engaged in a full security review of all access points to Twitter. In the meantime, we are taking immediate action. First, we are increasing the security of our sign-in mechanism. For added security, we are further restricting access to our support tools. Events like this will happen from time to time to services like ours and it's important how we conduct ourselves and that we take this as an opportunity to make Twitter stronger.”
Sadly, events like this do happen. However, eyebrows are likely being raised because access could have been prevented. Why was there no password lockout system in place to respond to failed attempts, and why was an employee allowed to use such a simple password on their account?
The key to preventing this attack, from a development side of things, is to implement a password policy that protects the system as well as the user accounts. That means lockout code for failed attempts, and regular password audits and mandatory password rotation.
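The two controls the article calls for, a lockout after repeated failed sign-ins and a policy that rejects short or dictionary passwords at the moment they are set, are shown together in the following example. This is an added illustration, not Twitter's code; the word list, the account structure, the threshold of five failures and the fifteen-minute lockout are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed stand-in for the English word list the article says GMZ used;
# a real deployment loads a large dictionary or breached-password list.
COMMON_WORDS = {"happiness", "password", "welcome", "sunshine", "letmein", "twitter"}

MAX_FAILURES = 5            # failed attempts tolerated before the account locks (assumed)
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts (assumed)
MIN_LENGTH = 12             # minimum password length (assumed)
PBKDF2_ROUNDS = 100_000     # work factor for the stored hash


@dataclass
class Account:
    """Hypothetical account record: salted hash plus lockout bookkeeping."""
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def policy_violations(password: str) -> list:
    """Return the reasons a candidate password fails the policy (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


def create_account(username: str, password: str) -> Account:
    """Enforce the policy when the password is set, so a guessable word is refused up front."""
    problems = policy_violations(password)
    if problems:
        raise ValueError(f"rejected password for {username}: {', '.join(problems)}")
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def attempt_login(account: Account, password: str, now=None) -> str:
    """Return 'ok', 'denied' or 'locked'.

    Once locked, even the correct password is refused until the lock expires,
    so an unlimited guessing run never pays off. `now` is injectable for testing.
    """
    now = time.time() if now is None else now
    if now < account.locked_until:
        return "locked"
    candidate = hash_password(password, account.salt)
    if hmac.compare_digest(candidate, account.pw_hash):
        account.failures = 0        # a good sign-in clears the failure counter
        return "ok"
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.failures = 0
        account.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


if __name__ == "__main__":
    # The article's password is refused on two counts before it can ever be used.
    print("Happiness ->", policy_violations("Happiness"))
    acct = create_account("support_agent", "correct-horse-battery-9")
    # Five dictionary guesses in a row: four denials, then the lock engages.
    for guess in ["happiness", "password", "welcome", "sunshine", "letmein"]:
        print(guess, "->", attempt_login(acct, guess, now=1000.0))
    print("correct password while locked ->", attempt_login(acct, "correct-horse-battery-9", now=1001.0))
```

The lockout is keyed to the account rather than to the client address, which is what matters for a support-tool login: a guesser who rotates addresses still runs out of attempts. In a real system the counter and lock timestamp would live in the user store so that every front-end sees the same state.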
The account hijacking is only one of the issues Twitter has faced recently. The company also had one hell of a weekend after phishing attempts were made on more than one account using direct messages. Like the account hijacking issue, Twitter took measures to fix the phishing issue as well.