Over the last 24 hours Twitter has had more security-related publicity, thanks to what appears to be a breakdown in security practices by a staff member. A total of 13 images, taken by someone known as 'Hacker Croll' were posted to a French blog and a Warez forum, which detail the backend administration used by Twitter staff.
Twitter confirms admin account compromise. Image: Twitter.
Skeptics called the images suspect early on, but late yesterday evening Twitter confirmed that the images were legitimate and that the administration account had been accessed without authorization.
The images first appeared on the French blog Korben. Later, the same set of images, plus one of an e-mail account, was posted by Hacker Croll on the Warez Scene forum. The problem is that the French blog does not identify the person responsible for the administrative access to the Twitter domain.
At the same time, on the forum, Hacker Croll said it was a Yahoo account that had been accessed. This was done by guessing the answer to the secret question used for the password reset option, and the reset mailbox in turn yielded the Twitter password. Yet Hacker Croll posted a Gmail-related screen capture.
“I've used social engineering only, no exploit, no [XSS] vulnerability, no backdoor, [no SQL] injection,” Hacker Croll wrote. “[One] of the admins has a yahoo account, I’ve reset the password by answering to the secret question. Then, in the mailbox, I have found her twitter password.”
The timeline and the reference to Yahoo are where Hacker Croll’s claims start to get confusing. There is a reference to a “her” when it comes to the e-mail account Hacker Croll compromised. However, Twitter’s own Jason Goldman reported on Monday that his Yahoo account had been “hacked”. In addition, the Gmail image posted, while detailing an e-mail addressed to Goldman, is not the Yahoo account in question.
The claim that a Yahoo e-mail account held the Twitter staffer’s password, matched with Goldman’s claim that his Yahoo account had been compromised, led some to speculate that his admin access was used by Hacker Croll to thumb through the administration area.
In the Twitter blog post confirming that the screen captures of the administration area are authentic, Twitter does not name the staffer whose credentials were used.
It could also be that Hacker Croll doesn’t use English as a primary language, or perhaps staked a claim for an act that wasn’t his to begin with. No one knows for sure. However, since Twitter confirmed the breach, and the images prove it, we know someone was in the administration area.
“This week, unauthorized access to Twitter was gained by an outside party. Our initial security reviews and investigations indicate that no account information was altered or removed in any way. However, we discovered that 10 individual accounts were viewed during this unauthorized access,” Twitter wrote on its official blog.
The accounts, including those held by Barack Obama, Ashton Kutcher and Britney Spears, are all seen in the posted screen captures.
“Personal information that may have been viewed on these 10 individual accounts includes email address, mobile phone number (if one was associated with the account), and the list of accounts blocked by that user. We have personally contacted Twitter users whose accounts were compromised via this unauthorized access,” added the Twitter post.
This is not the first time someone has used a staffer’s access to rummage around on Twitter’s backend. Earlier this year, someone known as 'GMZ' used the password from a support team member’s account to access the site and post as various celebrities.
Likewise, compromising an e-mail account by guessing the secret question used to reset its password is a trick that is becoming the norm these days.
The links below cover some of Twitter's past regarding account hijacking and security issues.
The Tech Herald: Twitter hijackings raise concerns over account protection
The Tech Herald: Twitter attack - 750 accounts confirmed compromised
The Tech Herald: Twitter suffers Easter weekend problems
The Tech Herald: Palin hack highlights important e-mail risks