Phishers hit Twitter

by billso on Monday, 5 January 2009

Over the past weekend, phishers have been targeting Twitter users with direct messages or DMs that include a link. Twitter management has acknowledged the problem, and revealed in this morning’s blog post that 33 accounts were affected — see Monday Morning Madness for details.

The link that is sent in these phishing messages usually opens up a page that asks the targeted user to enter their Twitter username and password. Once the phisher captures the credentials, they log in to the victim’s account, change the password and email address, and start sending out DMs to everyone on the victim’s contact list. The direct messages usually include a link that promises something valuable like a gas card or a gift card.

Twitter’s profile management system allows users to log in and change their email address without any confirmation step. So as long as someone has another user’s Twitter credentials, it’s very easy to hijack a Twitter account. So far, it appears that the following Twitter accounts are among those that were hijacked over the weekend:

  • Barack Obama
  • Britney Spears
  • CNN
  • Fox News Network
  • Facebook

Dozens of web sites have set up legitimate services that provide statistics, filters, photo sharing and other features for Twitter users. My tweets show up in my Facebook status message, and in my pages on FriendFeed. I didn’t have to give my Twitter password to FriendFeed, as that site is just reading the RSS feed of my Twitter posts. Twitter’s Facebook app needs my Twitter username and password, however.

Almost all of these sites ask users to provide the Twitter username. Any third-party site that wants to post a message or tweet on the user’s behalf also asks for the user’s Twitter password, as that credential is required to post these tweets. There are plenty of examples, including

  • Tweetake.com, which lets users download and back up their messages and contact list.
  • Twitpics.com, which lets users post, tag and comment on pictures.
  • TwitTangle.com, which lets users rate and tag their Twitter contacts.
  • PeopleBrowsr.com, which lets users view their Twitter messages and friends’ profiles.
  • TwitOrFit.com, which lets users vote on Twitter profile pictures.

I’m not surprised that this kind of attack has been so successful. Twitter users have been conditioned to provide their Twitter credentials to third-party sites. As Michael Arrington of TechCrunch pointed out today in his article called Twitter Gets Hacked, Badly, Twitter needs to do more work on its APIs and authentication systems.

Twitter is a tempting target, as users can only receive DMs from other Twitter users who have included them as a contact. Users tend to assume that a DM comes from a trusted user.

The simplest solution is for Twitter to send an email message to a user whenever their account information has been changed. The email message should include a link to review and confirm the changes. This would give the user an opportunity to stop an unauthorized email address change.

Twitter might consider using a multifactor authentication that requires the user to enter a PIN sent by Twitter through a text or email message. This kind of system has been used by OpenID providers like JanRain, as I mentioned on 13 May 2008 in my billso.com article called JanRain launches CallVerifID multifactor phone service for OpenID.
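The two mitigations above (a confirmation link before an email-address change takes effect, and a one-time PIN delivered out of band) can be sketched in code. What follows is an added illustration written for this post; it is not Twitter’s code and does not describe how Twitter implemented anything. The in-memory `Account` record, the `request_email_change`, `confirm_email_change`, `issue_pin` and `verify_pin` functions, the `example.invalid` confirmation URL and the signing secret are all assumptions constructed for the example. The important design point is that the change is recorded as pending and the notice goes to the old address, so a phisher who has only the password cannot silently lock the victim out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed for this example; a real service would load a server-side secret from config.
SECRET = secrets.token_bytes(32)


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    pending_email: Optional[str] = None
    pending_expires: float = 0.0


def make_token(username: str, new_email: str, expires: float) -> str:
    """Bind the confirmation token to user, new address and deadline (HMAC, no server-side token store)."""
    msg = f"{username}|{new_email}|{int(expires)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_email_change(acct: Account, new_email: str, now: float, ttl: int = 3600) -> dict:
    """Record the requested change as pending and return the notice to send to the OLD address."""
    acct.pending_email = new_email
    acct.pending_expires = now + ttl
    token = make_token(acct.username, new_email, acct.pending_expires)
    # The notice goes to the address on file, not the new one, so the rightful owner sees it.
    return {
        "to": acct.email,
        "confirm_url": f"https://example.invalid/confirm?u={acct.username}&t={token}",
    }


def confirm_email_change(acct: Account, token: str, now: float) -> bool:
    """Apply the pending change only if the token is valid, matches the pending state and is unexpired."""
    if acct.pending_email is None or now > acct.pending_expires:
        return False
    expected = make_token(acct.username, acct.pending_email, acct.pending_expires)
    if not hmac.compare_digest(expected, token):
        return False
    acct.email = acct.pending_email
    acct.pending_email = None
    acct.pending_expires = 0.0
    return True


def cancel_pending_change(acct: Account) -> None:
    """The owner clicks 'this wasn't me': discard the pending change without touching the account."""
    acct.pending_email = None
    acct.pending_expires = 0.0


def issue_pin(now: float, ttl: int = 300) -> dict:
    """Create a short-lived one-time PIN challenge to be sent by SMS or email."""
    return {"pin": f"{secrets.randbelow(10**6):06d}", "expires": now + ttl, "attempts": 0}


def verify_pin(challenge: dict, supplied: str, now: float, max_attempts: int = 3) -> bool:
    """Check a PIN with expiry, an attempt limit and single use."""
    if now > challenge["expires"] or challenge["attempts"] >= max_attempts:
        return False
    challenge["attempts"] += 1
    ok = hmac.compare_digest(challenge["pin"], supplied)
    if ok:
        challenge["expires"] = 0.0  # a PIN may be used only once
    return ok


if __name__ == "__main__":
    acct = Account("alice", "alice@old.invalid", "<password-hash>")
    notice = request_email_change(acct, "new@other.invalid", now=1000.0)
    print("notice sent to", notice["to"])            # the old address
    print("email still", acct.email)                 # unchanged until confirmed
    cancel_pending_change(acct)                      # owner rejects the change
    print("email after cancel", acct.email)
```

Because the token is an HMAC over the username, the new address and the deadline, the server needs no token table and a token cannot be replayed for a different address or after the deadline; the PIN helper adds the attempt cap and single use that a text-message PIN needs to be worth anything.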

Twitter could also consider a security key like financial institutions use, to give Twitter users an additional password. See my billso.com article from 2 June 2008 called Paypal’s security key still needs work for more details.

Of course, multifactor authentication could get expensive for Twitter. The company is still privately funded, and a multifactor system would require changes to Twitter’s API, as well as changes to any third-party site that integrates with Twitter.

Last month, Pete Cashmore of Mashable suggested that Twitter add Facebook Connect as an authentication system. I added Facebook Connect as an authentication system for billso.com on Christmas Day 2008, by moving my comment management system to Disqus. billso.com still supports OpenID as an authentication method, too. See the article called Twitter, We Are Poking You To Fix Your Facebook App for more details.

There’s been little comment from Twitter’s founders on this issue, and only a few official blog posts that advise users to be cautious. Twitter also has a short message on its own web site reminding users to be careful. As Marshall Kirkpatrick of ReadWriteWeb points out in his article called Twitter security collapses, Twitter needs to solve these security problems quickly.
