When I wrote my billso.com article about the attacks on Twitter, I made some reasonable guesses about how the attacks might have been staged using phishing techniques.
While there was a spate of Twitter phishing attacks over the past weekend, it now appears that most, if not all, of the hijacked celebrity Twitter accounts were not phishing victims. Twitter admitted in the Monday Morning Madness blog post that they were victims of a different kind of attack.

Wired’s Threat Level blog reported yesterday that the initial attack was actually a dictionary attack on a Twitter employee’s account. That initial attack was successful because:
- Twitter’s login system kept presenting a fresh login screen instead of cutting the user off after several incorrect passwords
- Crystal’s password was a common dictionary word: happiness. The attack would have failed if Crystal had chosen a reasonably strong password or passphrase, or included one or two symbols or numbers in the original password. See my billso.com article from 24 April 2008 called Change that password into a passphrase.
- Crystal’s Twitter account also had access to Twitter’s corporate account management tools that let the hacker hijack any Twitter account they wished to use.
Wired’s article called Weak Password Brings ‘Happiness’ to Twitter Hacker has more details and a YouTube video that hacker GMZ offered to support his claims.
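The two failures listed above are both things a login system can check for itself. This added example (not Twitter’s code and not from this blog) shows a throttle that locks an account after repeated bad passwords, and a password check that rejects dictionary words like “happiness”; the word list and the lockout thresholds are constructed assumptions.

```python
import time
from collections import defaultdict

# Constructed stand-in for a real dictionary wordlist (assumption for this example).
COMMON_WORDS = {"happiness", "password", "welcome", "letmein", "sunshine"}


def password_is_weak(password: str) -> bool:
    """Reject dictionary words, and short passwords with no digit or symbol."""
    if password.lower() in COMMON_WORDS:
        return True
    has_digit_or_symbol = any(not c.isalpha() for c in password)
    return len(password) < 12 and not has_digit_or_symbol


class LoginThrottle:
    """Lock an account after MAX_FAILURES bad passwords within LOCKOUT seconds,
    instead of presenting a fresh login screen indefinitely."""
    MAX_FAILURES = 5          # thresholds are assumptions, not Twitter's values
    LOCKOUT = 900             # seconds

    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable for deterministic tests
        self.failures = defaultdict(list)     # user -> timestamps of recent failures
        self.locked_until = {}                # user -> time the lock expires

    def check(self, user: str, password_correct: bool) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"                   # even a correct password is refused
        if password_correct:
            self.failures.pop(user, None)
            return "ok"
        recent = [t for t in self.failures[user] if now - t < self.LOCKOUT]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.MAX_FAILURES:
            self.locked_until[user] = now + self.LOCKOUT
            return "locked"
        return "denied"


def guesses_until_locked(throttle: LoginThrottle, user: str, wrong_guesses) -> int:
    """Feed wrong guesses to the throttle; count how many it accepts before locking."""
    for n, _ in enumerate(wrong_guesses, 1):
        if throttle.check(user, False) == "locked":
            return n
    return len(wrong_guesses)
```

With the throttle in place a wordlist sweep stalls after the fifth attempt, and the password check would have refused “happiness” at the time it was set.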
“You are the weakest link”
Damon Cortesi pointed out in his 6 January 2009 guest editorial called The inevitable rise (and fall?) of ‘twishing’ that Twitter users seem more than willing to follow links sent through direct messages (DMs) from their Twitter contacts. On 5 January 2009, I pointed out a similar issue in this billso.com article called Phishers hit Twitter. It’s a well-known flaw in Twitter.
Twitter has some self-regulating features built into the service, and it’s easy for users to stop following contacts. Twitter doesn’t have any sort of spam filtering, however.
Damon’s guest post appeared on Jennifer Leggio’s blog a week after Jennifer wrote that Twitter would get phished sometime soon. See her article called FriendFeed, Twitter address URL redirection risks; Facebook, LinkedIn, MySpace lag behind.
Jennifer also appeared on Jim Turner’s talk show yesterday, along with Chris Messina, to discuss Twitter’s bad weekend. See Social Media Security and the Twitter Phishing Trip to hear the audio recording and read the chat transcript.
At least one of the third parties that provide Twitter-related services has started posting or explaining its privacy policy this week. Mr. Tweet has a reasonable explanation called Addressing Privacy Concerns. Over the next few days, I expect a few more sites to post their own explanations.
Related articles and pages on billso.com
- OpenID
- 5 January 2009: Phishers hit Twitter
- 31 October 2008: A few new features
- 18 October 2008: OpenID, ID Selector and WordPress
- 15 October 2008: Mobile social media sites
- 18 July 2008: RIP CAPTCHA
- 9 July 2008: Is email in danger from microblogging?
- 7 July 2008: The battle against Twitter spam
- 2 June 2008: PayPal’s security key still needs work
- 13 May 2008: JanRain launches CallVerifID multifactor phone service for OpenID
- 10 May 2008: Why use OpenID?
- 24 April 2008: Change that password into a passphrase
- 30 April 2008: Updating WP-OpenID to support ID Selector
- 11 January 2007: How to create a secure password