Twitter Account Hijack Reveals Security Flaw
Twitter's defense against password crackers apparently needs some beefing up: a password cracker circumvented the site's CAPTCHA and timeout mechanisms simply by spoofing IP addresses.
The cracker used a basic program to repeatedly guess common passwords and broke into one user's account, changed his username and put his old handle up for auction on a username-trading site.
Daniel Dennis Jones, the victim of the attack, is a digital media guy with almost 800 followers. Jones said he got his desirable username, @blanket, when he signed up for the micro-blogging service early on. When he received an email saying his password had been reset, Jones became alarmed. Although he was still logged in on his phone, his tweet and follow counts had been reset. When he finally got back into his account, BuzzFeed reported, he discovered that his handle had been substituted with a rude obscenity and that @blanket was being controlled by someone else.
With a little bit of digging, Jones found that not only had his account been hacked, but his username was for sale on ForumKorner, a site popular among online gamers who buy and sell handles. "I cracked these this morning," a member named Korea said in a post he called "Selling Twitters @Captain and @Blanket." Korea said someone had offered them $100 for the @captain username on another site and linked to both of the compromised accounts to prove he controlled them. The proof was in the form of matching avatars on the Twitter and ForumKorner profiles.
An unauthorized tweet to @hah led Jones to the discovery that a lot of the cracker's associates had single-word usernames, which raised the possibility that this group had found a crucial flaw in Twitter's authentication system and was using it to steal desirable and short handles.
The design flaw is a simple one: instead of locking out an account after a number of failed login attempts, as Google does, Twitter locks out the IP address. This means all a user has to do to continue to attempt to log in is change computers – or, in this case, spoof an IP address.
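To make the design difference concrete, here is an added example (not Twitter's code, and not from the article) that simulates a login throttle keyed either on the source IP or on the account. Usernames, passwords and addresses are constructed sample data; the point is that a per-IP counter resets whenever the source address changes, while a per-account counter does not.

```python
"""Added example: per-IP versus per-account failed-login lockout."""
import hmac
from collections import defaultdict

MAX_FAILURES = 5  # constructed threshold, not Twitter's actual setting


class LoginGuard:
    """Simulated login throttle.

    lock_by="ip" mirrors the design the article describes: the failure
    counter is keyed on the client's IP, so a new address gets a fresh
    counter. lock_by="account" keys the counter on the username, so the
    count survives any change of source address.
    """

    def __init__(self, users, lock_by="account"):
        self.users = users                 # username -> password (sample data)
        self.lock_by = lock_by
        self.failures = defaultdict(int)   # counter key -> failed attempts

    def _key(self, username, ip):
        return ip if self.lock_by == "ip" else username.lower()

    def attempt(self, username, password, ip):
        key = self._key(username, ip)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"                # refuse even a correct password
        if hmac.compare_digest(self.users.get(username, ""), password):
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def run_rotating_ip_guesses(lock_by, guesses, rotate_every=1):
    """Replay a series of wrong passwords against one account while the
    source address changes every `rotate_every` attempts; return a count
    of outcomes so the two lockout designs can be compared."""
    guard = LoginGuard({"blanket": "correct horse"}, lock_by=lock_by)
    outcomes = defaultdict(int)
    for i, guess in enumerate(guesses):
        ip = f"203.0.113.{(i // rotate_every) % 250}"  # TEST-NET-3 sample range
        outcomes[guard.attempt("blanket", guess, ip)] += 1
    return dict(outcomes)
```

A hard per-account lock lets anyone lock a victim out by deliberately failing, so production systems usually pair the account counter with progressive delays or a CAPTCHA step rather than a flat refusal.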
Jones, who eventually had his account reinstated, chronicled his misadventure on Storify. He admitted that his password was short and not particularly strong – which was part of the problem – but an easy-to-work-around defense against brute force attacks is also a great cause for concern. Jones said his conversations with Twitter and acquaintances of Twitter employees have not been encouraging. He described Twitter's support team as "intentionally opaque."
Follow Ben on Twitter @benkwx.