I won’t beat a dead horse…we all know that Twitter had a few *security issues* this week. The good news is that usually once something like this happens to a company (especially one that gets so much media attention) things start to change and security gets taken a bit more seriously. Lets remember that Twitter suffers from the traditional security problem of not building an application with security in mind, however, lets hope these issues bring change to one of the most used social media services.
Below is the break down of events with some of my own comments and links to good articles that detail out everything that happened.
#1 Twitter Phishing Attack
I wrote a blog post about this a few days ago. Basically, this is no different then what you see in any other traditional phishing attack except that this is the first time Twitter was targeted on a large scale. Some have even said this was a “worm” because of the way that the phish propagated.
Once a user clicked on the bogus link, entered in their Twitter credentials…their Twitter account was compromised and automatically used to send DM’s (direct messages) to others the compromised user was following. Twitter quickly reacted and worked with blogspot and others to shut down the redirect. However, the web site that hosts the fake Twitter sign-on page is still active and is even being used to phish Facebook users! Why is this not shutdown? Long story but the site is hosted in China and that presents a whole host of issues to get the site taken down. The good news is that if you try to go to the URL in Firefox or Safari the phishing filter kicks in and stops you from going there. I haven’t tested IE 7…and neither should you.
On a side note, I agree that OAuth (or something like FriendFeed’s Remote Key) should be implemented as part of an overall security strategy for Twitter but would not prevent traditional phishing attempts like this from happening (some others share this opinion as well). OAuth is good for authenticating third-party applications (like Twillow or Twitterfeed) that require your Twitter credentials to access your account and do things on your behalf. Lot’s of discussion going on the blogs about this and I’m sure it will continue.
#2 Twitter gets Hacked
This was not related to the phishing incident. Pure weird coincidence that this happened right after users started to figure out what happened with the phishing issue. Ironically, many of us on Twitter (including myself) thought that this was related to phishing after we saw @foxnews get owned but once Britney Spears, Obama and others started showing up with strange tweets many of us knew there was something else going on.
Basically, an 18 year old who wanted to “pen-test Twitter” decided to build a Twitter brute force application that would try common dictionary words against at specific Twitter account. One problem with the current Twitter security model is that there is no lockout policy, meaning, you can try as many failed passwords as you like until you get lucky with the correct password. This guy found one of the accounts used by the Twitter support people (Crystal) and brute forced the password using his tool. Password of “happiness” was found and he was in! There was a password reset feature in the administrative panel that allowed him to reset the password and change the email address of any Twitter account. He didn’t use the accounts himself, rather…he posted that he had access to 33 accounts and gave access to others in a hacker forum that requested the accounts. You can read more about this in the Wired article below as well as see the YouTube video that the hacker put up to prove he did the hack.
How does Twitter get fixed?
Security is always about compromise and with Twitter in particular there has to be a balance between usability and secure features. I was a guest on the SecuraByte podcast the other night talking about the recent Twitter security issues as well as how to secure social media in general. We came to the conclusion that there is no good answer. However, we all agreed that there has to be a mix between technical and non-technical solutions. The technical being better forms of authentication and basic web application security controls (account lockout, email verification..as examples) for starters. On the non-technical side there has to be more basic security education (setting unique hard to guess passwords as an example) focused on the users of social media through lots of different means. There is no good answer to these problems and there are many different opinions but hopefully we can all come to some common ground so we can all make social media more secure for everyone.
Here are a few good links with things that Twitter should consider when re-evaluating the current model:
Ten Security Measures for Social Networking sites – ThreatChaos
Twitter and the Password Anti-Pattern – FactoryCity
The inevitable rise (and fall?) of “twishing” – Jennifer Leggio ZDnet (guest post by Damon Cortesi)
I think we can all agree that Twitter needs to do something soon as the current security model is not sustainable for very much longer.
What are your thoughts on the recent Twitter security issues and social media security in general? How do you think we can we make social media more secure?