Twitter is one of the most popular social marketing and micro-blogging services on the Net, but despite its ever-growing popularity, significant security features still aren’t up to par. This past January, 33 high-profile Twitter accounts were hacked. Targets included CNN correspondent Rick Sanchez, Barack Obama, Britney Spears, Digg founder Kevin Rose, CBS News and Fox News, among other news outlets and celebrities. (If only Twitter could provide the online security that Windows SharePoint Server does for its clients.)

On January 5, a message was posted on the Digital Gangster hacker forum offering access to any Twitter account upon request. Digital Gangster’s site administrator deleted the post but some members had already gained access to high-profile accounts and were quick to jump on the opportunity to make lewd statements such as Britney’s tweet: “Hi Yall! Brit, Brit here, just wanted to update you all on the size of my vagina. Its about 4 feet wide with razor sharp teeth.” Another hacker used the Obama account to urge supporters to fill out a survey for the then president-elect for the chance to win $500 worth of gasoline.


The mastermind behind it all? An 18-year-old East Coast student, by the handle GMZ.

The night before the hack, GMZ had randomly decided to target the Twitter account of “Crystal”, an active follower of a large number of Twitter feeds. To get at her password, he launched a dictionary attack against her account: an automated login loop that tries every word in a list of English words until one of them works. Now, most cautious and experienced Internet users know the importance of a strong password. Microsoft even offers a password checker link so you can test the strength of your password. According to Microsoft, “a strong password should appear to be a random string of characters to an attacker. It should be 14 characters or longer, (eight characters or longer at a minimum). It should include a combination of uppercase and lowercase letters, numbers, and symbols.”

Seemingly, Crystal didn’t know about this. When GMZ went to check the results the next morning, he had successfully gained access to Crystal’s account. Her password: “happiness”. He soon realized Crystal was a Twitter staffer, and that he had struck gold: from her administrative panel he could reset any other account holder’s password and walk into any Twitter account he liked. Of course, the fact that Twitter allowed unlimited password retries without locking the account is exactly what made it so susceptible to this kind of guessing attack.
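As an added example (not code from this post, and not Twitter’s own login code), the following Python sketch puts the two controls the preceding paragraphs point to in one place: the password-strength rules quoted from Microsoft, enforced when an account is created, and a per-account failed-attempt lockout, the control the post says Twitter lacked. The policy numbers, the five-word stand-in wordlist and the account names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed policy values for this example, not Twitter's real settings.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 8
# Tiny constructed wordlist standing in for a full English dictionary.
COMMON_WORDS = {"password", "happiness", "sunshine", "welcome", "letmein"}

def password_is_strong(pw: str) -> bool:
    """Minimum length, at least three character classes, and not a bare
    dictionary word: the criteria the post quotes from Microsoft."""
    if len(pw) < MIN_PASSWORD_LENGTH or pw.lower() in COMMON_WORDS:
        return False
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3

def _hash(pw: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked store cannot be reversed with a wordlist.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def create_account(store: dict, user: str, pw: str) -> bool:
    """Refuse weak passwords at registration; keep only a salted hash."""
    if not password_is_strong(pw):
        return False
    salt = os.urandom(16)
    store[user] = {"salt": salt, "hash": _hash(pw, salt),
                   "failures": 0, "locked_until": 0.0}
    return True

def login(store: dict, user: str, pw: str, now: float) -> str:
    """Return 'ok', 'bad_password' or 'locked'. Failures are counted per
    account and lock it for LOCKOUT_SECONDS, so a guessing loop stalls
    after a handful of tries. Unknown users get the same reply as a wrong
    password, so the login form does not leak which names exist."""
    acct = store.get(user)
    if acct is None:
        return "bad_password"
    if now < acct["locked_until"]:
        return "locked"
    if hmac.compare_digest(_hash(pw, acct["salt"]), acct["hash"]):
        acct["failures"] = 0
        return "ok"
    acct["failures"] += 1
    if acct["failures"] >= MAX_FAILED_ATTEMPTS:
        acct["locked_until"] = now + LOCKOUT_SECONDS
        acct["failures"] = 0
    return "bad_password"
```

The `now` argument is passed in rather than read from the clock so the lockout window can be exercised deterministically.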

In a Wired interview with GMZ, he claimed that he did not access any of the high-profile accounts himself, nor did he send out any of the fake tweets. He hadn’t even used a proxy to hide his IP address, never thinking the hoax would draw as much attention as it did.

Subsequent to the hack, Twitter co-founder Biz Stone stated the company was doing “a full security review on all access points to Twitter […] strengthening the security surrounding sign-in […] also further restricting access to the support tools for added security.”

However, in March 2009 one of the New York Times Twitter accounts was hacked as well. The Moment, which carries news from the paper’s fashion blog, had a suspiciously spammy tweet planted in its feed. The NY Times responded within a few hours (see below).


Though the outcome could have been far worse, a service provider as widely used as Twitter needs more secure practices to keep hackers, spammers and scammers from cracking its users’ accounts so easily. However, even though the system has certainly had its share of problems, at least Twitter has been transparent about these issues and dealt with them as promptly as possible. Just as in the early days of email, users will simply have to become more aware of what could potentially be malicious or harmful to their accounts.

How to Be Safe On Twitter

- Have a strong password: eight characters or longer, with a combination of uppercase and lowercase letters, numbers, and symbols
- Change your password frequently
- Don’t use the same password on more than one account
- Remember that Twitter is public, so unless you set your account to private, anyone can view your updates and anyone can see who you are following
- When you leave Twitter, always sign out of your account and log off of the computer
- Take precautions when using Twitter’s third-party tools because they will have full access to your Twitter account once the login credentials are provided
- Remember that you can possibly be exposed to phishing scams or viruses through Twitter’s TinyURLs.


2 comments

Posted by brackets at 5:46 am on 5 July 2009

t#AnkYo l_l

T1^^e
2
g0
c#@l\lgE
A11
^^y
P@sSVVOrD5

Posted by CaptainZM at 4:50 pm on 28 July 2009

I’m not sure whether to be proud or ashamed I was able to read the previous comment without much effort.
