A member of an underground forum, going by the name of Hacker Croll, made a post on the 29th April claiming that he had compromised the account of a Twitter employee with administrative rights. The intruder did not use any malware or exploit to carry out this attack; in his own words:
“I’ve used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection <…> one of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password.”
He supported the claim with several screenshots such as the one below, showing that he had accessed the accounts of celebrity Twitterers such as Barack Obama, Lily Allen, Ashton Kutcher and Britney Spears. The interface gives the administrator (or the hacker) access to a large amount of personal information stored in the Twitter accounts database, for example Lily Allen’s mobile phone number…
So question number one for Twitter has to be, why is this kind of information available to account administrators? Surely it’s enough to be able to reset this type of data, without being able to view it? Shouldn’t it be stored in a secure format so that curious employees and malicious intruders both cannot get access to it?
But the real concern, over and above that for me, is the function visible in the next shot where the hacker was inspecting Barack Obama’s account.
What reason is there for a Twitter employee having a function labelled “Become”, and how happy will Twitter users be knowing that at any time someone can assume their identity at the click of a button?
Despite Twitter’s assurances that “no account information was altered or removed in any way”, I am fairly certain that several high profile users will be having to modify their email addresses and mobile phone numbers as a result.