A TREND MICRO BLOG

May 1

Twitter Admin + Obama + Britney Hacked

Rik Ferguson

Filed under: Hacking, Site Compromise, Web 2.0 | RSS 2.0 | TB | Tags: , , , , , | 7 Comments

A member of an underground forum, going by the name of Hacker Croll made a post on the 29th April claiming that he had compromised the account of a Twitter employee with administrative rights. The intruder did not use any malware or exploit to effect this attack, in his own words:

 ”I’ve used social engineering only, no exploit, no xss vulnerability, no backdoor, np sql injection <…> one of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password.”

croll

 

 

He supported the claim with several screen shots such as the one below, showing that he had accessed the accounts of celebrity Twitterers such as Barack Obama, Lily Allen, Ashton Kutcher and Britney Spears. The interface gives the administrator (or the hacker) access to a large amount of personal information stored in the Twitter accounts database, for example Lily Allen’s mobile phone number…

twitter102

 

So question number one for Twitter has to be, why is this kind of information available to account administrators? Surely it’s enough to be able to reset this type of data, without being able to view it? Shouldn’t it be stored in a secure format so that curious employees and malicious intruders both cannot get access to it?

 

But the real concern, over and above that for me, is the function visible in the next shot where the hacker was inspecting Barack Obama’s account.

twitter11

 

 

What reason is there for a Twitter employee having a function labelled “Become“, and how happy will Twitter users be knowing that at any time someone can assume their identity at the click of a button?

 

Despite Twitter’s assurances that “no account information was altered or removed in any way“, I am fairly certain that several high profile users will be having to modify their email addresses and mobile phone numbers as a result.


Bookmark
| More

This entry was posted on Friday, 1. May 2009 and is filed under "Hacking, Site Compromise, Web 2.0". You can follow any responses to this entry with RSS 2.0. You can leave a response here, or send a trackback from your own site.

7 Comments

  1. Friday, 1. May 2009 um 11:05 am

    Isn’t that Britney tweet about the size and sharpness of her la-di-dah, from the hack that occurred in January?

    http://www.sophos.com/blogs/gc/g/2009/01/05/britney-spears-twitter-account-phished/

    and

    http://www.sophos.com/blogs/gc/g/2009/01/05/twitter-britney-barack-rick-fox-news-phished-hacked/

    for details.

    Cheers
    Graham

  2. Friday, 1. May 2009 um 11:14 am

    Yes sir it is, post duly updated thank you. I had mistakenly pulled it from the thread on the board discussing the newest compromise. I try to put all things Britney out of my mind ASAP.

  3. Friday, 1. May 2009 um 2:20 pm

    The “Become” function is implemented in many applications and is being used to track down user problems which cannot be tracked down using other methods. As I worked 3 years on user support with a series of such systems, this function is absoluteley necesarry in some situations. Password in not known by the admin and confidentiality is kept by strict regulation of how and when this function is used.

  4. Friday, 1. May 2009 um 7:46 pm

    Thanks for that Zeno, it’s not a function I came across in my years of tech support :) I can see its usefulness in tracking down anomalous behaviour within a single user account definitely, but would have to question the decision to leave it implemented on an internet facing system where you literally are what you post.

  5. Tuesday, 5. May 2009 um 2:25 pm

    Rik,

    Regardless, the people who run twitter have full access to the database, so the ‘become’ is just a simpler way to achieve complicated steps via a browser interface. Without the link, and the function to support it, it would just require an alternative method via the console and manual commands. That companies decide to give this to all their staff members, vs just their trusted senior staff, is what the concern should be about.

  6. Thursday, 7. May 2009 um 8:38 am

    Hi Floris,

    Thanks for commenting. The point I was making in the post was this. I realise that the site owners will have full db access but certain data itmes should not be available to read in the clear. In the same way that reputable sites will not be able to read passwords in clear text I whould like to see personal information like telephone numbers on social networking sites similarly protected. Should there be a proiblem with functionality associated witht his sensitie data, then the values can be reset and re-entered, but I can’t hink of a reason why they need to be read by the site or db admins.

    The “become” function bothers me really because of an asusmption I am making. I am assuming that the “become” function allows the admin the full capabilities of the account holder. I would argue that in sites that rely on trust and personal interaction, that the functionality on offer to Admins through means like this should be restricted so that they are unable to, for example, post publicly as the person they have “become”.

  7. Monday, 25. May 2009 um 5:24 am

    Please wake up dear folks.
    There’s no real identity in the cloud yet.
    Only trust information found on the internet as long as you double check it.

Leave a comment

XHTML allowed tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Spam protection

© Copyright 2010 Trend Micro Inc. All rights reserved.
Legal Notice. Disclaimer