Twitter Admin + Obama + Britney Hacked

A member of an underground forum, going by the name of Hacker Croll, made a post on the 29th April claiming that he had compromised the account of a Twitter employee with administrative rights. He states that no malware or exploit was involved; the chain he describes is a guessable secret question on that employee's personal Yahoo webmail, followed by a search of the mailbox for her Twitter password. In his own words:

 “I’ve used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection <…> one of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password.”

[Screenshot: Hacker Croll’s forum post]

He supported the claim with several screenshots, such as the one below, showing that he had accessed the accounts of celebrity Twitterers such as Barack Obama, Lily Allen, Ashton Kutcher and Britney Spears. The interface gives the administrator (or the hacker) access to a large amount of personal information stored in the Twitter accounts database, for example Lily Allen’s mobile phone number…

[Screenshot: Twitter admin interface showing Lily Allen’s account details]

So question number one for Twitter has to be: why is this kind of information visible to account administrators at all? Surely it is enough for support staff to be able to reset a phone number or e-mail address, without being able to read it? The data should be stored, or at least presented, so that neither a curious employee nor an intruder who has hijacked an employee’s account can simply read it off the screen. (Unlike a password, a mobile number cannot be one-way hashed, since Twitter needs it to deliver SMS; but it can be masked in the support console, encrypted at rest with decryption limited to the messaging service, and every lookup can be logged.)

But the bigger concern for me is the function visible in the next shot, taken while the hacker was inspecting Barack Obama’s account.

[Screenshot: Twitter admin interface on Barack Obama’s account, showing the “Become” function]

What reason is there for a Twitter employee to have a function labelled “Become”, and how happy will Twitter users be knowing that at any time someone can assume their identity at the click of a button?
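To make the two complaints above concrete, here is an added sketch of how a support console could be built so that contact details are reset-only and masked, and so that a “become” session is scoped, short-lived, audited and read-only. This is illustration written for this page, not Twitter’s code and not anything from the hacker’s post; the account store, admin name and ticket reference are constructed sample data.

```python
import secrets
import time

# Constructed sample data standing in for the accounts table; not real users.
ACCOUNTS = {
    "example_user": {
        "email": "example_user@example.com",
        "phone": "+447700900123",
        "tweets": ["first post"],
    },
}

# Every privileged action is recorded here: who, what, on whom, why.
AUDIT_LOG = []


def _audit(admin, action, target, reason=""):
    AUDIT_LOG.append({"admin": admin, "action": action, "target": target,
                      "reason": reason, "time": time.time()})


def mask_phone(phone, keep=2):
    """Show only the last digits, enough to confirm a caller's identity."""
    return "*" * (len(phone) - keep) + phone[-keep:]


def mask_email(addr):
    """Keep the first character of the local part and the domain."""
    local, _, domain = addr.partition("@")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def admin_view(admin, username):
    """What the support console shows: masked contact data, never the clear text."""
    acct = ACCOUNTS[username]
    _audit(admin, "view", username)
    return {
        "username": username,
        "email": mask_email(acct["email"]),
        "phone": mask_phone(acct["phone"]) if acct["phone"] else None,
    }


def reset_phone(admin, username, reason):
    """Reset-only access: clear the number and issue a one-time re-enrolment token.

    The token is returned so the system can deliver it to the user out of band;
    the admin sees neither the old nor the new number."""
    if not reason:
        raise ValueError("a ticket reference is required")
    acct = ACCOUNTS[username]
    acct["phone"] = None
    acct["phone_reenrol_token"] = secrets.token_urlsafe(16)
    _audit(admin, "reset_phone", username, reason)
    return acct["phone_reenrol_token"]


class ImpersonationSession:
    """A 'become' session that can see what the user sees but cannot act as them."""

    TTL_SECONDS = 600  # short-lived by design

    def __init__(self, admin, username, reason):
        self.admin = admin
        self.username = username
        self.expires = time.time() + self.TTL_SECONDS
        _audit(admin, "become", username, reason)

    def _check_alive(self):
        if time.time() > self.expires:
            raise PermissionError("impersonation session expired")

    def timeline(self):
        """Read-only view, e.g. to reproduce a rendering problem the user reported."""
        self._check_alive()
        return list(ACCOUNTS[self.username]["tweets"])

    def post(self, text):
        """Refused on purpose: an impersonating admin must never speak as the user."""
        self._check_alive()
        _audit(self.admin, "post_denied", self.username, text)
        raise PermissionError("impersonation sessions are read-only")


def become(admin, username, reason):
    """Entry point for the console's 'become' button: a reason is mandatory."""
    if not reason:
        raise ValueError("a ticket reference is required to impersonate a user")
    if username not in ACCOUNTS:
        raise KeyError(username)
    return ImpersonationSession(admin, username, reason)
```

The design choice is that nothing in the console hands an administrator the raw value or the ability to publish: a hijacked support account can still see masked data and trigger resets (which the user will notice), but it cannot harvest phone numbers or tweet as the victim, and every action it does take is in the audit log.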

Despite Twitter’s assurances that “no account information was altered or removed in any way“, I am fairly certain that several high profile users will be changing their email addresses and mobile phone numbers as a result.

7 thoughts on “Twitter Admin + Obama + Britney Hacked”

  1. Alex

    Please wake up dear folks.
    There’s no real identity in the cloud yet.
    Only trust information found on the internet as long as you double check it.

  2. Floris Fiedeldij Dop

    Rik,

    Regardless, the people who run twitter have full access to the database, so the ‘become’ is just a simpler way to achieve complicated steps via a browser interface. Without the link, and the function to support it, it would just require an alternative method via the console and manual commands. That companies decide to give this to all their staff members, vs just their trusted senior staff, is what the concern should be about.

    1. Rik Ferguson Post author

      Hi Floris,

      Thanks for commenting. The point I was making in the post was this. I realise that the site owners will have full db access but certain data items should not be available to read in the clear. In the same way that reputable sites will not be able to read passwords in clear text I would like to see personal information like telephone numbers on social networking sites similarly protected. Should there be a problem with functionality associated with this sensitive data, then the values can be reset and re-entered, but I can’t think of a reason why they need to be read by the site or db admins.

      The “become” function bothers me really because of an assumption I am making. I am assuming that the “become” function allows the admin the full capabilities of the account holder. I would argue that in sites that rely on trust and personal interaction, the functionality on offer to Admins through means like this should be restricted so that they are unable to, for example, post publicly as the person they have “become”.

  3. Zeno Popovici

    The “Become” function is implemented in many applications and is being used to track down user problems which cannot be tracked down using other methods. As I worked 3 years on user support with a series of such systems, this function is absolutely necessary in some situations. The password is not known by the admin and confidentiality is kept by strict regulation of how and when this function is used.

    1. Rik Ferguson Post author

      Thanks for that Zeno, it’s not a function I came across in my years of tech support :) I can see its usefulness in tracking down anomalous behaviour within a single user account definitely, but would have to question the decision to leave it implemented on an internet facing system where you literally are what you post.

    1. Rik Ferguson Post author

      Yes sir it is, post duly updated thank you. I had mistakenly pulled it from the thread on the board discussing the newest compromise. I try to put all things Britney out of my mind ASAP.
