Days after a wave of phishing attacks fooled thousands of Twitter users, it appears that another security hole has been found by...someone. Obama's account, unused since election day, sent out an affiliate link to a survey with a gas card prize; Fox News said that "Bill O'Reily is gay" (not that there's anything wrong with that); and Britney Spears' account made a lewd post about her anatomy. Rick Sanchez, the Twitter-loving CNN anchor, says he's "high on crack and might not be coming into work today."
The Fox tweet was deleted an hour after it was posted, though deleting a tweet doesn't mean the account's password has been changed. The Facebook account on Twitter just posted a link to porn, so it appears that the situation remains unresolved. Update: Twitter says it's been resolved, but that users should change their passwords! The Twitter blog has just posted an explanation of the breach. Screenshots of the hacked accounts are below.
This can't be good for Twitter. It will be good for the people calling for more secure, standards-based authentication on Twitter and elsewhere around the web.


Some suspected that today's hacks were connected to the weekend's phishing attacks, but the Fox News account isn't following anyone, so no one could have sent it a direct message. Phishing links delivered by direct message are how accounts were taken over this weekend. Something else is afoot.
If the hacker is associated with the affiliate link sent out over Obama's account, it may not be hard to discover who did this. Time will tell.
Twitter co-founders Evan Williams and Biz Stone and lead engineer Alex Payne have posted no messages since the attacks emerged. What major brand will be excited to sign up for the service now? Who would pay, even, to be put at such risk?
Comments
Nice job. I agree, it's worrisome.
A shooting star (Twitter at the moment) is prone to getting burnt fast as well! In its zeal to make things utterly simplistic, it seems they have gone a bit easy on the security aspect, and if they wish to continue with the exponential growth that it is seeing now, they will have to up the ante on the security front soon...
I saw the Britney tweet earlier today and thought I might have had the fake Brit by accident. Crazy to see as it went down. Hilarious for me and others to read though. I'm sure there is some trouble going on in her camp right now.
You note: "but the Fox News account isn't following anyone - so no one could have direct messaged it."
But the DMs weren't real. They were spoofed, and came via email, so it wouldn't necessarily follow the standard protocol that you have to have a mutual following relationship to DM.
What's with the weird open quote right underneath both names? Looks like somebody figured out an overflow attack, maybe via the API.
My guess is that it might not even be Twitter itself that has been hacked, but one of the many services that uses your Twitter password to authenticate. Twitter has absolutely terrible security around its API, and hundreds of these services popped up recently.
-Erica
Mat, the DMs I got were real.
Gosh! This phishing and hacking of accounts is spooky, and Twitter seems to be as cool as ever. I wish they would take action and tighten up security features.
Poor little tweety...
This might finally push twitter to use something like oAuth. I predict they will launch it by next week and it will be required by every third party app.
The person who hacked the Obama account used their personal affiliate marketing URL without masking it at all (using tinyurl or whatever), so it'd be super easy to see who it was - since their unique user ID is embedded in the url! dumbasses!
Luke, they masked it - I just have a Greasemonkey script running that displays full URLs
Go obama!!! lol
You missed the FoxNews hack-attack--I have a screenshot posted here: http://twitpic.com/zx64
Fox managed to fix their Twitter within a few minutes.
Hilarious!
Are Britney's razor sharp teeth a turn-off or a turn-on? Help me out here, people.
I just hope nothing happens to ChuckObama's account.
Marshall seems right to me. They couldn't have DM'd Fox. And if the DM email is a spoof, how did the hacker know the email address used to open the Fox account? Something else seems to be going on here.
Definitely should have had better security in place, and now they are paying the price. Just when the fail whale was fading away, the hacker phish are threatening to really damage the brand.
I also find it a bit weird that in such a personal space as Twitter everyone there is tight-lipped, not saying anything. That's poor social PR IMHO.
may I suggest: www.mcafeesecure.com
If @foxnews didn't leak their password by falling for a phishing attack, the next best guess is that they had a very poor password and the bad guys managed to guess it through brute force attack. It's a shame that twitter doesn't provide feedback on password quality or enforce minimum password complexity rules.
I'm curious to know whether there's an account lockout period after a certain number of failed authentication attempts, to thwart brute force password attacks.
I predicted yesterday that a well organized attack would target bigger names including Obama's and posted it on my blog. Looks like I was right. Had they really had any brains they could have done a lot more damage.
On the Rolling Stone website, this appears:
"I’m Britney’s Social Media Director- I run this twitter account. We did get hacked this morning. We apologize for any offense caused to Britney’s fans and Twitter followers….we never want to offend anyone. Luckily, everything is back under control and we appreciate your understanding.
~Lauren"
Sure if Lauren screwed up, she wouldn't want to say, but it's clear that she thinks the account was hacked.
BREAKING: Bill O'Reilly is gay!
I read an interesting tweet (before the blow up of all the *big* names on Twitter) that maybe it was someone in the Twitter camp -- how else can you explain the hack of @foxnews? Just a thought, and not mine. There is always a conspiracy theorist.
RT @biz about the events of this morning and this weekend: http://bit.ly/e3L0
Maybe Twitter is taking their time so Fox and CNN will write about them
Posted by: Jesse Stay | January 5, 2009 12:38 PM
Love the Seinfeld reference - Not that there's anything wrong with that.
That may be off topic, but I consider none the less important:
> Fox News said that "Bill O'Reily is gay" (not that there's anything wrong with that)
I do hate O'Reily's guts too, but that is just the wrong tone, Marshall. At the very least, it really doesn't show your superiority, if you're using the same style as the same guys you want to criticize.
Igor, somebody thought that was a Seinfeld reference. I'm not familiar. I just didn't want "gay" to be used as an insult without note. I'm not sure how else to do that without sounding like a real pedant. suggestions?
Posted by: Marshall Kirkpatrick | January 5, 2009 12:53 PM
That was a total Seinfeld reference, not that there's anything wrong with that.
Posted by: Clay Newton | January 5, 2009 12:57 PM
Sorry, I haven't had a TV in 15 years, so it was a second-hand reference if anything.
Posted by: Marshall Kirkpatrick | January 5, 2009 12:58 PM
Sorry Igor, I don't understand what you mean by your comment.
Seinfeld might be a totally awesome reference in the US, but I can assure you that it's not a good reference in Europe. And since RWW isn't being "transmitted" only into the US Internet like Hulu, I'm guessing that it won't change a thing even if it was a Seinfeld reference. ;)
Posted by: Igor Schwarzmann | January 5, 2009 1:06 PM
Does anyone even remember being phished? Surely you'd look at your statusbar when hovering on a link. Pfft!
@Marshall Seinfeld has been off the air for 10 years, and was on for 9 prior to that, so 15 years w/out TV is specious. @Igor - saying that Europe doesn't get Seinfeld is rather narrow - I have plenty of friends who get it. @all of you who aren't getting this - Richard himself didn't say this, he's quoting the hacked text. Y'all need to acquire a sense of humor AND some reading comprehension.
Posted by: TxVoodoo | January 5, 2009 1:17 PM
I thought this was a new marketing move, appealing to a new majority, since the right wing is all knuckle-dragging red necks.
Posted by: Phil Boiarski | January 5, 2009 1:51 PM
Stupid. GMZ did a dictionary brute force on an admin account, as Twitter has no rate limit for logons.
for more info check trainreqlol.org
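The two technical points raised in this thread, the earlier question about whether Twitter locks an account after a run of failed logins and the claim just above that an admin account fell to a dictionary brute force because logins weren't rate limited, come down to one mechanism. The following is an added example written for this page, not code from the original post or anything Twitter runs: a toy login service that can be configured with or without a failed-attempt lockout, and a dictionary attack run against both. The account name, the weak password, the word list and the lockout thresholds are all constructed for illustration, and the PBKDF2 round count is kept deliberately low so the demo runs quickly.

```python
"""Added example, not code from the original post or from Twitter: a toy
login service that shows why a login endpoint with no failure throttling falls
to a dictionary attack, and how a failed-attempt lockout changes the outcome.
The account name, the weak password and the word list are constructed for
illustration; the lockout thresholds are assumptions, not Twitter's settings."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # consecutive failures before the account locks (assumed)
LOCKOUT_SECONDS = 900   # how long the lock lasts (assumed)
PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; use far more in production

# Constructed word list; the weak password sits at position 7.
WORDLIST = ["123456", "password", "qwerty", "abc123", "iloveyou",
            "welcome", "letmein", "monkey", "dragon", "football"]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def is_weak_password(password: str, wordlist=WORDLIST) -> bool:
    """Minimal complexity rule: reject short passwords and anything on a
    common-password list. Real policies check more, but even this rule
    would have rejected every entry in WORDLIST at registration time."""
    return len(password) < 12 or password.lower() in wordlist


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    def __init__(self, lockout: bool, clock=time.monotonic):
        self.lockout = lockout        # False reproduces the "no rate limit" case
        self.clock = clock            # injectable so callers can advance time
        self.accounts: dict[str, Account] = {}
        self._dummy_salt = os.urandom(16)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'invalid' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, self._dummy_salt)   # same cost as a real check, no username oracle
            return "invalid"
        now = self.clock()
        if self.lockout and now < acct.locked_until:
            return "locked"                      # even the right password is refused while locked
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.lockout and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "invalid"


def dictionary_attack(service: LoginService, user: str, wordlist=WORDLIST):
    """Try each word in order, as an attacker facing no throttling would.
    Returns (password_found_or_None, attempts_made, locked_responses)."""
    attempts = locked = 0
    for guess in wordlist:
        attempts += 1
        result = service.login(user, guess)
        if result == "ok":
            return guess, attempts, locked
        if result == "locked":
            locked += 1
    return None, attempts, locked


def demo():
    """Run the same attack against both configurations, keyed by lockout flag."""
    results = {}
    for lockout in (False, True):
        svc = LoginService(lockout=lockout)
        svc.register("support_admin", "letmein")   # constructed weak password
        results[lockout] = dictionary_attack(svc, "support_admin")
    return results


if __name__ == "__main__":
    for lockout, (found, attempts, locked) in demo().items():
        print(f"lockout={lockout}: found={found!r} after {attempts} attempts, "
              f"{locked} responses were 'locked'")
```

Without the lockout the seventh guess succeeds; with it, the fifth failure locks the account and every later guess, including the correct one, gets "locked" back. Lockout alone is not a complete answer (an attacker can use it to lock legitimate users out, and a slow attack spread over many accounts stays under the threshold), so in practice it is paired with per-source rate limiting and a registration-time check such as `is_weak_password`.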
I hate it
While this is bad for Twitter, as users of the internet we should be aware of the ways to detect phishing; after all, this is nothing new.
@Marshall well, even with a tinyurl mask it'd still be easy to find out who posted the link, I would say (even with a mask, their user ID is still in the original URL, which is easy to get to, as you've shown). If not for the every-day Twitter reader, then definitely for the affiliate network and the Feds!
The good thing is that the twitter community is so quick to update people, that most twitter users were warned by others very early on, especially about the phishing incident. It's too bad twitter has now joined so many other sites, and become victim to idiots that have nothing better to do with their time. It's kind of like social media terrorism, and most of us won't let them knock us off track.
I believe this thread touches exactly what the real issue is here. As we evolve towards a new frontier that is the digital landscape, we will no doubt have to tackle these very tough digital security issues. There are companies out there that are on the cutting edge of this. They have products that can protect us. It's just a matter of us accepting the concept. I think it's safe to do so if implemented ethically. In fact, I think it's right, just and above all else...necessary.
Identity theft, asset tampering, you name it. I want it protected.