Posts tagged: Twitter

Feb 02 2013

Twitter Hacked – 250,000 Accounts Compromised

Twitter HackedIn a blog post last Friday, Twitter’s Director of Information Security Bob Lord, said the company had discovered a major attack and shut it down almost immediately, but the attackers may have had access to user names, email addresses, session tokens and passwords for approximately 250,000 users.

Lord said that Twitter detected unusual access patterns that led to it identifying unauthorised access attempts to Twitter user data.

“We discovered one live attack and were able to shut it down in process moments later. As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.

Though only a very small percentage of our users were potentially affected by this attack, we encourage all users to take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the Internet. Make sure you use a strong password – at least ten (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites.

Using the same password for multiple online accounts significantly increases your odds of being compromised. If you are not using good password hygiene, take a moment now to change your Twitter passwords. We also echo the advisory from the US Department of Homeland Security and security experts to encourage users to disable Java on their computers in their browsers”.

The attack follows hacks into a number of major media outlets, including The Washington Post, The New York Times, and The Wall Street Journal. Unnamed sources quoted by the newspapers say they suspect Chinese hackers, possibly associated with the Chinese government, to be involved.

Twitter have not mention that how hackers were able to infiltrate Twitter’s systems, but Twitter’s blog post alluded that hackers had broken in through a zero-day vulnerability in Oracle’s Java software.

Jan 26 2012

FBI will Monitor Social Media using Crawl Application

FBI Monitor FacebookThe Federal Bureau of Investigation is looking for a better way to spy on Facebook and Twitter users.

The Bureau is asking companies to build software that can effectively scan social media online for significant words, phrases and behavior so that agents can respond.

A paper posted on the FBI website asks for companies to build programs that will map sentiment and wrongdoing.

“The application must be infinitely flexible and have the ability to adapt quickly to changing threats to maintain the strategic and tactical advantage,” the Request for Information said, “The purpose of this effort is to meet the outlined objectives…for the enhancement [of] FBI SOIC’s overall situation awareness and improved strategic decision making.”The tool would be used in “reconnaisance and surveillance missions, National Special Security Events (NSS) planning, NSSE operations, SOIC operations, counter intelligence, terrorism, and more.

Although the police, including in Britain, already use Facebook routinely to ascertain the whereabouts of criminals, automatically filtering out irrelevant information remains challenging. The new FBI application will be able to automatically highlight the most relevant information.

The FBI is seeking responses by 10 February.

Sep 05 2009

How I cross-site scripted Twitter in 15 minutes

How I cross-site scripted Twitter in 15 minutes, and why you shouldn’t store important data on 37signals’ applications
“Today the Ruby on Rails security team released a patch for a cross-site scripting issue which affected multiple high-profile applications, including Twitter and Basecamp. If you’re concerned about the issue and would like to see the patch, please read the advisory from the Rails security team. In this post, I discuss the overall process of finding the issue, and the reason why I’d suggest that no important information be stored on the 37signals applications (Basecamp, Highrise, Backpack, and Campfire).

After seeing a bug in Unicode handling in an unrelated program a few weeks ago, I suddenly had an idea: “I wonder if there are any web applications which have Unicode handling problems that might be security issues?”

My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of. But was this a Twitter-specific issue, or did it affect other sites too?”
- Brian Mastenbrook

Source: Brian Mastenbrook

Aug 08 2009

Twitter, Facebook attack targeted one user

A Georgian blogger with accounts on Twitter, Facebook, LiveJournal, and Google’s Blogger and YouTube was targeted in a denial-of-service attack that led to the site-wide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.

The blogger, who uses the account name “Cyxymu,” (the name of a town in the Republic of Georgia) had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNET News.

“It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard,” Kelly said. “We’re actively investigating the source of the attacks, and we hope to be able to find out the individuals involved in the back end and to take action against them, if we can.”

witter was down for several hours beginning early Thursday morning, and it suffered periodic slowness and time-outs throughout the day.

Cyxymu’s LiveJournal page wasn’t accessible, but a cached version showed that it was updated on Thursday with a message about the denial-of-service, or DoS, attacks on his accounts on the United States-based sites. “Now it’s obvious it’s a special attack against me and Georgians,” said the message, in Russian.

The site also apologized for a spam e-mail attack in which the sender was spoofed and made to look like the e-mails were sent by him. Screenshots are shown. It’s unclear whether or how the spam attack is related to the DoS attacks.

Facebook and Google were able to minimize any impact to their sites, including Blogger, YouTube, and Google Sites, a free Web site service. Facebook even managed to keep the Cyxymu account accessible to Web surfers from that region, Kelly said, though it was inaccessible to people in other geographic areas, including San Francisco.

Source: CNET News

May 02 2009

Twitter Hacked Again …!

Someone has been able to access Twitter’s administration area, and they’ve got a bunch of screenshots to prove it.

The URL which leads to Twitter’s admin page is simple enough (and open to everyone): “https://admin.twitter.com/admin/”; of course, without a password you cannot get in, and the source does not disclose the nature of the hack; perhaps someone was able to brute force their way in, or they somehow obtained the username and password from one of Twitter’s real admins.

In any case, the screen shots are quite interesting if you want to find out about the inner workings of Twitter; they could be fake, but they’re quite elaborate and there’s lots of them, so the chances that someone photoshopped them are slim. Check out some of them below -

Twitter Hack
Twitter Hacked

There are several over at the source; one even shows the details about Barack Obama’s Twitter account.

“This week, unauthorized access to Twitter was gained by an outside party. Our initial security reviews and investigations indicate that no account information was altered or removed in any way. However, we discovered that 10 individual accounts were viewed during this unauthorized access.” – Twitter

Twitter’s Full Statement: Unauthorized Access: An Update on Security