{"id":320,"date":"2009-01-07T18:17:15","date_gmt":"2009-01-08T02:17:15","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=320"},"modified":"2009-01-07T18:17:15","modified_gmt":"2009-01-08T02:17:15","slug":"taking-the-tweet-out-of-twitter","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/07\/taking-the-tweet-out-of-twitter\/","title":{"rendered":"Taking the Tweet out of Twitter"},"content":{"rendered":"<p>According to a recent New York Times <a title=\"article\" href=\"http:\/\/bits.blogs.nytimes.com\/2009\/01\/05\/twitter-hit-by-hacker-phishers\" target=\"_blank\">article<\/a>, the popular &#8220;micro-blogging&#8221; site, Twitter, has been the victim of a series of recent hacking and phishing attacks. The article explains that 33 member accounts, most of them belonging to big names like President-elect Obama and Britney Spears, were hijacked by an attacker who gained access to Twitter&#8217;s support team tools. The attacker recovered email addresses and passwords associated with user accounts and posted obscene and inappropriate updates. Twitter users also became the victims of phishing by receiving emails with links to &#8220;Free iPhones&#8221;, which directed them to a spoofed Twitter login page.<\/p>\n<p>This site has been steadily gaining popularity, which, the article states, may have been reason enough for an attacker to exploit the vulnerabilities in the support tools. Being a small but quickly growing company, Twitter also may not have had the funding or the time to put as much thought into the security of their tools as was necessary.<\/p>\n<p>As the article did not state exactly where or what the vulnerability was, it is hard to say what sort of security measures Twitter could have used to prevent such attacks.
Stronger authorization requirements for the support tools and more secure user authentication practices could probably have been used, but the very fast response time to these attacks is an indicator that Twitter does have security measures in place to quickly detect an attack. Both the limited number of accounts that were hijacked and the almost immediate removal of the faulty tool cast some positive light on an otherwise negative situation.<\/p>\n<p><!--more-->One of the major concerns people had when they discovered that their account passwords had been compromised was that this password was the same for many of their other personal accounts such as PayPal, email accounts, bank accounts, etc. This could obviously lead to a huge breach of personal privacy far worse than &#8220;twittering&#8221; inappropriate comments. Another ethical issue that arises in a situation like this is damaging the reputations of not only the site itself, but of individuals who may &#8220;say&#8221; something that reflects badly on their political position or general reputation. The attacker also could have used the hijacked accounts to start a major scare of some sort (a disaster, a terrorist attack, an assassination, etc.) among Twitter&#8217;s growing user base, which could have had worldwide security implications.<\/p>\n<p>After these attacks, Twitter plans to use a third-party authentication program so users can provide additional personal information to log in via a third party, thus making it more difficult to hijack their account by obtaining only their password. Users should realize the potential dangers of these kinds of attacks and take stronger measures to ensure the safety of their passwords and be more aware of suspicious links and spoofed sites.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>According to a recent New York Times article, the popular &#8220;micro-blogging&#8221; site, Twitter, has been the victim of a series of recent hacking and phishing attacks.
The article explains that 33 member accounts, most of them belonging to big names like &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/01\/07\/taking-the-tweet-out-of-twitter\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":73,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-320","post","type-post","status-publish","format-standard","hentry","category-current-events"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/320","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/73"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=320"}],"version-history":[{"count":5,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/320\/revisions"}],"predecessor-version":[{"id":325,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/320\/revisions\/325"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=320"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=320"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=320"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}