French hacker gains access to Twitter's admin panel

UPDATE2: Twitter confirms the unauthorized access.

UPDATE: The Twitter admin hack appears to be the result of a successful social engineering attack against one of Twitter's employees -- a similar attack took place in January this year. Here's a retrospective of the events that took place.

Yesterday, a French hacker claimed to have gained access to Twitter's administration panel, and based on the screenshots that he included featuring internal data for accounts belonging to U.S. President Barack Obama, Britney Spears, Ashton Kutcher, and Lily Allen, as well as a detailed overview of different sections behind the scenes of Twitter, his claims seem pretty legitimate.

The hacker going under the handle of Hacker Croll featured 13 screenshots of Twitter's admin panel, and commented that "The images were taken from the Admin area that was secured with .htaccess." It's still unclear whether any data belonging to account holders was modified, but one has to assume that given the access obtained, there's a high chance that he was able to download anything he wanted to.

The attack comes two weeks after multiple variants of Mickeyy's XSS worm hit the continuously growing micro-blogging service.

UPDATE: The screenshots were obtained through the account of a Twitter employee who reported that his Yahoo! Mail account got compromised on the 27th - "Wow - my Yahoo mail account was just hacked."; "If anyone with Yahoo! Security is out there, hit me up with a reply".

Interestingly, Hacker Croll goes into more detail regarding the compromise on a different forum - "one of the admins has a yahoo account, i've reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password." and that he "used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection".

A similar password-reset attack contributed to the successful hacking of Sarah Palin's personal email account in September last year.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

8 comments
  • High value targets

    People security is no joke.. when you build a service.. build it based on security or at least with security in mind. It's open source.. ask some security experts to comment... but make sure it's included.

    It may not be 100%... but htaccess.. come on.
    Been_Done_Before
  • RE: French hacker gains access to Twitter's admin panel

    I'm not a US President, CEO or celebrity but this is exactly why I DO NOT USE these social sites.

    I DO NOT believe in putting my family's personal life on the web for anyone and everyone to see!!!

    If someone wants to find me, let them work at it a bit!!
    jasonemmg
  • RE: French hacker gains access to Twitter's admin panel

    I agree. This is also why I would not use SNS. Even though you are not a celeb, VP, CEO etc., if someone wants your account on these sites they can access it very easily without any effort at all today. I have run my first, middle and last name on several search engines and, well, needless to say it's not a common name at all; I am not located. Only in NCIC like everyone else is.
    Tracer76
  • RE: French hacker gains access to Twitter's admin panel

    HAHA Great, see Tweet that nubs! Good to see that these so called "Social Networking" sites are NOT so safe after all, just like when Twitter asks you if you want to input your gmail or whatever e-mail account and password and check to see if a contact of yours uses twitter... They say it'll go securely, well after looking for the HTTPS for this option, it's NOT encrypted when you type in your e-mail username and password on twitter's contact import option...

    Check for yourself in the headers!

    Anyhow, kudos to the French Hacker to show how "secure" twitter really is, MySpace has been breached more than twitter though, and that's a fact. :) Kids and social networking, when will you learn? It's NEVER safe on the net.
    wtfnix
    • Ummm

      You just replied to a blog, no?
      weemooseus9
  • RE: French hacker gains access to Twitter's admin panel

    Ok, so the weakness is the user...
    weemooseus9
  • This is why we need secure web fingerprint ID

    This kind of story drives me nuts!

    When are we going to realize that any authentication scheme (or for that matter, the way we obtain credit) based on "what you know" vs. "what you have," (better) or "who you are" (best), will increasingly be subject to fraud and imposter access?

    Meanwhile, every major manufacturer of laptops already adds a fingerprint scanner to some or all of their product lines at a cost of just $3 per laptop. HP plans to ship 8 million consumer laptops next year with a fingerprint scanner, for example, and will join IBM and Lenovo in featuring it in all their business laptops.

    These soon-to-be ubiquitous scanners, combined with BIO-key's WEB-key strong authentication platform, will let anyone securely authenticate or identify themselves over the internet to any site using a simple swipe of their finger over that scanner. It's actually easier than using the username and password approach. If someone has a mix of different scanners on their laptops, or they replace a laptop, the BIO-key software works on them all interchangeably - you're never stuck.

    Before someone chimes in with the oft-raised concern that "if someone steals my fingerprint, they can use it to gain access to these systems or steal my identity," I'll point out that a biometric authentication scheme is based on the fundamental assumption that the thing being measured (you) is public - the biometric principle just doesn't work if you've got to keep the person or the artifacts of their biometric measurements (e.g. fingerprints, face images, eye images) private. Looking deeper, the flawed thinking behind this fear is that the fingerprint is not the credential - the finger is. Having a fingerprint is useless data if the system is geared to only accept live fingers attached to live people. WEB-key and any banking-tested systems like it are architected to ensure that a real finger is on a real scanner right now; they make it impossible for someone possessing even a perfect fingerprint image from injecting it into the authentication pipeline at any point.

    McKesson, Allscripts, Union Pacific, Beth Israel Deaconess, and AT&T use WEB-key for their biometric platform for its security in particular because it assumes that the browser has been hacked, the USB connection has been compromised, the internet connection is being intercepted and sniffed - even the app server is compromised - yet there is still no way for the malicious entity controlling those components to mimic a real person.

    Right now, the banks and other online providers are weighing how to use biometrics to let you protect access to all your accounts, using low-cost scanners that are available in any new laptop. It's up to the public to insist that they are tired of the burden of online account protection being placed on them, through convoluted mechanisms to prove who they are.

    Likewise, we have to call to account the credit bureaus' CreditWatch programs. They are making so much money selling you a glorified burglar alarm monitoring service to watch your credit account for activity (akin to saying "Your horses have left the barn - go after them!") vs. making it impossible for someone besides you to avail themselves of your reputation and credit record. Allowing anyone to voluntarily bind two web-verifiable fingerprints to their credit record would do that, with a minimum of overhead for any credit grantor - they would only need a web connection and a fingerprint scanner - including the ones in their laptops.

    Unisys surveyed 12,000 consumers in October 2008, and reported that 72% prefer using fingerprint ID to prove identity to banks and government agencies - second in acceptance to passwords and PINs, at 73%. That acceptance rockets to 80% for people who make over $50K per year.

    Makes too much sense to ever be adopted, I guess.
    SecurityThroughObscurity