French hacker gains access to Twitter's admin panel
UPDATE2: Twitter confirms the unauthorized access.
UPDATE: The Twitter admin hack appears to be the result of a successful social engineering attack against one of Twitter's employees -- a similar attack took place in January this year. Here's a retrospective of the events that took place.
Yesterday, a French hacker claimed to have gained access to Twitter's administration panel, and based on the screenshots he included, featuring internal data for accounts belonging to U.S. President Barack Obama, Britney Spears, Ashton Kutcher, and Lily Allen, as well as a detailed overview of different sections behind the scenes of Twitter, his claims seem pretty legitimate.
The hacker, going under the handle Hacker Croll, featured 13 screenshots of Twitter's admin panel and commented that "The images were taken from the Admin area that was secured with .htaccess." It's still unclear whether any data belonging to account holders was modified, but given the level of access obtained, one has to assume there's a high chance he was able to download anything he wanted to.
The attack comes two weeks after multiple variants of Mickeyy's XSS worm hit the continuously growing micro-blogging service.
UPDATE: The screenshots were obtained through the account of a Twitter employee who reported that his Yahoo! Mail account had been compromised on the 27th: "Wow - my Yahoo mail account was just hacked."; "If anyone with Yahoo! Security is out there, hit me up with a reply".
Interestingly, Hacker Croll goes into more detail regarding the compromise on a different forum: "One of the admins has a Yahoo account; I've reset the password by answering the secret question. Then, in the mailbox, I have found her Twitter password." He adds that he "used social engineering only, no exploit, no XSS vulnerability, no backdoor, no SQL injection".
A similar password reset attack contributed to the successful hacking of Sarah Palin's personal email account in September last year.
Talkback
High value targets
It may not be 100%... but htaccess.. come on.
RE: French hacker gains access to Twitter's admin panel
I DO NOT believe in putting my family's personal life on the web for anyone and everyone to see!!!
If someone wants to find me, let them work at it a bit!!
RE: French hacker gains access to Twitter's admin panel
Check for yourself in the headers!
Anyhow, kudos to the French hacker for showing how "secure" Twitter really is. MySpace has been breached more than Twitter though, and that's a fact. :) Kids and social networking, when will you learn? It's NEVER safe on the net.
Ummm
RE: French hacker gains access to Twitter's admin panel
This is why we need secure web fingerprint ID
When are we going to realize that any authentication scheme (or, for that matter, the way we obtain credit) based on "what you know" vs. "what you have" (better) or "who you are" (best) will increasingly be subject to fraud and imposter access?
Meanwhile, every major manufacturer of laptops already adds a fingerprint scanner to some or all of their product lines at a cost of just $3 per laptop. HP plans to ship 8 million consumer laptops next year with a fingerprint scanner, for example, and will join IBM and Lenovo in featuring it in all their business laptops.
These soon-to-be ubiquitous scanners, combined with BIO-key's WEB-key strong authentication platform, will let anyone securely authenticate or identify themselves over the internet to any site using a simple swipe of their finger over that scanner. It's actually easier than using the username and password approach. If someone has a mix of different scanners on their laptops, or they replace a laptop, the BIO-key software works on them all interchangeably - you're never stuck.
Before someone chimes in with the oft-raised concern that "if someone steals my fingerprint, they can use it to gain access to these systems or steal my identity," I'll point out that a biometric authentication scheme is based on the fundamental assumption that the thing being measured (you) is public - the biometric principle just doesn't work if you've got to keep the person or the artifacts of their biometric measurements (e.g. fingerprints, face images, eye images) private. Looking deeper, the flawed thinking behind this fear is that the fingerprint is not the credential - the finger is. Having a fingerprint is useless data if the system is geared to only accept live fingers attached to live people. WEB-key and any banking-tested systems like it are architected to ensure that a real finger is on a real scanner right now; they make it impossible for someone possessing even a perfect fingerprint image to inject it into the authentication pipeline at any point.
McKesson, Allscripts, Union Pacific, Beth Israel Deaconess, and AT&T use WEB-key as their biometric platform for its security in particular, because it assumes that the browser has been hacked, the USB connection has been compromised, the internet connection is being intercepted and sniffed - even the app server is compromised - yet there is still no way for the malicious entity controlling those components to mimic a real person.
Right now, the banks and other online providers are weighing how to use biometrics to let you protect access to all your accounts, using low-cost scanners that are available in any new laptop. It's up to the public to insist that they are tired of the burden of online account protection being placed on them, through convoluted mechanisms to prove who they are.
Likewise, we have to call the credit bureaus' CreditWatch programs to account. They are making so much money selling you a glorified burglar alarm monitoring service to watch your credit account for activity (akin to saying "Your horses have left the barn - go after them!") vs. making it impossible for someone besides you to avail themselves of your reputation and credit record. Allowing anyone to voluntarily bind two web-verifiable fingerprints to their credit record would do that, with a minimum of overhead for any credit grantor - they would only need a web connection and a fingerprint scanner, including the ones in their laptops.
Unisys surveyed 12,000 consumers in October 2008, and reported that 72% prefer using fingerprint ID to prove identity to banks and government agencies - second in acceptance to passwords and PINs, at 73%. That acceptance rockets to 80% for people who make over $50K per year.
Makes too much sense to ever be adopted, I guess.