Attacker posts rogue tweets on users' feeds

Feb 12, 2010 16:25 GMT  ·  By

A popular Twitter service called Twitter Grader was hacked yesterday, causing thousands of unauthorized tweets to be posted from the accounts of its users. The third-party application's developer is being praised for how he handled the incident.

Twitter Grader, which is normally available from grader.com along with other free grading applications, allows Twitter users to see how influential they are on the micro-blogging platform. The service is developed by an Internet marketing company called HubSpot.

The company's founder and CTO, Dharmesh Shah, was completely taken by surprise yesterday when Twitter Grader users, including himself, started posting a strange message on their feeds. The unauthorized tweets contained a link to a 2006 video of Biz Stone promoting the micro-blogging platform.

Rik Ferguson, solutions architect at antivirus vendor Trend Micro, analyzed the message and concluded that, "The link that has been endlessly tweeted by grader users does not appear to host any malicious content." The researcher also offered a possible explanation for the attack. "The domain name of the destination site [seonix.org] however might give us a clue to the motivation behind the attack. Seonix presumably refers to Search Engine Optimisation and perhaps that is the real purpose of this attack," he wrote.

Mr. Shah issued a mea culpa on the company's blog, writing that, "It was my fault. I developed Twitter Grader — and I'm the one that developed this particular feature that ended up getting hacked. I should have known better. I was an idiot." Access to the entire grader.com domain has been temporarily suspended until the issue is addressed and all applications are moved to more secure servers.

The company also stresses that customers of its commercial services have not been affected, as these are hosted on a different infrastructure. Additionally, Twitter users' usernames and passwords have not been compromised, because Twitter Grader used OAuth: users authorize the application at Twitter, and the application receives an access token for posting on their behalf, so it never sees or stores their passwords. The caveat is that the tokens an application holds can still be used to post as its users until they are revoked, which is why an incident like this can produce rogue tweets without a single password being stolen.
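To make the OAuth point above concrete, here is an added example (not HubSpot's or Twitter's code) of the OAuth 1.0a request signing Twitter used in 2010, as specified in RFC 5849: the client signs a status update with the stored access token secret, and the provider verifies it against the token on file. The endpoint URL, the consumer key and secret, the token store and all credentials are constructed for illustration, and the provider-side verifier is a simplified model that checks only the signature.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed values for illustration; not Twitter Grader's real keys.
UPDATE_URL = "https://api.twitter.com/1/statuses/update.json"
CONSUMER_KEY = "grader-app-key"
CONSUMER_SECRET = "grader-app-secret"
# What the application server persists per user: an access token and its
# secret, issued by Twitter after the user approved the app. No password.
TOKEN_STORE = {"user-token-123": "user-token-secret-123"}


def _enc(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters are kept."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD&enc(url)&enc(sorted, encoded params)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer and token secrets."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_signed_request(token, token_secret, status, nonce=None, timestamp=None):
    """Client side: what an app holding a user's token sends to post a tweet."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
        "status": status,
    }
    params["oauth_signature"] = sign("POST", UPDATE_URL, params, CONSUMER_SECRET, token_secret)
    return params


def verify_request(params, token_store=TOKEN_STORE):
    """Provider side (simplified): recompute the signature from the token on file."""
    token_secret = token_store.get(params.get("oauth_token"))
    if token_secret is None:
        return False  # unknown or revoked token
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign("POST", UPDATE_URL, unsigned, CONSUMER_SECRET, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)


def revoke_token(token_store, token):
    """The only thing that stops a copied token: the provider forgets it."""
    token_store.pop(token, None)


if __name__ == "__main__":
    legit = build_signed_request("user-token-123", TOKEN_STORE["user-token-123"], "checking my grade")
    print("legitimate post accepted:", verify_request(legit))
    # An attacker who copies TOKEN_STORE from a compromised app server can
    # sign posts as every user without knowing a single password.
    stolen = dict(TOKEN_STORE)
    rogue = build_signed_request("user-token-123", stolen["user-token-123"], "watch this http://example.invalid/")
    print("rogue post accepted:", verify_request(rogue))
    store = dict(TOKEN_STORE)
    revoke_token(store, "user-token-123")
    print("rogue post after revocation:", verify_request(rogue, store))
```

The password never enters the flow, which is what protects users' Twitter logins; the token store is the sensitive asset on the application side, and anyone who obtains it can sign valid requests until the user or provider revokes the tokens. A real provider additionally rejects stale timestamps and reused nonces, which the simplified verifier above omits.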

The responses to the official blog post about the attack are overwhelmingly favorable, commending the company for its openness and seriousness in handling the incident. "Ladies and gents, [this] is an object lesson in how to deal with an event like this. Much respect to HubSpot," Rik Ferguson wrote, while an executive officer with a different company noted that, "How you handled it […] should be a lesson (case study?) for others."

Images: Twitter Grader service hacked; sample of rogue tweets posted from Twitter Grader.