Hacker leveraged security weaknesses that most Internet users tend to overlook

Jul 21, 2009 09:31 GMT
Hacker uses social engineering alone to steal Twitter confidential documents

It was not any particular vulnerability that a French hacker exploited to get his hands on Twitter's confidential corporate documents. By his own account, it was patience and determination, combined with the inherent security weaknesses of today's Web 2.0 ecosystem.

TechCrunch, one of the first to break the story about the Twitter compromise, interviewed the person responsible. Going by the online handle "Hacker Croll," he explained how he used social engineering alone to obtain unauthorized access to a large amount of confidential data and services.

It all started with some time-consuming research. The hacker built a profile of Twitter as a company and of its employees from information freely available on the Internet. As this profile grew, the data in it made it easier to search for and find even more detailed information about individuals, such as their personal e-mail addresses, work e-mail addresses, birthdays, pet names, and so on.

After mapping out all this information, Croll set out to find a weak spot. The breakthrough came in the form of an employee's personal Gmail account. When he tried the password reset feature on this account, Google told him that reset instructions would be sent to a secondary e-mail address and, in an attempt to help the user recall what that address was, displayed a visual cue: ******@h******.com.

With that clue, most people would find it trivial to realize that the secondary address was at hotmail.com, and it was even easier for Hacker Croll to determine the account name, operating under the assumption that people tend to use the same username across different services. The next thing he noticed was that the Hotmail account had been deleted for inactivity, a "feature" Hotmail is known for.

This allowed him to re-register the account, request a Gmail password reset and receive the unique reset confirmation link at the secondary e-mail address, now under his control. Once inside the Gmail account, Hacker Croll went further and searched it for registration confirmation messages from other services.

This helped him determine the password the Twitter employee had most likely used on Gmail before the reset, again on the assumption that people reuse the same password across multiple accounts. He then waited to see whether he was right and, soon enough, noticed activity on the Gmail account, which meant he now had access to the e-mail without its owner suspecting that anything was off.

He then realized that Twitter also used Google's servers as the MX for its corporate e-mail, a feature of Google Apps. He tried the same password on the employee's business e-mail account and it worked. The nature of the information found there was a game changer.

By going through documents attached to older e-mail messages in the business account, Croll was able to extend his map of Twitter with information about other company personnel. Leveraging this new data, he soon had access to the Gmail, Google Apps, AT&T, Amazon, PayPal, iTunes, MobileMe and GoDaddy accounts of multiple Twitter employees, including founders Evan Williams and Biz Stone.

According to TechCrunch, a weakness in iTunes allowed the hacker to see the credit card details associated with the compromised accounts in plain text. Croll is also said to have had access to the GoDaddy account used to manage Twitter's domain names.

Hacker Croll explained that he held nothing against Twitter in particular and that he carried out the attack to raise awareness of the risks of overlooking basic security practices. "I did not do this to profit from the information. Security is an area that has fascinated me for many years and I want to do my job. [...] I hope that my intervention will be repeated to show how easy it can be for a malicious person to gain access to sensitive information without too much knowledge," he wrote (translated from French).