Twitter Authentication Flaw Allows Hackers to Hijack User Accounts

Crooks have found a way to bypass the login attempt restrictions

By on October 2nd, 2012 11:51 GMT

If we had known that Twitter would become so popular, we would all have rushed to register the coolest handles in its early days. Cybercriminals who didn’t do so, but want to have a fancy username anyway, can apparently steal one by leveraging a flaw in the social network’s authentication system.

One of the victims of such a forceful takeover is Daniel Dennis Jones, who saw his @blanket handle being hijacked by another individual.

Initially, he received an email notification telling him that his Twitter password had been reset. When he tried to log in to his account, he found that the password he had set no longer worked.

After eventually logging back into his account, he found that all his followers and all his tweets were still there, but instead of @blanket, his username had been changed to something we would have to seriously censor.

According to BuzzFeed, Jones later learned that his name was put up for sale on a website where usernames (particularly ones for games) were commercialized.

He found that some of these rare handles were sold for around $100, while others were simply given away by the attackers to their friends.

In the end, Twitter gave Jones back his @blanket name, but in the meantime, other users came forward reporting that they had experienced the same issue.

So how could this have happened?

Apparently, the hacker used a piece of software that repeatedly tests common passwords against the account. This type of brute-force attack is possible because Twitter only limits login attempts if they come from the same IP address.

Most websites have implemented a system that prevents potential crooks from hijacking accounts by trying out random passwords. However, since Twitter only blocks repeated login attempts coming from the same IP address, attackers can try out as many passwords as they want as long as they keep changing their IP address.
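To make the weakness in the two preceding paragraphs concrete, here is an added example (written for this article, not Twitter's code) of a login throttle with two policies: counting failures per source IP only, which is what the article describes, and additionally counting failures per target account. The simulation runs wrong passwords against one account from a fresh IP address each time; the account name comes from the article, while the limits, the IP addresses (from a documentation range) and the throttle itself are constructed assumptions.

```python
"""Added example (not from the article): why limiting failed logins per
source IP alone does not stop a distributed password-guessing attack on one
account, and how a per-account counter plus a spread metric closes the gap.

All limits, addresses and the throttle class are constructed for the demo.
"""
from collections import defaultdict

# Policy knobs (assumed values for the demo, not Twitter's real settings).
MAX_FAILURES_PER_IP = 5        # per-IP limit like the one the article describes
MAX_FAILURES_PER_ACCOUNT = 10  # per-account limit (the missing control)


class LoginThrottle:
    """Counts failed logins and decides whether a new attempt is allowed.

    per_account=False reproduces a per-IP-only policy; per_account=True
    adds a counter keyed on the target username, so rotating source
    addresses no longer resets the attacker's budget.
    """

    def __init__(self, per_account: bool):
        self.per_account = per_account
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)
        self.account_sources = defaultdict(set)  # detection: IPs per account
        self.locked_accounts = set()

    def allowed(self, ip: str, username: str) -> bool:
        """True if an attempt from `ip` against `username` may proceed."""
        if self.ip_failures[ip] >= MAX_FAILURES_PER_IP:
            return False
        if self.per_account and username in self.locked_accounts:
            return False
        return True

    def record_failure(self, ip: str, username: str) -> None:
        """Update counters after a wrong password."""
        self.ip_failures[ip] += 1
        self.account_sources[username].add(ip)
        if self.per_account:
            self.account_failures[username] += 1
            if self.account_failures[username] >= MAX_FAILURES_PER_ACCOUNT:
                # In production: lock, step up to a second factor or CAPTCHA,
                # and notify the owner (as the reset e-mail in the article did).
                self.locked_accounts.add(username)

    def spread_report(self, min_distinct_ips: int) -> dict:
        """Accounts whose failures came from many distinct IPs: a detection
        signal that fires even when the per-IP policy lets every attempt in."""
        return {user: len(ips) for user, ips in self.account_sources.items()
                if len(ips) >= min_distinct_ips}


def simulate_distributed_guessing(per_account: bool, attempts: int = 100) -> dict:
    """Constructed scenario: `attempts` wrong passwords against one account,
    each from a different source IP, so the per-IP counter never trips."""
    throttle = LoginThrottle(per_account=per_account)
    username = "blanket"  # handle named in the article
    processed = blocked = 0
    for i in range(attempts):
        ip = f"203.0.113.{i + 1}"  # rotating address from a documentation range
        if throttle.allowed(ip, username):
            processed += 1
            throttle.record_failure(ip, username)  # every guess is wrong here
        else:
            blocked += 1
    return {
        "attempts_processed": processed,
        "attempts_blocked": blocked,
        "account_locked": username in throttle.locked_accounts,
        "distinct_source_ips": len(throttle.account_sources[username]),
        "flagged_by_spread": username in throttle.spread_report(min_distinct_ips=20),
    }


if __name__ == "__main__":
    print("per-IP only:      ", simulate_distributed_guessing(per_account=False))
    print("per-IP + account: ", simulate_distributed_guessing(per_account=True))
```

With the per-IP-only policy all 100 guesses are processed and nothing is ever locked, yet the spread report still flags the account because 100 different addresses failed against it; with the per-account counter the attack is cut off after 10 failures regardless of how many addresses are used.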

Jones admitted that his password was not strong, which is most likely why the attackers managed to compromise his account.