Outlining the poor authentication security policies enforced by the website

Jan 8, 2009 11:53 GMT

The hacker who compromised 33 high-profile Twitter accounts a few days ago has come forward with details of the attack. According to his own version of the story, he obtained unauthorized access to the management tools by mounting a dictionary attack against the account of a tech support staffer.

According to Wired's Threat Level blog, the hacker is an 18-year-old going by the nickname of GMZ, and this is apparently not the first time he has targeted social networking accounts belonging to celebrities. With only three years of hacking experience under his belt, the young cyber-criminal proudly claims responsibility for last year's hijacking of the YouTube account belonging to teen movie star Miley Cyrus, as well as the SayNow accounts of Selena Gomez and other famous people.

The YouTube incident made headlines after a video clip claiming that the young actress passed away in a car accident was posted from her compromised account. According to GMZ, he became aware of Twitter just recently, and after realizing that the micro-blogging service did not lock down accounts after a predefined number of failed login attempts, he decided to run a self-made brute force script against the account of a woman calling herself “Crystal.”

The hacker explains that he was not aware of her Twitter status or her administrative permissions. “I thought she was just a really popular member,” he says. Leaving his dictionary-attack script running overnight proved enough to crack her weak “happiness” password. After realizing that he could easily change the password of any Twitter account by using the management tools that Crystal had access to, he offered free access to any Twitter profile to the members of a hacking forum.

In fact, GMZ insists that he did not personally access any account, other than Crystal's, and that all the fake messages were posted by other users to whom he distributed login credentials. In order to back up his claims, the hacker has also posted a low-quality video on YouTube, which shows him controlling the “Crystal” account and resetting passwords.

According to Threat Level, Twitter co-founder Biz Stone admitted that the security breach was caused by a dictionary attack, but he refused to confirm the identity of the compromised account. He pointed out that they were still investigating the incident, and that more solid authentication security measures would be enforced. Access to the support tools had also been restricted, he noted.

Brute-force, dictionary-based attacks are among the crudest and most basic forms of hacking, and they can usually be prevented easily. It is odd that a tech support staffer was not aware of the most basic of security measures – using strong, hard-to-guess passwords containing both lower-case and upper-case letters, as well as numbers or special characters. However, it is more alarming that Twitter allowed the use of such weak passwords in the first place.

Secondly, it is hard to understand why the authentication system allowed for an infinite number of failed attempts, this being a major security oversight. “There’s no reason why Twitter couldn’t, say, notice that someone has entered the wrong password three times in a row, and then insist they wait 15 minutes before trying to log in again,” Graham Cluley, senior technology consultant at Sophos, explains. “If you use Twitter, don’t be a twit. Make sure that you are using a sensible hard-to-crack password today,” he concludes.
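The lockout rule Cluley describes, together with the password requirements listed in the previous paragraph, as an added Python example that is not part of the article or of Twitter's own code: a login check that locks an account for 15 minutes after three consecutive wrong passwords and rejects dictionary words such as the one that was cracked. The word list and the `crystal` account are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Policy from the article: lock after 3 consecutive failures, wait 15 minutes.
MAX_FAILURES = 3
LOCKOUT_SECONDS = 15 * 60
# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"happiness", "password", "twitter", "letmein"}


def password_is_acceptable(password: str) -> bool:
    """Reject dictionary words; require length, mixed case and a non-letter."""
    if password.lower() in DICTIONARY:
        return False
    mixed_case = password.lower() != password != password.upper()  # has both cases
    return len(password) >= 10 and mixed_case and not password.isalpha()


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    """Salted-hash login with per-account lockout; clock is injectable for tests."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}         # username -> (salt, pbkdf2 hash)
        self.failures = {}      # username -> consecutive failed logins
        self.locked_until = {}  # username -> timestamp when the lockout ends

    def register(self, username: str, password: str) -> None:
        if not password_is_acceptable(password):
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(salt, password))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; the third miss starts the lockout."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"
        salt, stored = self.users.get(username, (b"", b""))
        if stored and hmac.compare_digest(stored, _hash(salt, password)):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
        return "denied"
```

Unknown usernames take the same failure path as known ones, so the response does not reveal which accounts exist.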