Chicago (IL) – Yet again, the Twitter website is seeing security intrusions. This time, an administrator account at the microblogging website has been breached, giving outsiders a look inside the accounts of high-profile users. Twitter co-founder Biz Stone confirmed that “unauthorized access” was gained earlier this week. Apparently, only 10 individual accounts were viewed.
Manuel Dorne of the French blog Korben broke the news and posted screenshots, which were supposedly taken by an anonymous hacker going by the name of Hacker Croll, who had gained access to the account of Jason Goldman, a director of product management at Twitter. Even though the screenshots attempt to hide sensitive information such as the IP address and e-mail address of those concerned, including the Twitter administrator, it was simple to search and discover that the account was Jason Goldman’s.
The thirteen screenshots shed light on what celebrities on Twitter are doing with their accounts. The hacker was also able to add or remove the featured users that are suggested to new members when they sign up for a Twitter account.
The screenshots reveal that both Lily Allen and Ashton Kutcher had blocked celebrity gossip blogger Perez Hilton from being able to send them messages. President Barack Obama blocked 96 Twitter users. The leaked pages additionally included blacklisted user lists and configuration settings for the site.
Biz Stone released a statement following the security breach. “Password information was not revealed or altered, nor were personal messages (direct messages) viewed. Twitter takes security very seriously so we will be conducting a thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data.”
Twitter said it has contacted those users whose accounts were compromised.
Dorne feels that Twitter’s security is still “very weak”. For instance, an attempt to log in to a Twitter administrative account at admin.twitter.com simply displays a login prompt. Twitter usernames are public, meaning that someone wanting to gain unauthorized access would merely need to figure out the password.
The hacker claimed to have accessed the account by first hacking Goldman’s Yahoo account: “One of the admins has a Yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her [sic] twitter password,” wrote Hacker Croll in a posting on an online discussion forum on Wednesday. “I’ve used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection.” Goldman confirmed this via a Tweet on the social networking site.
In January, we reported that celebrity and high-profile Twitter accounts were under attack. Back then, a hacker going by the name of GMZ used off-the-shelf password-guessing software to discover that an admin’s password was “happiness.” GMZ then used that access to hijack 33 high-profile accounts, including those of Barack Obama, Fox News and Britney Spears.
In addition to these break-ins, Twitter has been the target of a multitude of worm attacks that took advantage of vulnerabilities in the site’s web application code.
It was after the January hack that Biz Stone promised a “full security review of all access points to Twitter.”
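The two admin compromises above share a pattern: the login page is reachable by anyone, the username is public, and the only secret is a password that a dictionary tool can guess in a handful of tries. The following is an added example, not code from the article, from Twitter, or from either hacker. It simulates that online dictionary attack against a toy login service and shows how two controls change the outcome: rejecting dictionary words at registration time, and locking an account after a few failed attempts. The wordlist, usernames, passwords, lockout threshold and the `LoginService` class are all constructed here for illustration.

```python
"""Added example: a toy login service under an online dictionary attack.

Not the article's or Twitter's code. The wordlist, usernames, passwords and
lockout parameters below are constructed for illustration only.
"""
import hashlib
import hmac
import os
import time

# Constructed stand-in for an "off-the-shelf" password dictionary.
WORDLIST = ["password", "letmein", "twitter", "sunshine",
            "happiness", "qwerty", "monkey"]

# Iteration count kept low so the demo runs quickly; use far more in production.
PBKDF2_ITERATIONS = 10_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def password_is_weak(password: str, wordlist=WORDLIST, min_length: int = 8) -> bool:
    """Registration-time policy: reject short passwords and plain dictionary words."""
    return len(password) < min_length or password.lower() in {w.lower() for w in wordlist}


class LoginService:
    """Minimal login endpoint with an optional per-account lockout.

    lockout_threshold=None models the weak setting: unlimited guesses.
    """

    def __init__(self, lockout_threshold=None, lockout_seconds: float = 900.0):
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._failures = {}   # username -> (failed count, locked_until timestamp)
        self.threshold = lockout_threshold
        self.lockout_seconds = lockout_seconds

    def register(self, username: str, password: str, enforce_policy: bool = False):
        if enforce_policy and password_is_weak(password):
            raise ValueError("password is too short or a dictionary word")
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str, now: float = None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for tests."""
        now = time.time() if now is None else now
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"          # reject without even checking the password
        record = self._users.get(username)
        if record is not None:
            salt, stored = record
            if hmac.compare_digest(_hash_password(password, salt), stored):
                self._failures.pop(username, None)
                return "ok"
        count += 1
        if self.threshold is not None and count >= self.threshold:
            # Lock the account for a while; the counter resets when it reopens.
            self._failures[username] = (0, now + self.lockout_seconds)
            return "locked"
        self._failures[username] = (count, locked_until)
        return "denied"


def dictionary_attack(service: LoginService, username: str, wordlist=WORDLIST, now: float = 0.0):
    """Try each word against a known username.

    Returns (guessed_password_or_None, attempts_made). Stops as soon as the
    service locks the account, since further guesses would be wasted.
    """
    for attempts, word in enumerate(wordlist, start=1):
        result = service.login(username, word, now=now)
        if result == "ok":
            return word, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    weak = LoginService(lockout_threshold=None)
    weak.register("admin", "happiness")           # the January-style password
    print("no lockout:", dictionary_attack(weak, "admin"))

    hardened = LoginService(lockout_threshold=3)
    hardened.register("admin", "happiness")
    print("with lockout:", dictionary_attack(hardened, "admin"))

    try:
        hardened.register("admin2", "happiness", enforce_policy=True)
    except ValueError as exc:
        print("policy rejected registration:", exc)
```

With no lockout the attacker lands on “happiness” on the fifth guess; with a three-strike lockout the account is closed after three wrong guesses and the correct password is rejected until the lockout expires. Lockouts alone invite denial of service against public usernames, so a real deployment pairs them with per-IP throttling and a second factor; the registration-time wordlist check is what stops “happiness” from being a valid admin password in the first place.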
At 4:02 PM EDT today, shortly after I wrote and published this article, it once again became evident that Goldman’s account had been breached, as odd, out-of-character Tweets began to appear on my dashboard. Before Twitter suspended the account “due to suspicious activity,” I was able to capture screenshots of the following Tweets:
Goldman’s account has since been restored by Twitter, and Goldman claims that no other data was accessed: