Sunday, July 19, 2009

Lessons learned in Twitter document leak fiasco

Last week social media was dominated by the Twitter document security issue. TechCrunch received some confidential Twitter documents and screenshots. Immediately after the news broke, the blogosphere started speculating about the cause of the attack. As time passed, TechCrunch was able to convince the attacker to enter into a dialog and extracted some information from him.

Summary of how the attack really happened (from TechCrunch):

1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.

2. HC then read emails to guess what the original Gmail password was successfully and reset the password so the Twitter employee would not notice the account had changed.

3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.

4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.

5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text.

6. Even at this point, Twitter had absolutely no idea they had been compromised.


While you can read the full post from TechCrunch here, what did we really learn from the whole episode?

It is time to repeat those well-known statements.

1. Never use the same password for different accounts.
2. Do not rely on password recovery questions.
3. If you have a Gmail account, use the password recovery option through text messaging.
4. Do not set a password which can easily be guessed. This is particularly important since so much personal information about us is readily available on the web.
5. If you cannot do the above for all your accounts, at least keep very different passwords for your primary active accounts and change them regularly.
6. Immediately delete the clear-text passwords that some service providers email to you when you open an account.

One thing comes to my mind at this stage: what if the web mail providers forced users to change their passwords at regular intervals? (We do the same thing with our corporate accounts.)

There is an interesting statement from TechCrunch about cloud services after this attack:
Cloud services are convenient and cheap, and can help a company grow more quickly. But security infrastructure is still nascent. And while any single service can be fairly secure, the important thing is that the ecosystem most certainly is not.
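To make that ecosystem point concrete, here is an added example (my own, not code from the post or from TechCrunch) that models a person's accounts as a graph: an edge runs from any mailbox that receives another account's reset link to that account, and between any two accounts that share a password. A breadth-first search from a single foothold, such as the expired, re-registrable secondary mailbox in step 1 above, shows how far that foothold reaches; running the same search over a set that follows the lessons above shows how much smaller the damage becomes. All account names, password fingerprints and recovery links are constructed for the illustration.

```python
"""Blast-radius model for chained account takeover.

Added example, not code from the original post or from TechCrunch.
Account names, password fingerprints and recovery links are constructed
to mirror the shape of the chain the post describes: an expired secondary
mailbox anyone can re-register, a primary mailbox whose reset link goes
there, and one password reused across unrelated services.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    name: str
    # Opaque stand-in for a password hash; two accounts with the same
    # fingerprint share a password.  Never keep plaintext here.
    password_fingerprint: str
    recovery_email: Optional[str] = None   # account that receives reset links
    reset_via_email: bool = True           # service honours reset-by-link
    registrable: bool = False              # expired address anyone can claim


def _password_groups(accounts: List[Account]) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = {}
    for a in accounts:
        groups.setdefault(a.password_fingerprint, []).append(a.name)
    return groups


def build_edges(accounts: List[Account]) -> Dict[str, Set[str]]:
    """Directed edges: controlling `src` is enough to take over `dst`."""
    by_name = {a.name: a for a in accounts}
    edges: Dict[str, Set[str]] = {a.name: set() for a in accounts}
    # Recovery link: whoever reads the recovery mailbox can reset the account.
    for a in accounts:
        if a.reset_via_email and a.recovery_email in by_name:
            edges[a.recovery_email].add(a.name)
    # Password reuse: one recovered password opens every account sharing it.
    for names in _password_groups(accounts).values():
        for src in names:
            edges[src].update(dst for dst in names if dst != src)
    return edges


def blast_radius(accounts: List[Account], start: str) -> Set[str]:
    """Every account an attacker can reach from `start`, excluding `start`."""
    edges = build_edges(accounts)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def footholds(accounts: List[Account]) -> List[str]:
    """Accounts an outsider can take over without any credential at all."""
    return [a.name for a in accounts if a.registrable]


def reused_passwords(accounts: List[Account]) -> List[List[str]]:
    """Groups of accounts sharing one password (the reuse the post warns about)."""
    return [sorted(n) for n in _password_groups(accounts).values() if len(n) > 1]


# Constructed sample: the shape of the chain in the post, not real data.
SAMPLE = [
    Account("old-hotmail", "fp-h0", registrable=True),
    Account("personal-gmail", "fp-p1", recovery_email="old-hotmail"),
    Account("work-gapps", "fp-p1", recovery_email="personal-gmail"),  # reused
    Account("itunes", "fp-p1"),                                        # reused
    Account("bank", "fp-b9", recovery_email="personal-gmail"),
    Account("forum", "fp-f7"),  # unique password, no recovery link: unreachable
]

# The same accounts after applying the lessons: no reuse, live recovery channel.
HARDENED = [
    Account("phone-sms", "fp-s2"),  # recovery by text message; nothing to re-register
    Account("personal-gmail", "fp-p1", recovery_email="phone-sms"),
    Account("work-gapps", "fp-w3", recovery_email="personal-gmail"),
    Account("itunes", "fp-i4"),
    Account("bank", "fp-b9", recovery_email="personal-gmail"),
    Account("forum", "fp-f7"),
]

if __name__ == "__main__":
    for label, accts in (("before", SAMPLE), ("after", HARDENED)):
        # With no free foothold, assume the primary mailbox was lost some other way.
        for start in footholds(accts) or ["personal-gmail"]:
            print(label, start, "->", sorted(blast_radius(accts, start)))
        print(label, "reused passwords:", reused_passwords(accts))
```

In the constructed "before" set one re-registrable mailbox reaches the personal mailbox, the work mailbox, iTunes and the bank; only the account with a unique password and no recovery link stays out of reach. In the "after" set there is no free foothold at all, and even a lost primary mailbox only reaches the two accounts whose reset links it receives, which is the reduction the lessons above aim for.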

Thanks to TechCrunch for handling the story in an efficient way.
