Latest Twitter hack highlights TwitPic weakness

The account of pop star Britney Spears was compromised by an attack via third party website, TwitPic. In a tasteless stunt that was seen by her two million followers, someone posted the following message to Spears’s Twitter stream earlier today:

The picture on Britney Spears’s TwitPic account and the fake post to Twitter have since been deleted.

The fake story of Britney’s death was posted to her Twitter followers via the TwitPic service, which automatically forwards messages to the associated Twitter account. There are a number of ways in which messages can be posted on TwitPic, including sending a picture to a unique email address. It is thought that hackers used this method to post the fake message, which would have involved cracking a four digit PIN code.

Following the attack on Spears’s account, TwitPic announced that it has fixed a vulnerability with its email posting functionality.

Source: Sophos