Twitter account hijacking exposes easy-to-exploit security flaw
The hijacking of the Twitter account that belongs to user Daniel Dennis Jones and his subsequent investigation into the matter has revealed a Twitter security weakness that makes it easy for hackers to do the same to all users that employ short and uninventive passwords, reports BuzzFeed.
Over the weekend Jones – an early Twitter adopter who managed to snag himself the @blanket Twitter account – was unpleasantly surprised when he received an email from Twitter telling him his password had been changed.
He verified the claim by trying to log into his account via his computer and discovered it was true. But, as he was still logged in on his phone, he was able to check what was happening to his account.
Luckily for him, no other changes had been made, except that the hacker had changed the account name to something vulgar.
Receiving no immediate help from Twitter, Jones searched the web for accounts of similar incidents happening to other users, and discovered that users with short, desirable usernames are often targeted by hackers.
He also found that someone who claimed to be the hacker was trying to sell the @blanket account and another one for at least $100 each on a gaming forum.
A search of the forum revealed that hackers do have a thing for hijacking Twitter accounts with single-word usernames, which they then attempt to sell for small sums or gift to friends.
An impromptu talk with another hacker via Twitter revealed that social engineering is sometimes used to trick users into sharing their Twitter login information, but that hackers often prefer brute-forcing the accounts.
Users often use short and common passwords, and the hackers use programs that repeatedly try to guess them. This would not usually present a problem as many other online services block automated and incessant login attempts to a single account but, according to the hackers, Twitter doesn’t do it as long as the attempts come from different IP addresses.
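As an added illustration (not from the article, and not Twitter's code), the script below runs two sliding-window failure counters over constructed login-failure records: one keyed on source IP, as the hackers describe Twitter doing, and one keyed on the targeted account. The IP addresses, account names, thresholds and window are assumptions.

```python
from collections import defaultdict, deque

# Constructed failed-login events: (epoch seconds, account, source IP).
# An attacker rotating through 20 addresses, one guess each, against
# "blanket", plus a legitimate user mistyping twice from one address.
FAILED_LOGINS = (
    [(1000 + i, "blanket", f"203.0.113.{i}") for i in range(20)]
    + [(1005, "alice", "198.51.100.7"), (1009, "alice", "198.51.100.7")]
)

THRESHOLD = 5      # failures tolerated inside the window before throttling
WINDOW = 60        # sliding window length in seconds


def throttled_keys(events, key_index):
    """Return the set of keys (IPs or accounts) that exceed THRESHOLD
    failures within any WINDOW-second sliding window. key_index selects
    the event field to count on: 1 = account, 2 = source IP."""
    recent = defaultdict(deque)
    flagged = set()
    for event in sorted(events):
        ts, key = event[0], event[key_index]
        q = recent[key]
        q.append(ts)
        # drop failures that have fallen out of the sliding window
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > THRESHOLD:
            flagged.add(key)
    return flagged


def per_ip_throttle(events):
    """What a per-source-IP limiter sees: every address stays under threshold."""
    return throttled_keys(events, key_index=2)


def per_account_throttle(events):
    """What a per-account limiter sees: the targeted account is far over it."""
    return throttled_keys(events, key_index=1)


if __name__ == "__main__":
    print("per-IP throttle flags:     ", per_ip_throttle(FAILED_LOGINS))       # set()
    print("per-account throttle flags:", per_account_throttle(FAILED_LOGINS))  # {'blanket'}
```

A per-account counter on its own lets anyone lock a victim out by deliberately failing logins against their name, so in practice it triggers a step-up (CAPTCHA, second factor, or a delay) rather than a hard lockout.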
Jones admits that he was partially to blame for the hijacking, as he didn’t use a strong password. Still, if the hacker’s claim is true, it seems that Twitter should make some badly needed changes in its login process.
Jones has since had his username restored by Twitter, but no comment has yet been received from the micro-blogging service.