Twitter Authentication Flaw Helps Crooks Take Over Popular Handles
If you own a short or otherwise desirable Twitter username, change your password to a strong one before you finish reading this story. According to veteran Twitter user Daniel Dennis Jones, known as @blanket, an authentication flaw in Twitter's login system makes it easy for criminals to brute-force a Twitter password with no effective limit on the number of attempts.
Jones noticed the flaw when he received a notification from Twitter that his password had been changed. When he tried to log in to the micro-blogging platform with his credentials, he found his password had been changed by an unknown party. To add insult to injury, his username had also been replaced with an obscene handle.
“Twitternames that would have high value due to brevity: @hah, @captain, @craves, @abound, @grinding, [were] all cracked/stolen,” Jones wrote on Twitter. The series of attacks against these handles appears to be financially motivated, as the usernames were later offered for sale at prices between $60 and $100. “By chasing tweets I find @blanket & others are being pimped at a site called forumkorner,” Jones continued.
It appears the attack exploited a basic security control that Twitter implemented the wrong way: restricting logins after a number of failed attempts. To slow down brute-force attacks, login pages limit how many passwords an attacker can try. Once that limit is exceeded, the web application either locks the account for some minutes or hours, or adds a challenge (such as a CAPTCHA) to stop automated tools.
However, Twitter's implementation only counted failed attempts per source IP address, not per target account. An attacker who switches to a new IP address gets a fresh allowance of attempts and can resume guessing against the same account right away, so the limit never actually constrains the total number of guesses.
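To make the difference concrete, here is an added, simplified model of the two rate-limiting designs; it is illustrative code written for this article, not Twitter's code, and the limits (five failures per 15-minute window), the handle, the IP pool and the password list are all made up for the simulation. The weak limiter counts failures only per source IP, as the flawed implementation described above did; the hardened one also counts failures against the target account, so rotating addresses no longer resets the budget.

```python
from collections import defaultdict

MAX_FAILURES = 5          # failures allowed before the challenge/lockout kicks in (assumed value)
WINDOW_SECONDS = 15 * 60  # sliding window for counting failures (assumed value)


class PerIpLimiter:
    """Weak design: failed logins are counted only per source IP address."""

    def __init__(self):
        self.by_ip = defaultdict(list)  # ip -> timestamps of recent failures

    def _recent(self, key, now):
        self.by_ip[key] = [t for t in self.by_ip[key] if now - t < WINDOW_SECONDS]
        return len(self.by_ip[key])

    def allow(self, ip, username, now):
        # The target account is ignored entirely; a new IP starts from zero.
        return self._recent(ip, now) < MAX_FAILURES

    def record_failure(self, ip, username, now):
        self.by_ip[ip].append(now)


class PerIpAndAccountLimiter:
    """Hardened design: failures are counted per source IP and per target
    account, so changing IP does not buy the attacker a fresh allowance."""

    def __init__(self):
        self.by_ip = defaultdict(list)
        self.by_account = defaultdict(list)

    @staticmethod
    def _recent(bucket, key, now):
        bucket[key] = [t for t in bucket[key] if now - t < WINDOW_SECONDS]
        return len(bucket[key])

    def allow(self, ip, username, now):
        return (self._recent(self.by_ip, ip, now) < MAX_FAILURES
                and self._recent(self.by_account, username, now) < MAX_FAILURES)

    def record_failure(self, ip, username, now):
        self.by_ip[ip].append(now)
        self.by_account[username].append(now)


def simulate_attack(limiter, username, guesses, ips, now=0):
    """Brute-force one account with a list of (all wrong) guesses, rotating to
    the next IP in the pool whenever the current one is blocked.
    Returns how many guesses the limiter actually let through."""
    delivered = 0
    ip_idx = 0
    for _guess in guesses:
        for _ in range(len(ips)):            # look for an IP that is still allowed
            ip = ips[ip_idx % len(ips)]
            if limiter.allow(ip, username, now):
                break
            ip_idx += 1                      # blocked: rotate to the next address
        else:
            return delivered                 # whole pool is locked out; give up
        delivered += 1
        limiter.record_failure(ip, username, now)
        now += 1                             # one guess per second, well inside the window
    return delivered


if __name__ == "__main__":
    # Constructed sample input: a 100-word guess list and a pool of four attacker IPs.
    wordlist = [f"password{i}" for i in range(100)]
    pool = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
    print("per-IP only:       ", simulate_attack(PerIpLimiter(), "blanket", wordlist, pool))
    print("per-IP + account:  ", simulate_attack(PerIpAndAccountLimiter(), "blanket", wordlist, pool))
```

With four addresses the per-IP limiter lets 20 guesses through (five per address), and every extra address adds five more, which is exactly the bypass the article describes; the per-account limiter stops at five no matter how many addresses the attacker controls. The caveat a practitioner should keep in mind is that a hard per-account lockout hands an attacker a way to lock the real owner out, so the account-level response should normally be a step-up challenge such as a CAPTCHA rather than a time-based freeze.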
Since there is no word on when or whether Twitter will fix the flaw, the best thing Twitter users can do is choose a long, strong password that is neither a dictionary word nor a simple variation of one.