January 9, 2009
Social Networking Abuse – Twitter Hack on YouTube
The embedded video below shows teenage hacker CMZ walking through his attack on Twitter using a brute-force password attack. CMZ exploited the fact that Twitter did not put time-outs on login attempts by running a series of dictionary attacks against the admin's account until he correctly determined the password as ‘Happiness’. The admin's details were posted on digitalgangster and were then used to send spam through the Barack Obama and Britney Spears accounts.
This kind of brute-force attack, carried out by a teenager with a guessed user name and a password generator, should send chills down the spine of any company that thinks a user name and password are sufficient to keep its crown jewels safe.
Device intelligence and device identification can't fix bad admin security practice, but many social networks are now turning to the device as a form of transparent two-factor authentication: to determine whether an account is being accessed from an unauthorized computer, or to detect when the same computer is accessing multiple unrelated accounts.
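As an added example (not from the post, and not Twitter's code), here are the two controls the post points to, written as a small Python sketch with a constructed user store: a per-account failure window with a lockout, which is the time-out Twitter lacked, and a device-to-account tally that flags one device logging into several unrelated accounts. The thresholds, the class and function names and the in-memory store are assumptions for illustration.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5              # failed attempts per account within WINDOW before lockout
WINDOW = 300                  # seconds over which failures are counted
LOCKOUT = 900                 # seconds the account stays locked (the time-out Twitter lacked)
MAX_ACCOUNTS_PER_DEVICE = 3   # distinct accounts one device may log into before review

class LoginGuard:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)        # account -> timestamps of recent failures
        self.locked_until = {}                   # account -> time the lockout expires
        self.device_accounts = defaultdict(set)  # device_id -> accounts seen on that device

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0)

    def record_failure(self, account):
        now = self.clock()
        recent = [t for t in self.failures[account] if now - t < WINDOW]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:         # a dictionary run hits the ceiling: lock out
            self.locked_until[account] = now + LOCKOUT
            self.failures[account] = []
            return "locked"
        self.failures[account] = recent
        return "failed"

    def record_success(self, account, device_id):
        self.failures.pop(account, None)
        self.device_accounts[device_id].add(account)
        if len(self.device_accounts[device_id]) > MAX_ACCOUNTS_PER_DEVICE:  # one device, many accounts
            return "review"
        return "ok"

# Constructed credential store for the demo; not real accounts or passwords.
USERS = {"admin": "Happiness", "alice": "pw-a", "bob": "pw-b", "carol": "pw-c", "dave": "pw-d"}

def check_password(account, password):
    # Constant-time comparison; a real system would compare password hashes, not plaintext.
    return hmac.compare_digest(USERS.get(account, ""), password)

def attempt_login(guard, account, password, device_id):
    # Refuse locked accounts before checking the password, then record the outcome.
    if guard.is_locked(account):
        return "locked"
    if check_password(account, password):
        return guard.record_success(account, device_id)
    return guard.record_failure(account)
```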
Posted by Alisdair Faulkner. Categories: Account Compromise, Device Identification, Social Networks, Web Application Security