Welcome to the SecAware blog

I spy with my beady eye ...

7 Aug 2009

Twitter admin email password reset incident

Last month a story broke about employees of the company behind Twitter being hacked. TechCrunch has published details of the incident, and the comments on their story identify some of the possible controls. In short:
- A Twitter employee uses Gmail
- Gmail has a password reset function that sends the user's password to a pre-registered email account
- The Twitter employee had originally configured Gmail to use a Hotmail email account for this
- The Hotmail account was unused for months and lapsed
- The hacker requested and obtained the same Hotmail email address [it looks like the hacker was able to guess the address, preumably it was a similar address to the Gmail account]
- The hacker told Gmail to reset and send him the Gmail account password via the Hotmail address that he now owns, which it did
- The hacker then logged on to the Twitter employee's Gmail account
- One of the emails he could now access was the original "Welcome to Gmail" type notice with the original password, so the hacker was able to reset the Gmail password back to the one the real user knew, before the real user noticed it had been changed
- Through information disclosed between Twitter employees by email, and by guessing his passwords to other Web systems, the hacker obtained a further bunch of confidential information including access to the email accounts of senior Twitter execs
- The hacker eventually disclosed the hack to the news media for some reason, causing public embarrassment to Twitter and fears about their evident insecurity

No comments:

Post a Comment