Weak Password Brings ‘Happiness’ to Twitter Hacker
January 6, 2009 – 7:31 PMAn 18-year-old hacker with a history of celebrity pranks has admitted to Monday’s hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama’s, and the official feed for Fox News.
The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he gained entry to Twitter’s administrative control panel by pointing an automated password-guesser at a popular user’s account. The user turned out to be a member of Twitter’s support staff, who’d chosen the weak password “happiness.”
Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.
“I feel it’s another case of administrators not putting forth effort toward one of the most obvious and overused security flaws,” he wrote in an IM interview. “I’m sure they find it difficult to admit it.”
The hacker identified himself only as an 18-year-old student on the East Coast. He agreed to an interview with Threat Level on Tuesday after other hackers implicated him in the attack.
The intrusion began unfolding Sunday night, when GMZ randomly targeted the Twitter account belonging to a woman identified as “Crystal.” He found Crystal only because her name had popped up repeatedly as a follower on a number of Twitter feeds. “I thought she was just a really popular member,” he said.
Using a tool he authored himself, he launched a dictionary attack against the account, automatically trying English words. He let the program run overnight, and when he checked the results Monday morning at around 11:00 a.m. Eastern Time, he found he was in Crystal’s account.
That’s when he realized that Crystal was a Twitter staffer, and he now had the ability to access any other Twitter account by simply resetting an account holder’s password through the administrative panel. He also realized he hadn’t used a proxy to hide his IP address, potentially making him traceable. He didn’t think the intrusion was important enough to draw law-enforcement attention, and “didn’t think it would make headlines.”
Source:
http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html
You must be logged in to post a comment.