Twitter Has Ridiculously Stupid Security Flaw

10.02.12 5 years ago 8 Comments

One of the most basic ways to crack a password is sheer brute force. Just throw every single possible iteration of a password at a site until something sticks. As processors get cheaper and faster, this becomes easier and easier. It sounds clumsy, and it is, but it works eventually.

Of course, it’s also very simple to stop: Websites just block any attempt to log in to an account after a certain number of attempts. Easy, right? Yep, very easy. Most sites do it. But not, apparently, Twitter.

No, Twitter has managed to screw up this very basic security flaw, as Daniel Dennis Jones, a formerly obscure Twitter member named Blanket, found out.

On Saturday Jones got an email that his password had been changed. Needless to say, he hadn’t changed it, and discovered that he’d been hacked, along with other users who had short handles such as Captain, and that their accounts were for sale on noted Internet slag pit ForumKorner. ForumKorner is pretty much where self-proclaimed “hackers” go to sell the accounts they steal, obviously believing anybody who’s password they crack is completely unable to use Google.

Ultimately, what Jones uncovers is pretty pathetic: A bunch of teenagers, stealing Twitter handles to make some money and impress women, as it turns out some teenage girl wanted @blanket. Jones, if you’re wondering, did get his handle back.

Still, this shouldn’t have happened. It turns out Twitter only blocks multiple attempts by IP address, which is fairly easy for even your mom to get around if she’s motivated enough. So, you might want to tweak your password, make it more secure. Otherwise, you may find your handle stolen by somebody who thinks it’s the key to getting him to second base.

Around The Web