
Twitter Security Collapses; Obama, Fox and Britney Accounts Hacked - qhoxie
http://www.readwriteweb.com/archives/twitter_security_collapses_oba.php
======
mattmcknight
Apparently it was the Twitter admin help desk application that was hacked.
It's been taken offline. The phishing was separate.

"It will be good for the people calling for more secure, standards based
authentication on Twitter and elsewhere around the web." [from article]

"it is important to note that OAuth would not have prevented either of these
attacks" [from Twitter]

I see the point for OAuth third party applications, but that's not the attack
vector here. That's just free association. What more secure authentication do
people want? Client certificates? Dongles?

~~~
gojomo
Do you have a link on the help-desk-app angle?

One of my guesses would have been updates via SMS. I've read it's easy to
forge caller ID; if it's as easy to forge an SMS origin-number, and you knew
these accounts were set up to allow updates via SMS from a certain number...
voila!

~~~
cscott
Here's the info on the compromised support tools:

<http://blog.twitter.com/2009/01/monday-morning-madness.html>

------
biohacker42
Oh the tiny, tiny drama!

~~~
seldo
Jokes aside, this is a huge deal for Twitter. Unless they can prove that these
guys did something like get phished, their professed monetization strategy of
corporate twitter accounts could run into real trouble.

~~~
mtw
It strikes me that Twitter has acute technology problems. Remember the
scalability problems last year? Now this security issue. FriendFeed, in
contrast, has none of these issues.

~~~
johns
FriendFeed has none of the issues and does not have the critical mass to draw
the sort of high-profile attention the defacers were seeking. Given enough
scale, FriendFeed will have its share of issues.

~~~
biohacker42
I can believe the "True geometric growth is hard to deal with period."
argument when it comes to downtime.

But what does scale have to do with security?

~~~
wmf
More users -> more attackers -> more holes found.

~~~
Herring
Attackers can only find holes that are there to begin with.

~~~
wmf
There are always holes.

~~~
Herring
Some architectures are more resistant than others. I suppose you could break
into some air gapped military computers -- if you had a nuke.

Why are we even discussing this?

~~~
sanswork
Or someone on your payroll on the inside.

~~~
Herring
Well, that's universal. You can't exactly protect against someone who's also
supposed to hold the keys to the system. It's more a feature than a bug.

------
martythemaniak
For posterity's sake, it should be noted that the Gelgamek vagina is typically
3 feet wide, not 4 feet.

[http://en.wikipedia.org/wiki/List_of_fictional_South_Park_sp...](http://en.wikipedia.org/wiki/List_of_fictional_South_Park_species#Gelgameks)

------
wesley
This might finally push Twitter to use something like OAuth. I predict they
will launch it by next week and it will be required by every third-party app.

~~~
mtw
Explain to me how OAuth would have prevented this? There's no indication that
the attack was using a third-party app.

~~~
evgen
It would not have prevented this, but by jumping on another tangentially
related bandwagon the Twitter folks probably figure that they can distract
everyone from the real problem and get ahead of the curve on credentials and
authentication for the third-party ecosystem that is starting to develop
around Twitter.

~~~
maneesh
You make it sound like an episode of 'The West Wing.' I think that they will
spend more time trying to solve their actual security issues than trying to
distract from the problem.

