

Twitter's explanation regarding the hijacked accounts - vaksel
http://www.techcrunch.com/2009/01/05/twitter-gets-hacked-badly/

======
tptacek
"Not ready for prime time" because someone found a flaw in an admin tool? This
is naive. For most of what TechCrunch _does_ consider "ready for prime time",
there's no assurance that similar flaws don't exist. What has Yammer,
Arrington's "can't live without it" enterprise Twitter clone, done to address
this problem?

~~~
pmjordan
From the comments:

 _"Josh Walsh":_ TechCrunch hasn't ever been compromised in some way?

 _Arrington:_ not like this. plus, we’re a BLOG.

well, if that's not an admission by Arrington that Twitter _is_ a big deal...

~~~
tptacek
TechCrunch runs WordPress. I feel like it's pretty safe to say that they've
been compromised in ways Arrington isn't ready to think about yet.

------
anotherjesse
From Twitter:

"We plan to release a closed beta of the open authentication protocol, OAuth
this month but it's important to note that this would not have prevented a
Phishing scam nor would it have prevented these accounts from being
compromised."

I have several friends who work at twitter, but I'm sorry, I have to disagree.

The fact that they use http auth for api access means that hundreds (or
thousands) of people have had admin credentials with which they can go in and
wreak havoc, doing exactly what we have seen today.

I like to integrate admin control into the normal site, so my lesson from this
is: make it so the admin-only portions of the page appear only when you are
viewing through a VPN...

It isn't quite 2 factor (2 passwords - vpn then site - is equivalent to 1
password) but it makes it so intruders have to jump through two hoops (of
which the VPN is normally harder to do).
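
One way to implement the lesson above in a web app's request handling, as an added example that is not part of the thread: admin paths are hidden from anyone not coming in over the VPN, and even on the VPN they only open for an interactive admin session, never for the HTTP-auth API credentials a third-party client would be holding. The VPN range, the `/admin` prefix and the `principal` dict shape are assumptions for the snippet.

```python
import ipaddress
from typing import Optional

# Constructed values: the VPN range and admin prefix are assumptions for this
# example, not any real deployment's layout.
VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/24")]
ADMIN_PREFIX = "/admin"


def client_is_on_vpn(remote_addr: str) -> bool:
    """True if the TCP peer address falls inside a VPN range.

    Checks the socket peer address, not X-Forwarded-For: a client can set
    that header to anything, so it must not decide admin access unless a
    trusted proxy in front of the app overwrites it.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in VPN_NETWORKS)


def authorize(path: str, remote_addr: str, principal: Optional[dict]) -> int:
    """Return an HTTP status for a request: 200 allowed, 404 hidden, 403 denied.

    principal is the authenticated identity, shaped (by assumption) like
    {"user": "alice", "via": "session" | "api_basic", "admin": bool}.
    Admin paths are served only to VPN peers, and only when the identity was
    established by an interactive login session: credentials presented as
    HTTP Basic auth for the API never unlock them, so a leaked or stored API
    password cannot reach the admin tool.
    """
    if not path.startswith(ADMIN_PREFIX):
        return 200
    if not client_is_on_vpn(remote_addr):
        return 404  # off-VPN clients cannot even tell the path exists
    if principal is None or principal.get("via") != "session":
        return 403
    if not principal.get("admin"):
        return 403
    return 200
```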

~~~
tptacek
I agree that management applications should always be out-of-band, but what do
third-party applications have to do with the internal applications Twitter's
support team uses to handle email address resets?

~~~
anotherjesse
the "internal application" is <http://twitter.com/admin> and inline admin
controls on the normal pages.

they might have more but in the past when twitter employees have shown
screenshots at talks that is what they use.

~~~
tptacek
Yeah, what I'm not following is what this has to do with OAuth and third-party
applications.

~~~
anotherjesse
Any admin user who uses a 3rd party app has to give their full credentials
(username/password) to the service.

And they have to store them in plain text.

So if either: they are malicious, or they are attacked, the credentials are
lost.

I'm also assuming (not blindly) that the twitter admins use/tryout many of the
tools.

~~~
tptacek
So that's a good point. Even if their admin tools needed to be in-band, it's
messed up if people are using the same creds to administer Twitter as they are
using the service or messing with third-party apps. We don't have any
evidence that this is the case, but it's a good lesson to keep in mind.
Thanks.

