Weak Password Brings ‘Happiness’ to Twitter Hacker
An 18-year-old hacker with a history of celebrity pranks has admitted to Monday’s hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama’s, and the official feed for Fox News.
The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he gained entry to Twitter’s administrative control panel by pointing an automated password-guesser at a popular user’s account. The user turned out to be a member of Twitter’s support staff, who’d chosen the weak password “happiness.”
Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.
“I feel it’s another case of administrators not putting forth effort toward one of the most obvious and overused security flaws,” he wrote in an IM interview. “I’m sure they find it difficult to admit it.”
The hacker identified himself only as an 18-year-old student on the East Coast. He agreed to an interview with Threat Level on Tuesday after other hackers implicated him in the attack.
The intrusion began unfolding Sunday night, when GMZ randomly targeted the Twitter account belonging to a woman identified as “Crystal.” He found Crystal only because her name had popped up repeatedly as a follower on a number of Twitter feeds. “I thought she was just a really popular member,” he said.
Using a tool he authored himself, he launched a dictionary attack against the account, automatically trying English words. He let the program run overnight, and when he checked the results Monday morning at around 11:00 a.m. Eastern Time, he found he was in Crystal’s account.
That’s when he realized that Crystal was a Twitter staffer, and he now had the ability to access any other Twitter account by simply resetting an account holder’s password through the administrative panel. He also realized he hadn’t used a proxy to hide his IP address, potentially making him traceable. He said he hadn’t used a proxy because he didn’t think the intrusion was important enough to draw law-enforcement attention, and “didn’t think it would make headlines.”
He said he decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster, a forum for hackers and former hackers, offering access to any Twitter account by request.
“I … threw the hack away by providing DG free accounts,” he said. He also posted a video he made of his hack to prove he had administrative access to Twitter.
President-Elect Barack Obama was among the most popular requests from Digital Gangster denizens, with around 20 members asking for access to the election campaign account. After resetting the password for the account, he gave the credentials to five people.
He also filled requests for access to Britney Spears’ account, as well as the official feeds for Facebook, CBS News, Fox News and the accounts of CNN correspondent Rick Sanchez and Digg founder Kevin Rose. Other targets included additional news outlets and other celebrities. Fox won the hacker popularity contest, beating out even Obama and Spears.
According to Twitter, 33 high-profile accounts were compromised in all.
GMZ doesn’t know what the reset passwords were, because Twitter resets them randomly with a 12-character string of numbers and letters.
On Monday morning, the Twitter accounts belonging to Obama, Britney Spears, FoxNews and others began sending out bogus messages.
Someone used the Obama account to send out a message urging supporters to click on a link to take a survey about the president-elect, and be eligible to win $500 in gasoline. A fake message sent to followers of the Fox News Twitter feed announced that Fox host Bill O’Reilly “is gay,” while a message from Britney Spears’ feed made lewd comments about the singer.
It was initially believed that the Twitter account hijackings were related to two phishing scams that surfaced over the weekend. But GMZ’s hack was unrelated.
Shortly after GMZ posted his original message to Digital Gangster, the site’s administrator deleted it, along with the responses from members asking for access to other accounts. But a subsequent thread on the site supports GMZ’s account of the hack.
GMZ said he didn’t access any of the high-profile accounts himself, and didn’t send out any of the bogus tweets. He thinks he was in Twitter a couple of hours before the company became aware of his access and locked him out.
Twitter co-founder Biz Stone confirmed for Threat Level that the intruder had used a dictionary attack to gain access to the administrative account, but wouldn’t confirm the name of the employee who was hacked, or the password. He also wouldn’t comment on how long the intruder was in the Twitter account resetting passwords before he was discovered.
“Regarding your other questions, I’d feel more comfortable addressing them once we’ve spoken to counsel because this is still ongoing,” he wrote Threat Level in an e-mail.
Stone said that Twitter has already been contacted by the Barack Obama campaign about the hack and has been in touch with everyone whose account was accessed by the intruders. He said Twitter had not had contact with the FBI or any other law enforcement agency.
“We’re waiting to hear back from our lawyer about what our responsibilities are about this and how to approach it,” Stone said in a separate phone interview.
As for addressing the security issues that allowed the breach, he wrote in a follow-up e-mail that the company is doing “a full security review on all access points to Twitter. More immediately, we’re strengthening the security surrounding sign-in. We’re also further restricting access to the support tools for added security.”
GMZ, who said he’s been hacking for about three years and is currently studying game development, said he conducted the dictionary attack using a script he wrote and used last November to break into the YouTube account of teen queen Miley Cyrus.
That hack gained widespread attention when someone posted a video memorial to Cyrus on the account, claiming Cyrus had died in a car accident. GMZ said a friend of his was responsible for the hoax.
GMZ said he’s used the same dictionary attack to breach the SayNow accounts of Disney star Selena Gomez and other celebrities.
After YouTube blocked his IP and patched some vulnerabilities he was exploiting, he decided “for the fun of it (curiosity and self-entertainment) I’ll pen-test Twitter.” He was “shocked to realize that there was no rate limit” to lock someone out after a specific number of failed password attempts.
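The missing control described here and in the opening paragraphs is a failed-login limit: without one, an automated guesser can try an entire dictionary against a single account overnight. The following is an added illustration from a defender's side, not Twitter's code; the account name, salt, stored password and the five-failure limit are constructed values, and the clock is injected so a rapid burst of wrong guesses can be replayed deterministically.

```python
import hashlib
import hmac
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account sliding-window failure counter with temporary lockout (clock injected for replay)."""

    def __init__(self, clock, max_failures=5, window=300.0, lockout=900.0):
        self.clock, self.max_failures = clock, max_failures
        self.window, self.lockout = window, lockout
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lockout expires

    def allow(self, account):
        """Consulted before the password is checked: a locked account gets no verification at all."""
        return self._locked_until.get(account, 0.0) <= self.clock()

    def record(self, account, success):
        """Record the outcome; max_failures inside the window locks the account for `lockout` seconds."""
        now = self.clock()
        q = self._failures[account]
        if success:
            q.clear()
            return
        q.append(now)
        while q and now - q[0] >= self.window:  # forget failures that have aged out of the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()


def simulate_burst(num_guesses, gap_seconds=0.05):
    """Replay a rapid burst of wrong guesses at one constructed account and count outcomes."""
    now = [0.0]                               # fake clock, advanced after every attempt
    salt = b"constructed-salt"                # constructed; real systems use a per-user random salt
    stored = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", salt, 50_000)

    def verify(pw):                           # constant-time compare of a salted PBKDF2 hash
        return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000), stored)

    throttle = LoginThrottle(clock=lambda: now[0])
    stats = {"verified": 0, "throttled": 0}
    for i in range(num_guesses):
        if throttle.allow("support_user"):
            stats["verified"] += 1            # only these guesses ever reach the password check
            throttle.record("support_user", verify(f"wrong-guess-{i}"))
        else:
            stats["throttled"] += 1           # rejected before any credential work is done
        now[0] += gap_seconds
    return stats
```

With the default limit, a burst of 1,000 guesses 50 ms apart gets five password checks and 995 rejections; the remaining failures never touch the credential store, which is also the point at which a defender would alert on the account and source address.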
He said he’d never even heard of Twitter until he saw someone mention it on YouTube.
Read More http://www.wired.com/threatlevel/2009/01/professed-twitt/#ixzz0tYn9LCSj