Twitter Hacked Again, this Time with Help from Hotmail

When a hacker calling himself Hacker Croll broke into an administrative assistant's e-mail account, he used it to collect information that gave him access to the employee's Google Apps account. Twitter staff use the corporate version of Google Apps to share documents and other information within the company.

Apparently the hacker used a feature of Microsoft's Hotmail to hijack the employee's work e-mail account. TechCrunch, the web site that broke the story last week, reported that the hacker took advantage of poor password practices, Hotmail's inactive account feature and personal information available on the Internet in order to steal hundreds of Twitter documents. TechCrunch persuaded Hacker Croll to reveal the details of the attack.

How did this process begin?

It began with the personal Gmail account of the administrative assistant working at Twitter. As with many other web applications, the personal edition of Gmail has a password recovery function that presents a user with a number of challenges to prove their identity so that their password can be reset. On requesting a password recovery, Hacker Croll got a lucky break when Gmail informed him that an e-mail had been sent to the user's secondary e-mail account. Through some rather simple guesswork, Hacker Croll deduced that this secondary account was hosted at Hotmail.com.

At Hotmail, Hacker Croll once more attempted the password recovery procedure, making an educated guess at the username based on the research he had done on this employee and others working at Twitter, digging through the Internet for likely answers. It is at this point that Hacker Croll discovered that the account specified as the secondary for Gmail and hosted at Hotmail was no longer active. This is due to a policy at Hotmail under which old and dormant accounts are removed and their addresses recycled, so the address could simply be registered again.

After registering the account and re-requesting the password recovery function from Gmail, Hacker Croll found himself with access to the personal Gmail account of a Twitter employee. Well-designed web applications never simply give users their password if they forget it; they force the user to pick a new one, and that is what Hacker Croll had to do. In order not to alert the account owner that the account had been compromised, however, he would have to somehow discover what the original Gmail password was and set it back.

This is where a bad password habit comes into play. Most of us are guilty of it: using the same password everywhere we go. Hacker Croll found an e-mail sent to the account owner by some random web service the user had subscribed to, and it contained the user's password in clear text. This particular password turned up more than once in similar e-mails. Hacker Croll could now make a safe assumption that the same password was also used for the Gmail account.

From here, Hacker Croll managed to access the user's work e-mail account, hosted on Google Apps for Domains. It seems that this employee (and in fact several others working at Twitter) used the same password for his work e-mail as for his personal Gmail account. From that moment on, Hacker Croll's intrusion spread like wildfire. Using the single personal Gmail account he had gained access to as a starting point, he eventually compromised a number of accounts on a number of different services both inside and outside of Twitter.
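Two of the steps described above leave traces in an account provider's own audit log: a reset routed to a secondary address that nobody has re-verified for a long time, and a password that is changed and then changed again shortly afterwards (the attacker putting the original back). The following detector is an added example, not code from the page or from Google, Hotmail or Twitter; the log format, the event names and the thresholds are assumptions, and the log lines are constructed.

```python
"""Detect the recovery-chain pattern in a (constructed) account audit log."""
from datetime import datetime, timedelta

STALE_SECONDARY = timedelta(days=180)   # assumed policy: re-verify recovery addresses
REVERT_WINDOW = timedelta(hours=2)      # two password changes this close is suspicious

# Constructed audit log: (ISO timestamp, account, event, detail).
AUDIT_LOG = [
    ("2008-11-01T10:00:00", "assistant", "secondary_verified", "assistant@hotmail.example"),
    ("2009-07-14T09:02:00", "assistant", "reset_requested", "via:secondary"),
    ("2009-07-14T09:40:00", "assistant", "password_changed", "via:reset"),
    ("2009-07-14T10:15:00", "assistant", "password_changed", "via:settings"),
    ("2009-07-14T11:00:00", "ceo", "password_changed", "via:settings"),
]


def parse(log):
    """Turn the raw tuples into (datetime, account, event, detail)."""
    return [(datetime.fromisoformat(ts), acct, ev, d) for ts, acct, ev, d in log]


def detect(log):
    """Return (account, reason) alerts for stale-secondary resets and quick reverts."""
    events = sorted(parse(log))          # chronological order
    alerts = []
    last_verified = {}                   # account -> when its secondary was last confirmed
    last_change = {}                     # account -> time of its last password change
    for ts, acct, ev, detail in events:
        if ev == "secondary_verified":
            last_verified[acct] = ts
        elif ev == "reset_requested" and detail == "via:secondary":
            verified = last_verified.get(acct)
            # A recovery address that was never confirmed, or confirmed long ago,
            # may have been recycled to someone else in the meantime.
            if verified is None or ts - verified > STALE_SECONDARY:
                alerts.append((acct, "reset via stale or never-verified secondary address"))
        elif ev == "password_changed":
            prev = last_change.get(acct)
            # A change followed quickly by another change looks like a revert
            # meant to hide the first one from the legitimate owner.
            if prev is not None and ts - prev <= REVERT_WINDOW:
                alerts.append((acct, "password changed twice within revert window"))
            last_change[acct] = ts
    return alerts


if __name__ == "__main__":
    for acct, reason in detect(AUDIT_LOG):
        print(f"ALERT {acct}: {reason}")
```

On the constructed log the assistant's account raises both alerts and the second account raises none, since a single password change on its own is normal activity.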

Once Hacker Croll had access to the employee's Twitter e-mail account hosted by Google, he was able to download e-mail attachments containing sensitive information, including more usernames and passwords. He quickly took over the accounts of at least three senior executives, including Twitter's CEO, Evan Williams, and one of its co-founders, Biz Stone. Searching their e-mail attachments yielded an abundance of further sensitive data.

Hacker Croll soon spread outward from here, accessing AT&T for phone logs, Amazon for purchasing history, MobileMe for more personal e-mails and iTunes for full credit card information. In the end, when Hacker Croll had finished his widespread infiltration, he had managed to obtain enough personal and work information on important Twitter executives to make their lives miserable. Even at this point, Twitter had absolutely no idea they had been compromised.

What were Hacker Croll's intentions after accomplishing this process?

According to TechCrunch, all Hacker Croll intended to do was highlight the weaknesses in Twitter's data security policies and get Twitter and other start-up companies to consider stronger security measures. This may very well be true: he could have sold the information he had gained for a profit, and he has not done so. Instead, the documents he acquired through his incursion into Twitter were sent to multiple web sites, including TechCrunch, in order to prove his worth.

Twitter has threatened legal action against the sites, including TechCrunch, that have published the stolen documents, but legal experts warned last week that it was hard to predict whether it would succeed.