Anatomy of the Twitter Attack

TechCrunch has a riveting account of how Twitter’s security was compromised. It’s a salutary tale of how an ecosystem of Web 2.0 services contains holes that an astute and tireless attacker can exploit. The Summary reads:

1. HC [Hacker Croll, the culprit] accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.

2. HC then read emails to guess what the original Gmail password was successfully and reset the password so the Twitter employee would not notice the account had changed.

3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.

4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.

5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text.

6. Even at this point, Twitter had absolutely no idea they had been compromised.

What could have happened next is that Hacker Croll could have used or sold this information for profit. He didn’t do that, and says he never intended to. All he wanted to do, he says, was to highlight the weaknesses in Twitter’s data security policies and get them and other startups to consider more robust security measures.

It’s made me think hard about the approach I take to granting access to Web 2.0 services.