Twitter needs a top-down security rethink

ID THREATPOST:9893F54281E918460329F2C8AF58E48E
Type threatpost
Reporter Ryan Naraine
Modified 2013-04-17T16:39:16


Twitter co-founder Biz Stone says the company “takes security very seriously,” but the details behind the micro-blogging site’s recent hack show that Twitter is light years away from having the most basic security controls in place.

[ French hacker gains access to Twitter’s admin panel ]

Here’s the French hacker describing how he broke into Twitter’s admin interface:

I’ve used social engineering only, no exploit, no XSS vulnerability, no backdoor, no SQL injection

And here’s another doozy:

One of the admins has a Yahoo account. I’ve reset the password by answering the secret question. Then, in the mailbox, I have found her Twitter password.

As it turns out, the Twitter admin who had his Yahoo mail hijacked via the secret question was Jason Goldman, who tweeted about it several times.

This isn’t the first time a stray Twitter admin’s password has turned into a security embarrassment, and it makes one wonder whether the company has given any thought to securing the privacy (and, sometimes, anonymity) of its growing user base.

Graham Cluley has it right:

It seems to me that Twitter’s internal security could be improved if staff were forced to log in using authentication tokens that provide a randomly generated key upon login, meaning that even if a staffer’s username and password are compromised, hackers would not be able to gain access.

Hopefully, the plans for a Twitter security team go further than just securing the code and eliminating XSS vulnerabilities.

Twitter needs a top-down rethink of the way security is being handled and a genuine, transparent effort at hack-proofing the service.

A security contact would also be nice.