Twitter Hacker Abused Yahoo to Get Administrative Access

 
 
By Brian Prince  |  Posted 2009-04-30
 
 
 

A French hacker reportedly used social engineering to get Twitter administrative access and posted screenshots of data belonging to several high-profile celebrities.

The hacker, operating under the handle of Hacker Croll, posted 13 screenshots of Twitter's admin panel. The screenshots include internal data for accounts belonging to a number of high-profile figures, including Ashton Kutcher, Britney Spears and President Barack Obama.

Officials at Twitter have not yet responded to requests for comment. Still, indications are that the screenshots are legitimate and that the attacker may have hacked into an administrator's account by first breaking into that person's Yahoo account and stealing his or her Twitter password.

In a post in an online forum, the confessed hacker said he used social engineering only-"no exploit, no XSS vulnerability, no backdoor, no sql injection." The hacker wrote:

One of the admins has a yahoo account, i've reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password.

The reported hack follows a wave of worm attacks against Twitter earlier in April. In that case, the worm was more of an annoyance for users and is not thought to have caused any actual harm beyond sending spam.

Enterprises are increasingly worried about the impact social networking sites like Twitter, Facebook and LinkedIn can have on their security. According to an online poll conducted by Sophos, 63 percent of the 709 respondents worry employees put corporate data at risk by sharing too much personal information via their social networking profiles. The poll also found a quarter of the respondents' businesses have been the victim of spam, phishing or malware attacks via sites such as Twitter, Facebook, MySpace and LinkedIn.

Facebook was just hit with a phishing scam earlier the week of April 27 that attempted to trick users into giving up their Facebook credentials. The scam begins when users receive a message with the subject "Look at this!" that contains a malicious link. If users click the link, they are redirected to a spoofed log-in page.

Sophos advises organizations to make sure all employees are aware of the impact that their actions could have on the corporate network and consider filtering access to certain social networking sites at specific times. In addition, businesses should review their settings regularly to ensure that users are only sharing work-related information with trusted parties.

"By adopting a more holistic approach-including investment in greater security and control solutions, as well as offering comprehensive user education-organizations will be better equipped to deal with social networking risks," Graham Cluley, senior technology consultant at Sophos, wrote on a blog.

Rocket Fuel