Security hole exposes Twitter accounts to hacking, victim claims

A user whose account was stolen says Twitter’s password reset system is easier to circumvent than that of other services. Twitter users — especially those with desirable handles — risk having their accounts stolen, according to one recently hacked user who says there is a fundamental weakness in the way the service limits log-in attempts.

According to Daniel Dennis Jones, whose account, @blanket, was recently hijacked, Twitter’s password reset process lets an attacker mount a far wider brute-force attack against a single account than services with more restrictive systems allow.

In a lengthy write-up of his experience, Jones says he discovered that Twitter limits failed log-in attempts by source IP address rather than by target account. An attacker who controls many IP addresses (through proxies, for example) can therefore make many more guesses against one account than would be possible if Twitter locked the account after a set number of failures, or if it offered two-factor authentication as Google does.

Jones’ account hacker “used a program that repeatedly attempts to log in with common passwords,” wrote BuzzFeed in a story about his ordeal. “Most sites, including Twitter, flag or disable user accounts, or throw up a CAPTCHA, after a certain number of failed log-in attempts. But whereas many services, including Gmail, limit log-in attempts on a per-account basis, Twitter apparently only prevents large numbers of log-in attempts from the same IP address.”
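The difference between the two throttling policies is easiest to see in a simulation. The following is an added example, not code from Twitter, BuzzFeed or Jones’ write-up: a toy login service whose failure counter can be keyed on the source IP (the behaviour the article describes) or on the target account, and a constructed brute-force loop that rotates guesses across a small pool of source IPs. The account name, password list and IP addresses are all made up for the demonstration.

```python
"""Per-IP versus per-account login throttling, simulated over a constructed attack.

Added example. Everything below (the victim account, the password list, the
IP pool and the limits) is constructed for illustration only.
"""
from collections import defaultdict

# Constructed sample data: one victim account with a deliberately weak password
# that appears in the attacker's short list of common passwords.
ACCOUNTS = {"blanket": "qwerty123"}
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty123", "football"]
MAX_FAILURES = 2  # failed attempts tolerated per counter key before throttling


class LoginService:
    """Counts failed logins per key and refuses further attempts once the limit is hit.

    key_fn decides what the counter is keyed on: the source IP only (the policy
    the article attributes to Twitter) or the target account (the Gmail-style
    policy in the BuzzFeed quote).
    """

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(int)
        self.attempts_seen = 0  # attempts that reached the password check

    def login(self, account, password, src_ip):
        key = self.key_fn(account, src_ip)
        if self.failures[key] >= MAX_FAILURES:
            return "throttled"
        self.attempts_seen += 1
        if ACCOUNTS.get(account) == password:
            return "ok"
        self.failures[key] += 1
        return "bad_password"


def by_ip(account, src_ip):
    """Per-IP policy: all accounts share one counter per source address."""
    return src_ip


def by_account(account, src_ip):
    """Per-account policy: one counter per target account, whatever the source."""
    return account


def brute_force(service, account, ip_pool):
    """Try each common password; if a source IP is throttled, retry from the next one.

    Returns the recovered password, or None if every IP in the pool is throttled
    before the list is exhausted.
    """
    for guess in COMMON_PASSWORDS:
        for ip in ip_pool:
            result = service.login(account, guess, ip)
            if result == "ok":
                return guess
            if result == "bad_password":
                break  # the guess itself was wrong; move on to the next password
        else:
            return None  # every IP in the pool is throttled: the attack stalls
    return None


def run_demo():
    """Run the same attack against both policies and return the outcomes."""
    pool = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # constructed attacker IPs
    per_ip = LoginService(by_ip)
    per_account = LoginService(by_account)
    single_ip = LoginService(by_ip)
    return {
        "per_ip_many_ips": brute_force(per_ip, "blanket", pool),
        "per_account_many_ips": brute_force(per_account, "blanket", pool),
        "per_ip_single_ip": brute_force(single_ip, "blanket", pool[:1]),
        "per_ip_attempts_checked": per_ip.attempts_seen,
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

With the per-IP counter, rotating through three addresses lets the attacker keep guessing until the weak password turns up, while the same attack from a single address stalls after two failures. With the per-account counter, the account is throttled after two wrong guesses no matter how many addresses the attacker has. A per-account counter does create a different problem, since anyone can then lock a victim out by sending bad guesses, which is why services usually combine the account-level counter with a CAPTCHA or progressive delay rather than a hard lock.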

As Jones relates, he eventually discovered that @blanket, along with many other attractive Twitter handles, was being sold, often for a nominal sum, on a site called ForumKorner. After several attempts to get help from Twitter, he was able to get the account back, apparently intact.