Twitter users — especially those with desirable handles — risk having their accounts stolen, according to one recently hacked user who says there’s a fundamental vulnerability in the service’s security system.
According to Daniel Dennis Jones, whose account, @blanket, was recently hijacked, Twitter’s password reset process allows hackers to attempt a more wide-ranging brute force approach to breaking into accounts than other services with more restrictive systems.
In a lengthy write-up of his recent experience, Jones says he discovered that Twitter’s security system limits log-in attempts by IP address rather than by account. A hacker able to use multiple IP addresses can therefore make many more tries at getting into a single account than would be possible if Twitter locked the account after a set number of failed attempts, or if it employed two-factor authentication as Google does.
Jones’ account hacker “used a program that repeatedly attempts to log in with common passwords,” wrote BuzzFeed in a story about his ordeal. “Most sites, including Twitter, flag or disable user accounts, or throw up a CAPTCHA, after a certain number of failed log-in attempts. But whereas many services, including Gmail, limit log-in attempts on a per-account basis, Twitter apparently only prevents large numbers of log-in attempts from the same IP address.”
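The difference the BuzzFeed passage describes can be made concrete with a small throttle model. This is an added example, not code from Twitter, Jones or BuzzFeed; the `LoginThrottle` class, the `attempts_admitted` harness and the sample addresses are all constructed for illustration, and every attempt is assumed to use a wrong password.

```python
from collections import defaultdict


class LoginThrottle:
    """Failed-login counter for one authentication endpoint.

    Simplified, hypothetical model (constructed for this example) of the two
    policies the article contrasts: refusing attempts once a source IP has too
    many failures, versus also refusing once the targeted account has too many.
    """

    def __init__(self, max_failures=5, per_ip=True, per_account=False):
        self.max_failures = max_failures
        self.per_ip = per_ip
        self.per_account = per_account
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)

    def allow(self, account, ip):
        """True if an attempt from `ip` against `account` may proceed."""
        if self.per_ip and self.ip_failures[ip] >= self.max_failures:
            return False
        if self.per_account and self.account_failures[account] >= self.max_failures:
            return False
        return True

    def record_failure(self, account, ip):
        """Count a wrong-password attempt against both keys."""
        self.ip_failures[ip] += 1
        self.account_failures[account] += 1


def attempts_admitted(throttle, account, n_attempts, ips):
    """Return how many of `n_attempts` failing attempts against one account
    the throttle lets through when the source address rotates across `ips`."""
    admitted = 0
    for i in range(n_attempts):
        ip = ips[i % len(ips)]
        if throttle.allow(account, ip):
            admitted += 1
            throttle.record_failure(account, ip)
    return admitted


if __name__ == "__main__":
    # Constructed sample addresses from the TEST-NET-3 documentation range.
    ips = [f"203.0.113.{k}" for k in range(1, 101)]
    ip_only = LoginThrottle(max_failures=5, per_ip=True, per_account=False)
    both = LoginThrottle(max_failures=5, per_ip=True, per_account=True)
    print(attempts_admitted(ip_only, "example_user", 10_000, ips))  # 500
    print(attempts_admitted(both, "example_user", 10_000, ips))     # 5
```

With only the per-IP rule, the admitted attempts scale with the number of addresses available (5 per address here); adding the per-account rule caps them at 5 regardless of how the attempts are spread. A flat per-account lock does let anyone lock the legitimate owner out, which is why production systems usually escalate to CAPTCHAs or delays rather than an outright refusal.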
Of course, Twitter’s security regimen is probably not all that different from that of many other sites. According to Jeremiah Grossman, CTO and co-founder of Whitehat Security, the attack that victimized Jones was “very, very common. … Perhaps Twitter could have a bit stronger and more comprehensive approach to dealing with brute force attacks, but they can really only take it so far before annoying their users.”
Added Grossman, “Really the best way for users to defend themselves, and their coveted Twitter accounts, is to choose truly hard to guess passwords. Something a bad guy couldn’t guess if they had a million-plus chances to do so.”
Twitter did not immediately respond to a CNET request for comment.
As Jones related, he eventually discovered that @blanket, along with many other attractive Twitter handles, was being sold — often at a nominal cost — on a site called ForumKorner. However, after several attempts to get help from Twitter, he was able to get the account back, it seems, in one piece.