Sunday, January 11, 2009

Britney, Obama Twitter Feeds Hijacked Following Phishing Attack

Official Twitter feeds belonging to Barack Obama's campaign, Fox News and Britney Spears were hijacked to send out fake messages on Monday, two days after a password-stealing phishing attack targeted the microblogging service.

"A number of high-profile Twitter accounts were compromised this morning, and fake/spam updates were sent on their behalf," the company acknowledged on its website Monday. "We have identified the cause and blocked it. We are working to restore compromised accounts."

A fake message sent to followers of the Fox News Twitter feed announced that Fox host Bill O'Reilly "is gay," while a message from Britney Spears' feed made lewd comments about the singer. A tweet sent out from the Barack Obama account asked users to click on a link to take a survey about Obama and be eligible to win $500 in gasoline.

Though the fake tweets were decidedly unsubtle, the apparent compromise of the hugely popular microblogging service could have more serious implications. Users increasingly rely on feeds from news sites and other trusted sources, and a more subtle fake Twitter message sent out from a compromised account could potentially wreak some havoc.

The flock of fake tweets followed a weekend phishing attack designed to steal Twitter passwords. It's not yet clear whether the two events are connected, though the company's warning on Monday hinted at a more widespread attack than just a handful of high-profile accounts. "As a precaution, it would be prudent to reset your Twitter password and make sure email in your settings is your own," the company wrote.

The phishing scam went after Twitterers set up to receive e-mail notification whenever they're sent a private direct message -- messages that generally come from trusted friends and followers. In this case, the e-mail notification urged them to visit a website.

Hey, i found a website with your pic on it. . . LOL check it out here

The message included a link to what appeared to be the Twitter log-in page, but was actually a scam site designed to grab a visitor's Twitter username and password when he or she logs in. The malicious website, twitter.access-logins.com, is registered in China.

Many people unwisely use the same username and password for numerous internet services, including their online banking accounts, so someone who falls for the phishing scam and enters his credentials in the fake Twitter log-in page could find that a scammer has hijacked his other accounts as well.

UPDATE: Twitter posted an update to its blog announcing that its service was hacked in an attack that was unrelated to the phishing scam. According to the company, 33 Twitter accounts were hacked -- including Barack Obama's account. An attacker hacked into some tools that Twitter's support team uses to help account holders and gained access to the Twitter accounts of Obama and others. Twitter has taken the tools offline until it's able to secure them.

Twitter has not responded to a request for comment.

UPDATE II: Twitter co-founder Biz Stone got back to me late this afternoon and explained that the hacker got into the tool Monday morning by using a dictionary attack to guess the password of one of his support team employees. He didn't know what the employee's password had been but said they took the tool offline until they could shore up their internal security.

With regard to the separate phishing attacks that occurred over the weekend (there were two of them), he said his engineers were able to identify every Twitter user who followed links to the fake site and gave out their credentials. The company has reset the passwords for those users. Stone didn't have any details to explain how the engineers identified those users.

Weak Password Brings 'Happiness' to Twitter Hacker

An 18-year-old hacker with a history of celebrity pranks has admitted to Monday's hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama's, and the official feed for Fox News.

The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he gained entry to Twitter's administrative control panel by pointing an automated password-guesser at a popular user's account. The user turned out to be a member of Twitter's support staff, who'd chosen the weak password "happiness."

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

"I feel it's another case of administrators not putting forth effort toward one of the most obvious and overused security flaws," he wrote in an IM interview. "I'm sure they find it difficult to admit it."

The hacker identified himself only as an 18-year-old student on the East Coast. He agreed to an interview with Threat Level on Tuesday after other hackers implicated him in the attack.

The intrusion began unfolding Sunday night, when GMZ randomly targeted the Twitter account belonging to a woman identified as "Crystal." He found Crystal only because her name had popped up repeatedly as a follower on a number of Twitter feeds. "I thought she was just a really popular member," he said.

Using a tool he authored himself, he launched a dictionary attack against the account, automatically trying English words. He let the program run overnight, and when he checked the results Monday morning at around 11:00 a.m. Eastern Time, he found he was in Crystal's account.

That's when he realized that Crystal was a Twitter staffer, and he now had the ability to access any other Twitter account by simply resetting an account holder's password through the administrative panel. He also realized he hadn't used a proxy to hide his IP address, potentially making him traceable. He said he hadn't used a proxy because he didn't think the intrusion was important enough to draw law-enforcement attention, and "didn't think it would make headlines."

He said he decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster, a forum for hackers and former hackers, offering access to any Twitter account by request.

"I ... threw the hack away by providing DG free accounts," he said.

He also posted a video he made of his hack to prove he had administrative access to Twitter.

President-Elect Barack Obama was among the most popular requests from Digital Gangster denizens, with around 20 members asking for access to the election campaign account. After resetting the password for the account, he gave the credentials to five people.

He also filled requests for access to Britney Spears' account, as well as the official feeds for Facebook, CBS News, Fox News and the accounts of CNN correspondent Rick Sanchez and Digg founder Kevin Rose. Other targets included additional news outlets and other celebrities. Fox won the hacker popularity contest, beating out even Obama and Spears. According to Twitter, 33 high-profile accounts were compromised in all.

GMZ doesn't know what the reset passwords were, because Twitter resets them randomly with a 12-character string of numbers and letters.

On Monday morning, the Twitter accounts belonging to Obama, Britney Spears, Fox News and others began sending out bogus messages.

Someone used the Obama account to send out a message urging supporters to click on a link to take a survey about the president-elect, and be eligible to win $500 in gasoline. A fake message sent to followers of the Fox News Twitter feed announced that Fox host Bill O'Reilly "is gay," while a message from Britney Spears' feed made lewd comments about the singer.

It was initially believed that the Twitter account hijackings were related to two phishing scams that surfaced over the weekend. But GMZ's hack was unrelated.

Shortly after GMZ posted his original message to Digital Gangster, the site's administrator deleted it, along with the responses from members asking for access to other accounts. But a subsequent thread on the site supports GMZ's account of the hack.

GMZ said he didn't access any of the high-profile accounts himself, and didn't send out any of the bogus tweets. He thinks he was in Twitter a couple of hours before the company became aware of his access and locked him out.

Twitter co-founder Biz Stone confirmed for Threat Level that the intruder had used a dictionary attack to gain access to the administrative account, but wouldn't confirm the name of the employee who was hacked, or the password. He also wouldn't comment on how long the intruder was in the Twitter account resetting passwords before he was discovered.

"Regarding your other questions, I'd feel more comfortable addressing them once we've spoken to counsel because this is still ongoing," he wrote Threat Level in an e-mail.

Stone said that Twitter has already been contacted by the Barack Obama campaign about the hack and has been in touch with everyone whose account was accessed by the intruders. He said Twitter had not had contact with the FBI or any other law enforcement agency.

"We're waiting to hear back from our lawyer about what our responsibilities are about this and how to approach it," Stone said in a separate phone interview.

As for addressing the security issues that allowed the breach, he wrote in a follow-up e-mail that the company is doing "a full security review on all access points to Twitter. More immediately, we're strengthening the security surrounding sign-in. We're also further restricting access to the support tools for added security."

GMZ, who said he's been hacking for about three years and is currently studying game development, said he conducted the dictionary attack using a script he wrote and used last November to break into the YouTube account of teen queen Miley Cyrus.

That hack gained widespread attention when someone posted a video memorial to Cyrus on the account, claiming Cyrus had died in a car accident. GMZ said a friend of his was responsible for the hoax.

GMZ said he's used the same dictionary attack to breach the SayNow accounts of Disney star Selena Gomez and other celebrities.

After YouTube blocked his IP and patched some vulnerabilities he was exploiting, he decided "for the fun of it (curiosity and self-entertainment) I'll pen-test Twitter." He was "shocked to realize that there was no rate limit" to lock someone out after a specific number of failed password attempts.
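The two details the article keeps returning to, a staff password that was a plain dictionary word and a sign-in page that accepted unlimited rapid-fire attempts, are both fixable at the login endpoint. The following is an added example, not Twitter's code or anything GMZ published: a small Python login guard that counts failures per account in a sliding window and locks the account temporarily, plus a check that rejects dictionary-word passwords at the point they are set. The account name "crystal", the word list, the thresholds (5 failures in 300 s, 15-minute lockout) and the guess sequence are constructed for the demonstration; `max_failures=None` reproduces the no-rate-limit behaviour the article describes so the two configurations can be compared side by side.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed word list standing in for the English dictionary the attacker used.
COMMON_WORDS = {"happiness", "password", "sunshine", "football", "welcome"}


def is_dictionary_password(password: str, words=COMMON_WORDS) -> bool:
    """True when the password is a plain dictionary word (case-insensitive)."""
    return password.lower() in words


@dataclass
class AccountState:
    failure_times: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                                 # epoch seconds; 0 = not locked


class LoginGuard:
    """Password check with a sliding-window failure counter and temporary lockout.

    max_failures=None reproduces the unguarded behaviour the article describes
    (unlimited rapid-fire attempts); an integer enables the lockout.
    """

    def __init__(self, credentials: Dict[str, str], max_failures: Optional[int] = 5,
                 window: float = 300.0, lockout: float = 900.0):
        self._creds = credentials          # demo only: a real system stores salted hashes
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'fail' or 'locked' for one login attempt made at time `now`."""
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"                # reject without even checking the password
        # drop failures that have aged out of the window
        st.failure_times = [t for t in st.failure_times if now - t < self.window]
        expected = self._creds.get(user, "")
        # constant-time comparison; unknown users take the same path as a wrong password
        if user in self._creds and hmac.compare_digest(expected, password):
            st.failure_times.clear()
            return "ok"
        st.failure_times.append(now)
        if self.max_failures is not None and len(st.failure_times) >= self.max_failures:
            st.locked_until = now + self.lockout
            st.failure_times.clear()
            return "locked"
        return "fail"


def run_guesses(guard: LoginGuard, user: str, words: List[str],
                start: float = 0.0, interval: float = 1.0) -> List[str]:
    """Feed a word list to the guard, one guess every `interval` seconds,
    and return the outcome of each guess in order."""
    return [guard.attempt(user, w, start + i * interval) for i, w in enumerate(words)]


if __name__ == "__main__":
    creds = {"crystal": "happiness"}       # constructed account; only the password is from the article
    guesses = ["apple", "banana", "cherry", "dolphin", "eagle", "falcon", "happiness"]

    unlimited = LoginGuard(creds, max_failures=None)
    print("no rate limit:", run_guesses(unlimited, "crystal", guesses))   # seventh guess -> 'ok'

    limited = LoginGuard(creds, max_failures=5)
    print("with lockout: ", run_guesses(limited, "crystal", guesses))     # fifth guess locks the account
    print("dictionary word:", is_dictionary_password("happiness"))        # True
```

With the lockout in place the correct word is never even compared: the fifth wrong guess locks the account and the remaining guesses are refused until the lockout expires. The dictionary check belongs at password-set time, where it would have refused "happiness" before any attacker got a turn.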

He said he'd never even heard of Twitter until he saw someone mention it on YouTube.

Image: A detail from a video of the Twitter hack Monday morning. Courtesy GMZ