April 30th, 2009

French hacker gains access to Twitter's admin panel

Posted by Dancho Danchev @ 6:58 am

Categories: Browsers, Data theft, Hackers, Passwords, Pen testing, Responsible disclosure, Social Networking Applications, Web 2.0

Tags: Hacker, Twitter, Hacking, Security, Dancho Danchev

UPDATE2: Twitter confirms the unauthorized access.

UPDATE: The Twitter admin hack appears to be the result of a successful social engineering attack against one of Twitter’s employees — a similar attack took place in January this year. Here’s a retrospective of the events that took place.

Yesterday, a French hacker claimed to have gained access to Twitter’s administration panel. Based on the screenshots he included, which feature internal data for accounts belonging to U.S. President Barack Obama, Britney Spears, Ashton Kutcher, and Lily Allen, as well as a detailed overview of different sections behind the scenes of Twitter, his claims seem pretty legitimate.

The hacker going under the handle of Hacker Croll featured 13 screenshots of Twitter’s admin panel, and commented that “The images were taken from the Admin area that was secured with .htaccess.” It’s still unclear whether any data belonging to account holders was modified, but one has to assume that given the access obtained, there’s a high chance that he was able to download anything he wanted to.

The attack comes two weeks after multiple variants of Mickeyy’s XSS worm hit the continuously growing micro-blogging service.

UPDATE: The screenshots were obtained through the account of a Twitter employee who reported that his Yahoo! Mail account got compromised on the 27th - “Wow - my Yahoo mail account was just hacked.”; “If anyone with Yahoo! Security is out there, hit me up with a reply”.

Interestingly, Hacker Croll goes into more detail regarding the compromise on a different forum - “one of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password.” and that he “used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection”.

A similar password reset attack contributed to the successful hacking of Sarah Palin’s personal email account in September last year.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


  • Talkback
  • Most Recent of 7 Talkback(s)
This is why we need secure web fingerprint ID
This kind of story drives me nuts!

When are we going to realize that any authentication scheme (or for that matter, the way we obtain credit) based on "what you know" vs. "what you have," (bett...
Posted by: SecurityThroughObscurity Posted on: 05/04/09 (Edited: 05/04/09 @ 10:18)