Serious Twitter security flaw leads to account hijacking for love and money

The problem, BuzzFeed has discovered, is that Twitter puts no limit on the number of times someone can attempt to log into a given account. It only throttles large numbers of login attempts coming from the same IP address, a protection that is a mere nuisance for the average hacker, who can route guesses through proxies or compromised machines. The password stealers can therefore make as many attempts against a single account as they want, as long as the attempts appear to be coming from different computers.
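To make the weakness concrete, the simulation below is an added example (not Twitter's code, and not anything BuzzFeed or Jones published). It models a login throttle that counts failures per source IP only, as the article describes, beside one that also counts failures per target account, and runs the same distributed guessing campaign against both. The target account `hah`, its password, the guess list and the pool of attacker addresses are all constructed for the example.

```python
"""Per-IP versus per-account login throttling (constructed simulation)."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class LoginThrottle:
    """Refuse a login attempt once a key has too many recent failures.

    ip_limit      -- failures tolerated per source IP inside the window
    account_limit -- failures tolerated per target username; None disables
                     the per-account counter, reproducing a per-IP-only design
    window        -- how long (seconds) a failure counts against its key
    """

    def __init__(self, ip_limit: int = 5, account_limit: Optional[int] = 5,
                 window: int = 900) -> None:
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.window = window
        # key -> timestamps of recorded failures; keys are ("ip", addr) or ("acct", user)
        self._fails: Dict[tuple, List[int]] = defaultdict(list)

    def _recent(self, key: tuple, now: int) -> int:
        """Drop failures outside the window and return how many remain."""
        kept = [t for t in self._fails[key] if now - t < self.window]
        self._fails[key] = kept
        return len(kept)

    def allowed(self, ip: str, username: str, now: int) -> bool:
        if self._recent(("ip", ip), now) >= self.ip_limit:
            return False
        if (self.account_limit is not None
                and self._recent(("acct", username), now) >= self.account_limit):
            return False
        return True

    def record_failure(self, ip: str, username: str, now: int) -> None:
        self._fails[("ip", ip)].append(now)
        self._fails[("acct", username)].append(now)


# Constructed credential store: a short, valuable handle with a weak password.
CREDENTIALS = {"hah": "password"}  # hypothetical; not a real account's password


def check_password(username: str, password: str) -> bool:
    return CREDENTIALS.get(username) == password


# Constructed attacker inputs: a 50-word guess list with the real password at
# position 40, and 20 source addresses from the documentation range.
GUESSES = [f"guess{i}" for i in range(40)] + ["password"] + [f"guess{i}" for i in range(40, 49)]
IP_POOL = [f"203.0.113.{i}" for i in range(1, 21)]


def run_attack(throttle: LoginThrottle, username: str, guesses: List[str],
               ips: List[str]) -> Tuple[int, Optional[str]]:
    """Try each guess against `username`, rotating the source IP per attempt.

    Returns (number of guesses the service actually evaluated, password found
    or None). One attempt per second keeps everything inside the window.
    """
    checked = 0
    for i, guess in enumerate(guesses):
        ip = ips[i % len(ips)]
        now = i
        if not throttle.allowed(ip, username, now):
            continue  # refused; attacker just moves on with the next address
        checked += 1
        if check_password(username, guess):
            return checked, guess
        throttle.record_failure(ip, username, now)
    return checked, None


def compare_policies() -> Dict[str, Tuple[int, Optional[str]]]:
    """Run the same campaign under both designs and return the outcomes."""
    return {
        # The article's situation: only the source IP is counted, so 20 addresses
        # each stay under the limit and every guess reaches the password check.
        "per_ip_only, rotating IPs": run_attack(
            LoginThrottle(ip_limit=5, account_limit=None), "hah", GUESSES, IP_POOL),
        # Per-IP throttling does work when the attacker has a single address.
        "per_ip_only, single IP": run_attack(
            LoginThrottle(ip_limit=5, account_limit=None), "hah", GUESSES, IP_POOL[:1]),
        # Counting failures against the target account closes the hole.
        "per_account, rotating IPs": run_attack(
            LoginThrottle(ip_limit=5, account_limit=5), "hah", GUESSES, IP_POOL),
    }


if __name__ == "__main__":
    for policy, (checked, found) in compare_policies().items():
        print(f"{policy:28s} guesses evaluated={checked:3d} password found={found!r}")
```

Under the per-IP-only design the rotating attacker gets all 41 guesses evaluated and recovers the password; the same attacker is stopped after five guesses as soon as failures are also counted against the account. The per-account counter is the control the article says Twitter lacked. A practitioner adding it should note that a hard per-account lockout lets anyone lock a victim out by spamming wrong passwords, which is why production designs usually combine it with progressive delays or a challenge step rather than an outright block.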

And hackers are indeed busily working away. On Saturday, Jones received a message from Twitter customer service that his password had been changed. He tried to log in and found that his account had been renamed: his credentials now logged him into an account whose new handle is unprintable here.

After searching around the internet, he found a site called ForumKorner that was selling his Twitter handles along with a host of other high-value accounts. These are Twitter names that command high prices because of their brevity: @hah, @captain, @craves, @abound, @grinding and so on, Jones noted. Some were going for $60 to $100, especially handles that have been around since the early days of the microblogging service.

“Someone cracked my Twitter account and stole my username earlier today,” Jones wrote in a blog post that aggregates his tweets on Storify. “What they did with it led me down a rabbit hole of security vulnerabilities, username black markets, and teen crushes.” Essentially, Jones found, the crackers are teenagers: boys using their exploits to gain attention from girls, and vice versa, with one of the perpetrators tweeting that she had been grounded for participating.

“So many accounts, all taken for love and money,” Jones wrote.

The lesson for users? Pick a long, unique password for each account, since an attacker who is never throttled will eventually guess a short or common one; changing it regularly helps only in the sense that it may already have been guessed. The fix that actually closes the hole, throttling failed logins per account rather than per IP address, is Twitter's to make.

Twitter, meanwhile, now has another black eye. It has been beefing up security, but this latest issue shows it has much more work to do.
