Twitter co-founder Biz Stone says the company “takes security very seriously,” but the details behind the micro-blogging site’s recent hack show that Twitter is light years away from having the most basic security controls in place.
Here’s the French hacker describing how he broke into Twitter’s admin interface:
I’ve used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection
And here’s another doozy:
one of the admins has a yahoo account, I’ve reset the password by answering the secret question. Then, in the mailbox, I have found her twitter password.
This isn’t the first time a stray Twitter admin’s password has turned into a security embarrassment, and it makes one wonder whether the company has given any thought to securing the privacy (and, sometimes, anonymity) of its growing user base.
It seems to me that Twitter’s internal security could be improved if staff were required to log in using authentication tokens that generate a random one-time key at each login; that way, even if a staffer’s username and password were compromised, the attacker would still not be able to gain access.
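To make the token idea concrete, here is an added example (mine, not code from the article or from Twitter) of what such a second factor looks like in practice: an HOTP/TOTP one-time code (RFC 4226 / RFC 6238) checked alongside the password, with a replay guard so a code that was captured cannot be reused. The user store, the user “alice”, her password and the seed are all constructed for illustration; the RFC test-vector secret is the one published in those RFCs.

```python
"""Added example: a one-time-code second factor (HOTP, RFC 4226; TOTP, RFC 6238).
Shows why a stolen username/password alone does not complete a login.
Users, passwords and seeds below are constructed for illustration only."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit value, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked user table does not directly expose passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory user store (hypothetical; a real service would use a DB).
USERS = {}


def enroll(username: str, password: str) -> bytes:
    """Create an account with a fresh random TOTP seed; the seed is what gets
    provisioned into the staffer's hardware token or authenticator app."""
    salt = secrets.token_bytes(16)
    seed = secrets.token_bytes(20)  # 160-bit seed, as RFC 4226 recommends for SHA-1
    USERS[username] = {
        "salt": salt,
        "pw": _hash_password(password, salt),
        "seed": seed,
        "last_counter": -1,  # highest time-step already accepted (replay guard)
    }
    return seed


def login(username: str, password: str, code: str,
          now: Optional[int] = None, window: int = 1) -> bool:
    """Both factors must verify. Accepts codes from `window` steps on either
    side of the current time-step to tolerate clock drift, and never accepts
    a time-step at or below one already used, so a captured code cannot be replayed."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(user["pw"], _hash_password(password, user["salt"])):
        return False  # password wrong: stop here
    if now is None:
        now = int(time.time())
    counter = now // 30
    for c in range(counter - window, counter + window + 1):
        if c <= user["last_counter"]:
            continue  # this step was already consumed
        if hmac.compare_digest(hotp(user["seed"], c), code):
            user["last_counter"] = c
            return True
    return False  # password right, but no valid one-time code: access denied


if __name__ == "__main__":
    seed = enroll("alice", "hunter2")
    t = int(time.time())
    print("password + current token:", login("alice", "hunter2", totp(seed, t), now=t))
    print("same token replayed:     ", login("alice", "hunter2", totp(seed, t), now=t))
    print("password only, no token: ", login("alice", "hunter2", "000000", now=t))
```

The point the post makes falls out of the last two lines of the demo: an attacker who has recovered the password (from a mailbox, as in the story above) still fails without the token’s current code, and even a code they managed to observe is rejected once it has been used.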
Hopefully, the plans for a Twitter security team go further than just securing the code and eliminating XSS vulnerabilities.
Twitter needs a top-down rethink of the way security is being handled and a genuine, transparent effort at hack-proofing the service.
A security contact would also be nice.