An attacker, who may have gotten the information from the database of a third party, claims to have access to the OAuth login tokens and secrets for every Twitter user. He has posted more than 15,000 of the entries online and claims that he can now access the account of any user he wishes. Twitter officials, however, say no accounts have been compromised.
Third-party apps that access Twitter use OAuth tokens and secrets to authenticate. With them, an attacker could access a user’s account without needing her password. The OAuth tokens and secrets have been posted on a data-sharing site called Zippyshare.
Twitter officials say that they have looked into the reported attack.
“We have investigated the situation and can confirm that no Twitter accounts were compromised,” a Twitter spokesman said.
The attack is supposedly the work of an attacker known as Mauritania Attacker, who has been linked with pro-Islamic operations in the past. Security researchers say the data posted online appears to have come from a third-party app. It’s not clear which app is involved, but a source with knowledge of the situation says the app has been suspended by Twitter.