funsec mailing list archives

Re: Twitter Hacker Says Admin Password Was 'Happiness'


From: "Alex Eckelberry" <AlexE () sunbelt-software com>
Date: Wed, 7 Jan 2009 14:47:27 -0500

Oh.  So what Britney twittered about herself wasn't true?  

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Paul Ferguson
Sent: Wednesday, January 07, 2009 12:25 AM
To: funsec
Subject: [funsec] Twitter Hacker Says Admin Password Was 'Happiness'

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Absolute idiocy -- violating the first principle of security: easily
cracked passwords.

Via Threat Level.

[snip]

An 18-year-old hacker with a history of celebrity pranks has admitted to
Monday's hijacking of multiple high-profile Twitter accounts, including
President-Elect Barack Obama's, and the official feed for Fox News.

The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he
gained entry to Twitter's administrative control panel by pointing an
automated password-guesser at a popular user's account. The user turned
out to be a member of Twitter's support staff, who'd chosen the weak
password "happiness."

Cracking the site was easy, because Twitter allowed an unlimited number
of rapid-fire log-in attempts.

"I feel it's another case of administrators not putting forth effort
toward one of the most obvious and overused security flaws," he wrote in
an IM interview. "I'm sure they find it difficult to admit it."

The hacker identified himself only as an 18-year-old student on the East
Coast. He agreed to an interview with Threat Level on Tuesday after other
hackers implicated him in the attack.

[snip]

Much more:

http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFJZDyzq1pz9mNUZTMRAnZLAJoD0IwRNVCUfLQ3D8AuLiUQSJGKsQCg2xBK
zUkpUVWFsMLwVRxXc2MjRRA=
=PC2v
-----END PGP SIGNATURE-----



-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
