Multiple security breaches have rattled Silicon Valley’s two most popular social networking sites over the past few days.
Early in the week a hacker gained administrative access to Twitter, viewed details of several high-profile accounts — including those of Ashton Kutcher and President Obama — and posted screenshots on the web. The behind-the-scenes glimpse revealed the account holders’ email addresses, IP addresses and phone numbers.
Troublingly, the hacker didn’t use sophisticated techniques such as exploiting XSS or SQL injection vulnerabilities. Instead, the hacker simply gained access to the Yahoo Mail account of a Twitter administrator by resetting her password through answering the “secret questions”. Then, in the mailbox, the hacker found her Twitter admin password.
In a blog post acknowledging the breach, Twitter co-founder Biz Stone wrote: “We will be conducting a thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data.”
The infiltration was reminiscent of a similar hack in January, when an 18-year-old admitted to hijacking several high-profile Twitter accounts, including those of then President-Elect Obama and the feed for Fox News.
Then on Wednesday a phishing attack hit Facebook, infiltrating inboxes with a message that appeared to be from Facebook, but instead directed users to log in to http://fbaction.net. Those who did log in gave phishers access to their account information, enabling the attack to spread. In just a short while, “fbaction.net” became the second-most-popular trending topic on Google Trends.
As Facebook worked to contain the fbaction.net attack, another phishing scam hit. This one appeared as a message from a friend with the subject “Look at this!”, and directed users to http://fbstarter.com. This time, “fbstarter.com” became the single-most-popular trending topic on Google Trends, as alarm about the attack spread across the web.
In both cases, Facebook acted quickly to minimise the damage. The company deleted the offending URLs from walls and inboxes, and blocked access to the URLs wherever an active link was still found. On Thursday Facebook announced a partnership with MarkMonitor AntiFraud Solutions, a move that should boost its ability to defend against phishing attacks. It also said it would pursue civil and possibly criminal cases against the phishers.
“It’s been a pretty busy week for social networks, and not in a good way,” said Mary Landsman, senior security researcher for ScanSafe.
Ms Landsman doesn’t believe these hackers have malicious intent. “I think they’re trying to shed light on just how insecure these sites are,” she said. “I don’t endorse their tactics at all, but in these instances, it was more about trying to bring these problems to light.”
Still, with more and more companies and politicians using social networking services, Ms Landsman said high-profile individuals should think twice before signing up to interact.
“Personnel in companies that have sensitive positions should not be Twittering,” she said. “Or they should do it with the assumption that all the information used to create that account could be exposed. There are real potential security risks if that admin account is penetrated.”