Twitter has settled a federal complaint over a pair of 2009 breaches in which hackers were able with relative ease to gain access to user accounts, including one used by President Barack Obama.
The Federal Trade Commission had accused Twitter of promising privacy and security to users while, it alleged, protections were so lax that hackers were able to take over accounts with little effort. The final consent order, announced Friday, does not impose fines for what amounts to a truth-in-advertising violation. But it does require that Twitter tighten its security system, perform security audits every two years for the next decade and not make deceptive security claims.
Twitter agreed to the punishments, but admitted no violation of law.
Among the sloppy practices outlined in the FTC order (.pdf):
- From July 2006 to July 2009, nearly all Twitter employees had total access to the Twitter system, including the ability to reset passwords, read users' direct messages and nonpublic tweets and send tweets in any user's name.
- Twitter employees used the public Twitter login page to get into these admin accounts and there were no controls on how strong such passwords had to be or how long they lasted. Twitter did not lock down accounts after multiple wrong password guesses.
On Jan. 4, 2009, a hacker took advantage of these flaws using an automated password-guessing tool (a so-called dictionary attack) to figure out an employee's administrative password, after submitting thousands of guesses into Twitter's public login webpage. Once in, the hacker reset passwords, passed them along to other hackers and sent out tweets from the president's account — one promised Obama's followers $500 in free gasoline for filling out a survey — as well as from Fox News.
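The two gaps the FTC order describes, no minimum password strength and no lockout after repeated wrong guesses, are the ones that let thousands of automated guesses against a public login page succeed. The following is an added illustration, not Twitter's code, of a login handler that enforces both and also refuses to authenticate administrative accounts through the public endpoint; the threshold, lockout duration and minimum length are assumed values, and the `now` parameter is injected so the lockout expiry can be exercised without waiting.

```python
"""Login handler with a password policy, per-account lockout after repeated
failures, and a separate entry point for administrative accounts.
Constructed illustration; none of this is Twitter's own code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 12   # assumed policy value
MAX_FAILED_ATTEMPTS = 5    # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration
PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same time as real ones


@dataclass
class Account:
    salt: bytes
    digest: bytes
    is_admin: bool = False
    failed_attempts: int = 0
    locked_until: float = 0.0  # unix timestamp; 0.0 means not locked


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen table cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def password_meets_policy(password: str) -> bool:
    """Minimal strength rule: length only; a real policy would add breach-list checks."""
    return len(password) >= MIN_PASSWORD_LENGTH


class LoginService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str, is_admin: bool = False) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, _derive(password, salt), is_admin)

    def login(self, username: str, password: str, now: float, endpoint: str = "public") -> str:
        """Returns "ok", "denied" or "locked". The public endpoint never
        authenticates administrative accounts, whatever the password."""
        acct = self.accounts.get(username)
        if acct is None:
            _derive(password, _DUMMY_SALT)  # keep timing similar to a real lookup
            return "denied"
        if now < acct.locked_until:
            return "locked"  # correct guesses are refused too while locked
        if acct.is_admin and endpoint != "admin":
            return "denied"
        if hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            acct.locked_until = 0.0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # A dictionary attack stalls here: every further attempt, right or
            # wrong, is refused until the lockout expires.
            acct.failed_attempts = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def simulate_dictionary_attack(svc: LoginService, username: str, guesses: list[str], now: float) -> list[str]:
    """Feed a constructed guess list to the public endpoint and record each outcome."""
    return [svc.login(username, g, now) for g in guesses]


if __name__ == "__main__":
    svc = LoginService()
    svc.register("staff", "correct horse battery staple")
    print(simulate_dictionary_attack(svc, "staff", ["123456", "password", "letmein",
                                                    "qwerty", "welcome1", "correct horse battery staple"], now=0))
```

The constructed guess list ends with the real password, yet the last attempt is still refused because the account locked on the fifth failure; only after `LOCKOUT_SECONDS` does the correct password work again.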
Another attack followed shortly after that one.
"Twitter has engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic," the commission said in its order.
When asked for comment, Twitter pointed to a blog post from last year when the settlement was proposed, where it said that it had already implemented many of the settlement's requirements.
Twitter's security remains suboptimal. Because of how it handles logged-in sessions, users on open Wi-Fi can have their accounts temporarily hijacked using a simple browser extension called Firesheep. The most recent prominent victim of that kind of attack was Ashton Kutcher, who had messages sent through his account by a fellow attendee at the TED conference last week.
Twitter turned on the ability to use Twitter over HTTPS last week, and in a tweet said more options were coming soon.
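Firesheep-style hijacking works by capturing a session cookie that the site sends over an unencrypted connection, which is why offering HTTPS matters. The check below is an added example, not Twitter's code or configuration: it audits a set of response headers for the cookie flags and transport header that stop such cookies leaking (`Secure`, `HttpOnly`, and `Strict-Transport-Security`), and shows a hardened `Set-Cookie` beside a plaintext-era one. The header values and cookie names are constructed.

```python
"""Audit HTTP response headers for the settings that prevent session-cookie
sidejacking. Constructed example; the sample responses are made up."""

REQUIRED_COOKIE_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(value: str) -> tuple[str, set[str]]:
    """Return the cookie name and the lower-cased set of attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response_headers(headers: list[tuple[str, str]]) -> list[str]:
    """headers: (name, value) pairs as sent by the server, in order.
    Returns findings in order of appearance; an empty list means nothing flagged."""
    findings: list[str] = []
    saw_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            for flag in REQUIRED_COOKIE_FLAGS:
                if flag.lower() not in attrs:
                    # Without Secure the cookie rides on plain HTTP and can be
                    # sniffed on shared Wi-Fi; without HttpOnly script can read it.
                    findings.append(f"cookie {cookie!r} missing {flag}")
        elif lname == "strict-transport-security":
            saw_hsts = True
    if not saw_hsts:
        # Without HSTS a browser will still make plain-HTTP requests to the site.
        findings.append("no Strict-Transport-Security header")
    return findings


def session_cookie_header(name: str, value: str, max_age: int) -> str:
    """Build a Set-Cookie value carrying both required flags."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly"


# Constructed sample responses: one as a plaintext-only site would send, one hardened.
PLAINTEXT_ERA = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "_session=abc123; Path=/"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", session_cookie_header("_session", "abc123", 3600)),
]

if __name__ == "__main__":
    print(audit_response_headers(PLAINTEXT_ERA))
    print(audit_response_headers(HARDENED))
```

Run against real responses, the audit is the quick way to confirm that turning on HTTPS actually protects the session: a site can serve pages over TLS and still mark its session cookie without `Secure`, in which case any plain-HTTP request the browser makes leaks it exactly as before.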
See Also: FTC Clears Twitter In Obama Hacking Incident