how twitter got hacked...


no technical hacking here; very, very simple stuff; please read (especially K)

Step 1:

When you register a new gmail account you give them a "secondary" email.  If you forget your password you can ask gmail to send a "password reset" link to this secondary email.

In this case, the hacker found that

  - his victim had a "hotmail" address as a secondary
  - he had not used that address for years
  - so hotmail had expired/deleted it (I don't blame them on this; even if it is MS!)
  - so anyone was free to register that address again
  - so the hacker simply registered it himself
  - thus getting the "password reset" email for his victim's gmail account :-)

Step 2:

The second part is even simpler.  He needed to reset the password back to what the owner **currently** uses, otherwise the owner would get suspicious (if he was unable to log in next time).  And he needed to do this very quickly.

  - he looked through all the saved email on the hacked gmail account
  - found a few passwords helpfully sent back by various services to which the victim had subscribed
  - gambled that the victim uses the same password for everything
  - and reset the gmail password to that

Step 3:

Once he was sure everything was OK, he just used that same password to access the victim's **official** twitter email.


Who needs cryptography, buffer overflows, complicated shellcode, rootkits, and all that techie stuff when users can be this naive :-)  I mean there's not a byte of code or a mangled URL or a malicious Javascript or even a single HEX character in this whole thing!!!

Moral of the story:

  - never use the same password for more than one service.
  - delete registration emails from websites if they contain your password.  Be sure to empty trash (or "delete forever") too
  - in any case, change your passwords once in a while

No comments: