Brute force password hacking has always been a nagging risk to people managing user accounts. It’s a terrible pain trying to balance the burden of providing a user-friendly logon experience with secure password control. Do you allow the user to enter an unlimited number of bad passwords, or do you cut them off after a couple of bad attempts? Do you require the user to provide personal data to validate their identity for password changes, or do you just send off a new password to their registered email address? It seems that each plan has its own benefits and drawbacks that must be considered when providing logon services.
Enter Twitter. I’m sure you have heard of this nifty little company that has experienced crazy growth over the last couple of years to over 5.5 million users. Apparently an 18-year-old kid (let’s refer to him as ‘the hacker’) discovered a not-so-neat fact: Twitter doesn’t block login attempts after a fixed number of failed authentication attempts. Watch the video of the hack or read the article in Wired:
The intrusion began unfolding Sunday night, when GMZ randomly targeted the Twitter account belonging to a woman identified as “Crystal.” He found Crystal only because her name had popped up repeatedly as a follower on a number of Twitter feeds. “I thought she was just a really popular member,” he said.
Using a tool he authored himself, he launched a dictionary attack against the account, automatically trying English words. He let the program run overnight, and when he checked the results Monday morning at around 11:00 a.m. Eastern Time, he found he was in Crystal’s account.
So what was the super complex password that the hacker was able to crack? happiness. That’s right… the keys to the Twitter kingdom consisted of this simple password. Ouch. I would think Crystal’s password now would be “I_Need_A_New_Job!”. That would be plenty complex!
After reading this article I started wondering how vulnerable other sites might be to this type of attack. After all, not everyone wants to bother adding such monitoring capabilities. I went looking at some of the sites that I frequent and found that many of them don’t have any restrictions on authentication attempts. Scary business.
And how hard would it really be to write a script for a brute force attack like the one the hacker used? Well… How about four simple lines of code attached to a very large dictionary database:
' Create the WinHTTP client object
Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
' Open a synchronous POST to the site's login handler
WinHttpReq.Open "POST", "http://www.domain.com/login", False
' Submit the credentials exactly as the browser's login form would
WinHttpReq.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
WinHttpReq.Send "login=Chris&password=Pa$$w0rd"
I tested this script against a site that I frequent and it worked as expected. So, I guess it’s not that hard to perform such an attack. Now it seems the question isn’t how did this happen to Twitter, but why doesn’t this happen every day?
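The control the post says Twitter lacked, as an added example that is not the post’s or Twitter’s code: a per-account sliding window of tolerated failures followed by a temporary lockout that doubles on each strike, the middle ground between unlimited attempts and a hard cutoff after a couple of typos. The thresholds (5 failures per 5 minutes, 60 s first lockout, 1 hour cap) and the 12-hour, one-guess-per-second attack timeline are assumptions chosen for illustration.

```python
from collections import deque

class LoginThrottle:
    """Per-account failed-login throttle: a sliding window of tolerated failures,
    then a temporary lockout that doubles on each consecutive strike. Timestamps
    are seconds (time.time() in production); state is in-memory for this example."""

    def __init__(self, max_failures=5, window=300, base_lockout=60, max_lockout=3600):
        self.max_failures = max_failures  # failures tolerated per window
        self.window = window              # sliding window, seconds
        self.base_lockout = base_lockout  # first lockout length, seconds
        self.max_lockout = max_lockout    # cap so escalation stays bounded
        self._failures = {}               # account -> deque of failure timestamps
        self._locked = {}                 # account -> (unlock time, strike count)

    def check(self, account, now):
        """Call before verifying the password. Returns (allowed, retry_after)."""
        until, _ = self._locked.get(account, (0, 0))
        return (True, 0) if now >= until else (False, until - now)

    def record_failure(self, account, now):
        """Count a wrong password. Returns the lockout applied, 0 if none."""
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) < self.max_failures:
            return 0
        _, strikes = self._locked.get(account, (0, 0))
        lockout = min(self.base_lockout * 2 ** strikes, self.max_lockout)
        self._locked[account] = (now + lockout, strikes + 1)
        q.clear()  # the lockout replaces the exhausted budget
        return lockout

    def record_success(self, account):
        """A correct password clears the account's failure history."""
        self._failures.pop(account, None)
        self._locked.pop(account, None)

def simulate_dictionary_attack(throttle, account, attempts, seconds_per_attempt=1.0):
    """Constructed timeline: one wrong guess per second, none correct. Returns how
    many guesses the throttle let through to the password check at all."""
    reached = 0
    for i in range(attempts):
        now = i * seconds_per_attempt
        allowed, _ = throttle.check(account, now)
        if allowed:
            reached += 1
            throttle.record_failure(account, now)
    return reached
```

With these constructed settings the simulated overnight run reaches the password check 85 times instead of roughly 43,000, while a user who mistypes four times is never locked out. The remaining drawback is that anyone who knows an account name can still lock it out temporarily, which is why deployments usually also key the counter on the source address or fall back to a CAPTCHA rather than a hard lockout.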




Thu, Jan 8, 2009
Security, Technology