Slashdot Mirror

← Back to Stories (view on slashdot.org)

Twitter #Hacked

Posted by timothy on from the coz-it's-a-hashtag-see dept.

theodp writes "Earlier this week, hackers gained access to Twitter's internal systems and stole information, compromising 250,000 Twitter accounts before the breach was stopped. Reporting the incident on the company's official blog, Twitter's manager of network security did not specify the method by which hackers penetrated its system, but mentioned vulnerabilities related to Java in Safari and Firefox, and echoed Homeland Security's advisory that users disable Java in their browsers. Sure, blame everything on Larry Ellison. Looks like bad things do happen in threes — Twitter's report comes on the heels of disclosures of hacking attacks on the WSJ and NY Times."

69 of 111 comments (clear)

  1. quick and dirty programming by slmdmd · · Score: 2

    java app => cron: reboot/restart apache/jboss/tomcat : every week

  2. Safari and Firefox by icebike · · Score: 4, Insightful

    Who reads twitter with a web browser anymore? All quarter million of these accounts?
    Or was that avenue used to gain access on a server to a password databases or what?

    TFA says

    hackers gained access to Twitter's internal systems and stole information, compromising 250,000 accounts

    They then reference an advisory from the U.S. Department of Homeland Security that users disable Java on their computers.

    Maybe Twitter should follow DHS?

    This sounds like half the story. And press accounts aren't much more informative. Seems everyone is playing this java angle
    pretty close to the vest.

    --
    Sig Battery depleted. Reverting to safe mode.
    1. Re: Safari and Firefox by Anonymous Coward · · Score: 3, Insightful

      Workers' computers at Twitter were compromised by a java exploit. If they were running Safari it's either oooold or they were using Macs.

    2. Re:Safari and Firefox by Mashiki · · Score: 1

      Who reads twitter with a web browser anymore?

      Did osmosis and transmission into the brain by optical cable get perfected while I was offline in the last three weeks? Can you let us in on the secret...

      --
      Om, nomnomnom...
    3. Re:Safari and Firefox by icebike · · Score: 4, Funny

      Who reads twitter with a web browser anymore?

      Did osmosis and transmission into the brain by optical cable get perfected while I was offline in the last three weeks? Can you let us in on the secret...

      Funny little thing happened while your were asleep Rip Van Winkle. Smartphones were found under a cabbage leaf and the world rejoiced.

      --
      Sig Battery depleted. Reverting to safe mode.
    4. Re:Safari and Firefox by 93+Escort+Wagon · · Score: 4, Insightful

      Yeah, reading tweets on a little phone screen. That's a step forward, yes it is.

      --
      #DeleteChrome
    5. Re: Safari and Firefox by tlhIngan · · Score: 4, Informative

      Workers' computers at Twitter were compromised by a java exploit. If they were running Safari it's either oooold or they were using Macs.

      They'd have to be both - as in a Mac running 10.6 or earlier since Apple removed Java from the OS and blocked old versions. Heck, a couple of days ago Apple blocked ALL versions of Java (they set the minimum version to 0.0.01 above the current one - Oracle just released it that was 0.0.02 above their previous version).

      Apple basically kicked Java to the curb with Flashback - they removed their version of Java from the OS (by blocking it, requiring install of the Oracle one). And the Java plugin for Safari is disabled by default - you can enable it, but I believe it disables itself automatically 30 days later, so you have to re-enable it again.

    6. Re:Safari and Firefox by sgunhouse · · Score: 1

      Sounds to me like they have found Java exploits posted to compromised accounts, at a guess. They're advising people to disable Java so that their personal computers aren't compromised as well..

      How much personal information is required to set up a Twitter account? I don't use it, but I'd guess not much. So what the hackers gained is 1/4 of a million places to post links to exploit sites - places that may have a wide audience (twitter followers).

    7. Re:Safari and Firefox by kdemetter · · Score: 1

      And how exactly is that not using a web browser ? It may not look the same way, but it does the same thing : it connects to a website ( using HTTP protocol ) , thus allowing you to browse the web. So it's still a browser.

      However, being a browser doesn't mean it has to support applets.

      --
      Slipping shoelaces ?
    8. Re:Safari and Firefox by foniksonik · · Score: 3, Interesting

      And access to any sites using Twitter OAuth credentials.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    9. Re:Safari and Firefox by Anonymous Coward · · Score: 1

      Yeah, reading tweets on a little phone screen. That's a step forward, yes it is.

      Originally Twitter was supposed to be a SMS broadcast service to make it easy to tell your bros you were at the bar. 140 chars = worked on your shitty 2007 dumbphone. That was a step forward.

      All the witty one-liner stuff, celebrities and politicians spewing talking-points, journalists spamming urls, etc, was an unanticipated side-effect.
       

    10. Re:Safari and Firefox by RCL · · Score: 1

      So what. If I spend at least 8 hours daily in front of a (desktop) computer with an abundant screen space (two large monitors), why should I read tweets on my mobile device(s)? When I'm commuting, I don't have much time for that either.

      --
      Coding etudes
    11. Re:Safari and Firefox by Tridus · · Score: 1

      Yeah, and overnight all the PCs in the world vanished like magic!

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    12. Re:Safari and Firefox by Mashiki · · Score: 1

      Funny little thing happened while your were asleep Rip Van Winkle. Smartphones were found under a cabbage leaf and the world rejoiced.

      Well someone already made the point, on smartphones and that tiny ass little screen. I mean really now, as you get older that tiny screen is going to get mighty tough to look at. So tell me again, why would I want to read something in a 4" to 8" area, when I can look at it on a 22" to 27" area in much better resolution without straining my eyes.

      --
      Om, nomnomnom...
    13. Re:Safari and Firefox by jkflying · · Score: 1

      There's an App for that...

      --
      Help I am stuck in a signature factory!
    14. Re:Safari and Firefox by Anonymous Coward · · Score: 1

      Reading tweets period is a massive step backwards. I'm thrilled we could slave to produce this "internet" you all are glued to, reading.....tweets. Awesome. Next time I'm going to engineer new lollipops, that seems to be more your(and the other tweet-consuming masses) speed.

    15. Re:Safari and Firefox by NotBorg · · Score: 2

      Who reads twitter with a web browser anymore?

      Anyone clicking a link in a Twitter keep alive e-mail. Recently they've taken a play from Facebook and started spamming anyone they think might be loosing interest in their network. If you're not actively engaged with a certain usage pattern you get mail.

      --
      I want this account deleted.
    16. Re:Safari and Firefox by antdude · · Score: 1

      I read Twitter in my web browsers. I don't own a mobile phone. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    17. Re:Safari and Firefox by icebike · · Score: 1

      If you need 22 inches to read a 148 character tweet you might as well get a screen reader to read them aloud for you. Or better yet, buy some glasses.

      --
      Sig Battery depleted. Reverting to safe mode.
    18. Re:Safari and Firefox by IANAAC · · Score: 1

      There's an App for that...

      That uses HTTP...

    19. Re: Safari and Firefox by MacDork · · Score: 1

      Workers' computers at Twitter were compromised by a java exploit. If they were running Safari it's either oooold or they were using Macs.

      They'd have to be both - as in a Mac running 10.6 or earlier since Apple removed Java from the OS

      Twitter is staffed by web developers. Web developers typically use Java. I think you might be missing a third possiblility.

    20. Re:Safari and Firefox by mypalmike · · Score: 1

      >> There's an App for that...

      > That uses HTTP...

      to make API calls...

      --
      There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
    21. Re:Safari and Firefox by IANAAC · · Score: 1

      >> There's an App for that...

      > That uses HTTP...

      to make API calls...

      As any web browser would do.

    22. Re:Safari and Firefox by jkflying · · Score: 1

      The entire point being that it isn't being accessed with a 'browser' that has a Java plugin.

      --
      Help I am stuck in a signature factory!
    23. Re:Safari and Firefox by Albert71292 · · Score: 1

      Who reads twitter with a web browser anymore?

      Did osmosis and transmission into the brain by optical cable get perfected while I was offline in the last three weeks? Can you let us in on the secret...

      Funny little thing happened while your were asleep Rip Van Winkle. Smartphones were found under a cabbage leaf and the world rejoiced.

      Not everyone owns a smartphone. I've never owned ANY kind of cellphone. Mainly read Twitter at the webpage on my desktop. If you want to know WHY I don't own a cellphone, it's because I'd find it an unnecessary expense. Haven't found a need for one.

      --
      "A Bird In The Hand Will Poop On Your Wrist"-Benny Hill,1982
    24. Re:Safari and Firefox by helix2301 · · Score: 1

      When they announce these hacks I would like to know how many are active accounts and not just an account with an egg and one tweet.

      --
      http://www.thetechnologygeek.org
    25. Re:Safari and Firefox by icebike · · Score: 1

      Egg and One Tweet doesn't necessarily mean inactive. Just a listener.

      I know several people who use EOT accounts to follow breaking news, and maybe a sports team or two, but never ever add to the din of pointless babble.

      --
      Sig Battery depleted. Reverting to safe mode.
    26. Re:Safari and Firefox by hkmwbz · · Score: 1

      Smartphones don't have web browsers?

      --
      Clever signature text goes here.
  3. Re:Discrimination by jones_supa · · Score: 4, Informative

    At least Firefox did the right thing and doesn't run plugins automatically anymore by default, with a recent enough Flash being an exception.

  4. And The Washington Post by guttentag · · Score: 5, Informative
    A New York Times story today adds The Washington Post to the list of American news organizations whose newsroom computers were found to be communicating with computers in China on their own.

    For those keeping score:
    • The New York Times
    • The Washington Post
    • The Wall Street Journal
    • Bloomberg News
    1. Re:And The Washington Post by Anonymous Coward · · Score: 2, Funny

      Begun the cyber war has.

    2. Re:And The Washington Post by GiantMolecularCloud · · Score: 1

      Or are you going to claim the Chinese hacked your Slashdot account to mod my comment down.

      How do you know they didn't?

      I wouldn't put it past them quite frankly.

    3. Re:And The Washington Post by quetwo · · Score: 1

      Maybe the hackers just wanted to read the news before it was re-written for Chinese consumption...

    4. Re:And The Washington Post by Tempest_2084 · · Score: 1

      Begun the cyber war has.

      The seaman looks up and maneuvers the boat toward shore. He cries out "I have waited three ages for someone to say those words and save me from sailing this endless ocean. Please accept this gift. You may find it useful!"

  5. Does it mean... by BitterOak · · Score: 1

    I'm having trouble following this. If I understand correctly, if I had Java disabled in my browser already, then my Twitter account is safe? It's really hard to tell from the article.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    1. Re:Does it mean... by mrbluze · · Score: 3, Insightful

      I'm having trouble following this. If I understand correctly, if I had Java disabled in my browser already, then my Twitter account is safe? It's really hard to tell from the article.

      If you don't have a twitter account, you're safe. This exploit was not related to what is on your browser, it was on Twitter's servers.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    2. Re:Does it mean... by jones_supa · · Score: 1

      Makes me still wonder why the Twitter representative started to talk about disabling Java?

    3. Re:Does it mean... by sumdumass · · Score: 1

      I'm wondering how Java led to a server being exploited unless it was a computer inside their network that allowed remote access and an attack on the servers from within.

    4. Re:Does it mean... by Tridus · · Score: 4, Informative

      Someone inside Twitter's network had Java enabled, and got attacked. Hackers are now inside Twitter and can start poking around.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  6. "manager of network did security not specify" by bill_mcgonigle · · Score: 5, Funny

    Well, one thing is for sure - the exploit was written with a context-free grammar.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:"manager of network did security not specify" by VortexCortex · · Score: 4, Funny

      Well, one thing is for sure - the exploit was written with a context-free grammar.

      I one our free overloards context welcome for.

      Decode shift-pop order via.

  7. And... by Anonymous Coward · · Score: 3, Insightful

    nothing of value was lost

  8. Re:bad things do happen in threes by VortexCortex · · Score: 4, Informative

    Protip: Right-click video, then "Copy Video URL at Current Time.". Like So: https://www.youtube.com/watch?v=ET1-_PeExMs#t=116s

  9. Re:Discrimination by pandronic · · Score: 2

    Someone forgot to take their meds this morning ...

  10. Re:Discrimination by Anonymous Coward · · Score: 1

    Only Steve Jobs took substantive, albeit indirect, steps to eliminate these obvious threats to computer security.

    If by "took steps" you mean "died," then yeah you are right.

  11. grammar-free context!, not context-free grammar! by girlinatrainingbra · · Score: 1

    Re:"manager of network did security not specify"
    .
    You say:the exploit was written with a context-free grammar.
    .
    I say: the article was written with a grammar-free context!
    ;>)

  12. Re:Discrimination by Anonymous Coward · · Score: 1

    You really shouldn't be calling other users sadomasochistic when you are running NoScript which breaks every other site. You signed up for this, so bend-over bitchboy, and take your configuration problems harder.

    captcha: virgins

  13. Re: Did Yoda write this? by G-News.ch · · Score: 1

    actually the sentence should be "...manager of network security did not specify...", so no, they didn't mean "did not specify security".

  14. I call foul. by rwven · · Score: 1

    I call foul.

    I don't even have Java installed....and yet my twitter account was hacked due to a java vulnerability? I got one of the emails saying my account had been compromised...but according to this, that wouldn't have been possible.

    Someone's mistaken...or lying.

    1. Re:I call foul. by rwven · · Score: 1

      Also...I -only- use Chrome, and nothing else. Yet this was supposedly a Safari and FF specific problem?

    2. Re:I call foul. by ScentCone · · Score: 1

      You're confused. It wasn't a Java hack on YOUR computer, it was a Java hack on a machine internally at Twitter, via which accounts were snooped. Relax.

      --
      Don't disappoint your bird dog. Go to the range.
    3. Re: I call foul. by rwven · · Score: 1

      Ah! That makes a lot more sense.

    4. Re:I call foul. by rwven · · Score: 1

      *relaxes*

      Thanks for the clarification. I'm feeling a little sheepish now.

  15. Re:Corporate Responsibility by rwven · · Score: 4, Informative

    They DID. My account was compromised. I got an email.

  16. Rubbish by Frankie70 · · Score: 4, Informative

    If a security hole in Java running on a Twitter user's browser allowed someone to get to Twitter's internal data (i.e. not just the data of the user whose browser who had Java) - then it's a security hole in Twitter.

    I think Twitter is being dishonest here.

    1. Re:Rubbish by prunedude · · Score: 1

      Exactly. Can someone explain how this is NOT the case?

  17. Re:Discrimination by Anonymous Coward · · Score: 1

    Sometimes you gotta lead by example.

  18. That would mean... by thetoadwarrior · · Score: 1

    How can java and safari be to blame? Unless of course an employee was surfing porn or something questionable and his PC was hijacked but I would say the problem is with twitter not doing more to protection their employee machines and network.

    1. Re:That would mean... by Tridus · · Score: 1

      According to an article here a couple days ago, online ads are more dangerous than porn. Considering how many flaws there are in Java, all you need to do is get some code on any website someone visits and you can root the machine. The idea that the Twitter user was doing anything inappropriate at all is just speculation.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    2. Re:That would mean... by thetoadwarrior · · Score: 1

      I agree it is speculation and you're right about ads. But either way, I'm glad I use Linux without Java.

  19. Re:Discrimination by Tridus · · Score: 1

    Windows is far more secure than Java these days. There isn't a lot of active "load a webpage and your computer is owned" exploits going around, unlike for Java where it's a weekly thing.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  20. Re:WTF does by Tridus · · Score: 1

    "Old" as in from two days ago?

    Or maybe it's another unpatched Java flaw being used. Those are a dime a dozen.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  21. Clear text passwords by drginge · · Score: 1

    Its unclear why twitter are resetting passwords. Is it simply a precaution as the password data is encrypted and useless (as it should be)? Surely in this day and age Twitter aren't storing passwords in clear text?

    1. Re:Clear text passwords by quetwo · · Score: 1

      According to their report, they were encrypted with different salt. But given enough time and computing resources. I imagine that they would go after the better known celebrities first, but you never know who would be caught in the crossfire. Expiring the passwords was a good move since even if the passwords are decrypted, they can't get into your twitter account.

  22. Re:Discrimination by Stewie241 · · Score: 1

    Yes, and they did the right thing by allowing you to choose to still run Java. As opposed to Safari where it is blocked and they give you no indication as to how to go about reenabling it.

    There are two things here that Firefox solves better:
    1. They allow you to choose to override the denial so that you can opt to trust a particular applet.
    2. They allow you to still use Java but you have to specifically enable/trust the applets that you need, rather than it being all or nothing.

  23. Soft targets? by cabazorro · · Score: 1

    The pattern reveals media and social companies as the low hanging fruit. As long as they don't do a big hit on the 3 big ones: Apple, Google, Amazon then there is not much cause for alarm.

    --
    - these are not the droids you are looking for -
  24. Java vulnerabilities in the BROWSER? by mr_mischief · · Score: 1

    No. Internal systems that are secure do not get compromised by rouge clients.

    Could it be that someone used Java in the browsers to snatch credentials from users on their local machines? Sure.

    Could someone infect a browser and that cause Twitter's network to be insecure? No.

  25. Call me web 1.0, but... by R3nCi · · Score: 1

    This is an awfully good illustration of one of the many reasons why I don't drink the social-networking Kool Aid. I make exceptions for Goodreads and RateYourMusic, plus a few forum accounts, but that's it.

  26. Re:Discrimination by mypalmike · · Score: 1

    > Windows is far more secure than Java these days. There isn't a lot of active "load a webpage and your computer is owned" exploits going around

    To be fair, the typical Java exploit actually goes "load a webpage, Java downloads a Windows executable, runs it, and your computer is owned".

    --
    There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.