Teenage Twitter hackers uncover serious security flaw

Twitter may need a new fail whale – one to represent a security faux pas.

If your handle on Twitter is short, simple or just cool-sounding, you may become the victim of a new hacking trend. Although these hackers aren’t after users’ credit card or bank information, they’re still making a decent buck on the Twitter handle black market.

Daniel Dennis Jones, a media producer and recent victim of a Twitter account hijacking, recounted his experience on Storify. While his quest started off as a simple investigation into what exactly happened to his account, it turned into a trip “down a rabbit hole of security vulnerabilities, username black markets and teen crushes.”

Wait, there’s a Twitter black market?
In his investigation, Jones uncovered a conversation between account hijackers that revealed the first motivation for the breaches. As with many cyber criminal activities, money is a big incentive. And, as it turns out, a simple Twitter handle can fetch a decent price. For example, Jones’ own handle “@blanket” was put on sale for $60. Meanwhile “@captain” was stolen and sold for $100, and the hackers said that a 2-character Twitter name could sell for as much as $200. Jones also noted that the hackers appeared to be teenagers and frequently swapped hijacked account information in order to impress girls.

Twitter’s epic security failure
Things got a little more interesting as Jones explored the issue in depth. He had a friendly chat with a 14-year-old hacker going by the alias “Moon,” who explained how he did it. Some of the fault lies with Twitter, as Moon explained, because the social network’s captcha system throttles failed logins by IP address rather than by account.

This means that the system forces a user to solve a captcha puzzle only after a series of failed login attempts from the same IP address. The number of attempts against a single account, however, is unlimited as long as they appear to come from different IPs, which is easy to arrange with proxy servers. The weakness is underscored by the fact that it took a 14-year-old newcomer to hacking only two weeks to work out how to defeat the system.
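The flaw described above is a rate-limiting design choice, so it is worth seeing the weak policy next to the fixed one. The following is an added example, not code from the article or from Twitter: a small login throttle that counts failed attempts per source IP only (the behaviour Moon described), alongside one that also counts failures per account. The threshold of five failures, the account name and the 10.0.0.x addresses are constructed for the demonstration.

```python
# Added example: per-IP-only login throttling versus per-IP plus per-account.
# Not the article's or Twitter's code; threshold and sample values are assumed.
from collections import defaultdict

CAPTCHA_AFTER = 5  # failed attempts tolerated before a captcha is demanded (assumed)


class LoginThrottle:
    """Tracks failed logins and decides when to demand a captcha.

    per_account=False reproduces the weak policy in the article: only the
    source IP is counted, so rotating IPs resets the counter every time.
    per_account=True additionally counts failures against the target account,
    which is the counter an attacker cannot reset by changing proxies.
    """

    def __init__(self, per_account: bool):
        self.per_account = per_account
        self.failed_by_ip = defaultdict(int)
        self.failed_by_account = defaultdict(int)

    def needs_captcha(self, ip: str, account: str) -> bool:
        if self.failed_by_ip[ip] >= CAPTCHA_AFTER:
            return True
        return self.per_account and self.failed_by_account[account] >= CAPTCHA_AFTER

    def record_failure(self, ip: str, account: str) -> None:
        self.failed_by_ip[ip] += 1
        self.failed_by_account[account] += 1

    def record_success(self, ip: str, account: str) -> None:
        # A correct password clears both counters for that IP and account.
        self.failed_by_ip.pop(ip, None)
        self.failed_by_account.pop(account, None)


def unchallenged_attempts(throttle: LoginThrottle, account: str,
                          ip_pool: list, total_attempts: int) -> int:
    """Simulate wrong-password attempts against one account, rotating the
    source IP through ip_pool, and return how many were accepted without a
    captcha. A defender wants this number to stay small regardless of how
    many IPs the attempts are spread across."""
    accepted = 0
    for i in range(total_attempts):
        ip = ip_pool[i % len(ip_pool)]
        if throttle.needs_captcha(ip, account):
            break
        throttle.record_failure(ip, account)
        accepted += 1
    return accepted


if __name__ == "__main__":
    # Constructed sample: ten source addresses, sixty bad guesses on one account.
    pool = [f"10.0.0.{n}" for n in range(1, 11)]
    weak = unchallenged_attempts(LoginThrottle(per_account=False), "example_account", pool, 60)
    fixed = unchallenged_attempts(LoginThrottle(per_account=True), "example_account", pool, 60)
    print(f"per-IP only: {weak} guesses accepted before a captcha")      # 50
    print(f"per-IP + per-account: {fixed} guesses accepted before a captcha")  # 5
```

With ten addresses the per-IP-only throttle lets fifty guesses through before any single address reaches the threshold, and the number grows linearly with the size of the proxy pool; the per-account counter caps it at five no matter how many addresses are used. In a real deployment the per-account counter would also need to expire over time and should demand a captcha or step-up check rather than a hard lockout, so that an attacker cannot use it to lock legitimate users out of their own accounts.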

“I have to say, Moon seems down to Earth, as much as a (probably) teenager can be,” Jones wrote. “Not malicious, simply exploiting vulnerabilities. I still shake my head at how a kid would come to feel comfortable with this behavior, ethically. I mean exploiting security vulnerabilities on a microblogging site to make chump change?”

Should Twitter have to improve layered security by upgrading its captcha system? What action should be taken against the teenage hackers? Let us know in the comments section!

Scott Cornell

When he’s not knee deep in blogging and all things tech, Scott spends his free time playing ultimate Frisbee and watching foreign films. An expert in emerging tech trends, Scott always has his ear to ground for breaking news related to IT security.