Friday, May 1, 2009

[WebAppSec] Twitter's admin panel compromised

One of the best known Rails applications, Twitter, was compromised very recently. A French hacker claimed that he gained access to Twitter's admin panel at https://admin.twitter.com/. Twitter confirmed that an outside individual gained access to details of several accounts, including the accounts of Ashton Kutcher, Lily Allen, Britney Spears and Barack Obama.

It seems that the hacker gained access to the Yahoo Mail account of a Twitter employee by answering his "secret question"; this let him reset the password and read the mailbox. In one of the e-mails he found the Twitter administration password.

Here is a list of must-have security countermeasures for admin panels:

  • Don't make the admin panel publicly available unless you really have to! It seems that admin.twitter.com was secured with a .htaccess file. I recommend at least restricting access to a handful of IP addresses.
  • Don't make admin panels pretty; make sure they are safe against Cross-Site Scripting and CSRF! A single message to the support panel containing Cross-Site Scripting is sometimes already enough to gain access to the panel.
  • Forgotten passwords are a huge problem. Resetting one with the answer to an easy question is definitely not enough. Sending a password-reset URL to an e-mail address is currently one of the best solutions (but it isn't totally secure).
  • It seems that everyone with access to the Twitter admin panel may do everything. Why can everyone download "emails to gzipped CSV file"? Why not require re-entering a password for sensitive actions, or use a role-based admin user model?
  • Someone suggested using authentication tokens that provide a randomly generated key upon login.
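As an added example (not the post's code and not Twitter's), here is a plain-Ruby sketch of three of the countermeasures above, written the way a Rails admin controller's before-filters would apply them: an IP allowlist for the admin panel, a role-based action check with forced re-authentication for sensitive actions such as the CSV export, and a random, single-use, expiring password-reset token in place of a "secret question". The network ranges, role names and action names are constructed assumptions; in a real deployment the IP restriction can equally live in the web server's .htaccess or vhost config, and the policy module then becomes a second layer.

```ruby
require "securerandom"
require "openssl"
require "ipaddr"

# Hypothetical admin-panel policy (added example, not Twitter's or the post's code).
module AdminPanelPolicy
  # Constructed allowlist: only office / VPN ranges may reach the admin panel at all.
  ALLOWED_NETWORKS = %w[10.0.0.0/8 203.0.113.0/24].map { |c| IPAddr.new(c) }.freeze

  # Role-based model: which roles may perform which actions (constructed names).
  ROLE_ACTIONS = {
    "support" => %w[view_account reset_user_password],
    "admin"   => %w[view_account reset_user_password export_emails suspend_account],
  }.freeze

  # Actions that additionally require the admin to have re-entered their
  # password within the last RECENT_AUTH_WINDOW seconds.
  SENSITIVE_ACTIONS  = %w[export_emails suspend_account].freeze
  RECENT_AUTH_WINDOW = 300

  def self.ip_allowed?(remote_ip)
    ip = IPAddr.new(remote_ip)
    ALLOWED_NETWORKS.any? { |net| net.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false # an unparsable address never passes the allowlist
  end

  # Returns :ok, or a symbol naming why the request was refused.
  # Checks run from cheapest/most general to most specific.
  def self.authorize(remote_ip:, role:, action:, last_auth_at:, now: Time.now.to_i)
    return :ip_blocked unless ip_allowed?(remote_ip)
    return :forbidden  unless ROLE_ACTIONS.fetch(role, []).include?(action)
    if SENSITIVE_ACTIONS.include?(action) &&
       (last_auth_at.nil? || now - last_auth_at > RECENT_AUTH_WINDOW)
      return :reauth_required
    end
    :ok
  end
end

# Password reset via a random, single-use, expiring token that is mailed as a
# URL, instead of answering a "secret question".
class PasswordReset
  TOKEN_TTL = 15 * 60 # seconds a reset link stays valid

  def initialize
    @tokens = {} # SHA-256(token) => { email:, expires_at: }
  end

  # Issue a token for the account; only its digest is stored, so a leaked
  # table cannot be replayed as live reset links.
  def issue(email, now: Time.now.to_i)
    token = SecureRandom.urlsafe_base64(32)
    @tokens[digest(token)] = { email: email, expires_at: now + TOKEN_TTL }
    token
  end

  # Returns the account e-mail if the token is valid and consumes it;
  # returns nil for unknown, already-used or expired tokens.
  def redeem(token, now: Time.now.to_i)
    record = @tokens.delete(digest(token)) # delete => single use
    return nil if record.nil? || now > record[:expires_at]
    record[:email]
  end

  private

  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end
end
```

Note that `redeem` deletes the record before checking expiry, so an expired token is discarded rather than left lying around, and that the reset flow never reveals whether an e-mail address exists: `issue` behaves identically for any address, and the difference is only whether a mail arrives.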

I wrote about this already a while ago.


Reader Comments (5)

Am I the only one that wonders why Twitter are not using SSL client certificates yet?

For someone who should have a fair amount of *nix brain power, it should be fairly simple for them to set up, and will go a LONG way toward securing access to their admin panel.

The technology has been around since forever, and is supported by most browsers and servers alike.

May 1, 2009 | Unregistered Commenter Morgan Roderick

Actually the admin panel is secured with SSL already as you can see in the screenshots. Just this isn't much help if someone got the password for the panel. SSL encrypts the transfer between the server and the client, only.

May 2, 2009 | Registered Commenter Heiko

@Heiko, actually the ssl client certificates @Morgan is talking about are more similar to ssh keys than https ssl certs http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500

May 5, 2009 | Unregistered Commenter Richie Vos

@Richie and @Morgan: Oh yes, it seems that I didn't see the "client" before it. That is a very good point. Thanks.

May 5, 2009 | Registered Commenter Heiko
