Last week, it came to light that a large number of sensitive, internal Twitter documents had been compromised and sent to the tech news site TechCrunch. Over the course of a few days, TechCrunch selectively published a decent amount of moderately interesting information. But even more interesting than the content of the stolen documents was how the hacker responsible for the break-in carried out his attack. Not surprisingly, a bit of social engineering combined with a loophole in how Hotmail handles old, dormant accounts were the key parts of the equation.
TechCrunch was able to start up a dialogue with the responsible hacker, nicknamed Hacker Croll, and get some down and dirty details regarding just how he went about procuring hundreds of private Twitter documents.
Unfortunately for Twitter, Hacker Croll found just such a weak point: an employee whose online habits are probably no different from those of 98% of other web users. It began with that employee's personal Gmail account. Like most web applications, the personal edition of Gmail has a password recovery feature that presents the user with a series of challenges to prove their identity before the password is reset. It likely wasn't the first Twitter employee's account that Hacker Croll had tried to get into, but in this particular case he discovered a chink in the armor that gave him the crucial first step. On requesting a password reset, Gmail told him that an email had been sent to the user's secondary email address. To balance usability against security, Gmail offers a hint about which address the reset email is going to, in case the user needs a gentle reminder. Here the obfuscated pointer to the secondary address was ******@h******.com, and the natural best guess was that it lived at hotmail.com.
At Hotmail, Hacker Croll again went through the password recovery procedure, making an educated guess at the username from what he already knew. This is where the chain of trust broke down: the account Gmail was using as a secondary, hosted at Hotmail, was no longer active, because Hotmail's policy is to delete old, dormant accounts and release their addresses for re-registration. He simply registered that address himself, requested the Gmail password reset again, and within moments had the reset email and, with it, access to the Twitter employee's personal Gmail account. The first domino had fallen.
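To make the chain above concrete, here is a small Python model of it, added for this post and not taken from Gmail, Hotmail, or anything Hacker Croll published. The provider names (webmail.example, legacy.example, lavabit.example), the dormancy periods, the masking format and the `reverify_after` policy are all assumptions made for the example. It replays the attack three ways: against a secondary provider that recycles dormant addresses, against one that tombstones them, and against a primary provider that refuses to mail a reset token to a recovery address the owner has not re-confirmed recently.

```python
"""Toy model of the recovery chain in the post. Providers, domains, policies
and timings are assumptions made for this example, not Google's or
Microsoft's actual code."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

DIRECTORY: dict = {}            # domain -> Provider, standing in for "the internet"

@dataclass
class Mailbox:
    password: str
    last_login_day: int = 0
    recovery: Optional[str] = None      # secondary address that receives reset tokens
    recovery_verified_day: int = 0      # last day the owner confirmed that address
    inbox: list = field(default_factory=list)

class Provider:
    """dormant_after: days of inactivity before an account is closed.
    recycle: a closed address returns to the pool (Hotmail-style) or is tombstoned.
    reverify_after: if set, refuse resets when the recovery address was confirmed
    more than this many days ago (assumed mitigation, not a real Gmail feature)."""

    def __init__(self, domain, dormant_after, recycle, reverify_after=None):
        self.domain, self.dormant_after = domain, dormant_after
        self.recycle, self.reverify_after = recycle, reverify_after
        self.accounts, self.tombstones, self.tokens, self.day = {}, set(), {}, 0
        DIRECTORY[domain] = self

    def register(self, local, password):
        addr = f"{local}@{self.domain}"
        if addr in self.accounts or addr in self.tombstones:
            raise ValueError(f"{addr} is taken")
        self.accounts[addr] = Mailbox(password, last_login_day=self.day)
        return addr

    def advance(self, days):
        self.day += days
        for addr, box in list(self.accounts.items()):
            if self.day - box.last_login_day > self.dormant_after:
                del self.accounts[addr]
                if not self.recycle:
                    self.tombstones.add(addr)       # closed but never reassignable

    def request_reset(self, addr):
        """Mail a reset token to the recovery address; return the masked hint."""
        box = self.accounts[addr]
        if (self.reverify_after is not None
                and self.day - box.recovery_verified_day > self.reverify_after):
            raise PermissionError("recovery address is stale; re-verify it first")
        token = secrets.token_hex(8)
        self.tokens[token] = addr
        deliver(box.recovery, f"reset-token:{token}")
        return mask(box.recovery)

    def complete_reset(self, token, new_password):
        self.accounts[self.tokens.pop(token)].password = new_password

def deliver(addr, message):
    box = DIRECTORY[addr.split("@")[1]].accounts.get(addr)
    if box is not None:                 # unknown address: mail bounces, nothing is kept
        box.inbox.append(message)

def mask(addr):
    """Gmail-style hint: keep only the provider's first letter and the TLD."""
    local, domain = addr.split("@")
    name, tld = domain.rsplit(".", 1)
    return "*" * len(local) + "@" + name[0] + "*" * (len(name) - 1) + "." + tld

def guess_domains(hint, candidates):
    """Which candidate providers are consistent with the masked hint?"""
    masked = hint.split("@")[1]
    return [d for d in candidates if mask("x@" + d).split("@")[1] == masked]

def run_attack(recycle, reverify_after=None):
    """Replay the chain; True means the attacker ends up owning the primary account."""
    primary = Provider("webmail.example", 365, recycle=False, reverify_after=reverify_after)
    legacy = Provider("legacy.example", 270, recycle=recycle)
    old = legacy.register("employee", "hunter2")            # day 0: both accounts exist
    main = primary.register("employee", "correct horse")
    primary.accounts[main].recovery = old                   # old address set as recovery
    for _ in range(4):                                      # 400 days: primary used, old forgotten
        primary.advance(100)
        legacy.advance(100)
        primary.accounts[main].last_login_day = primary.day
    try:
        hint = primary.request_reset(main)      # token bounces: `old` no longer exists
    except PermissionError:
        return False                            # primary refused the stale recovery address
    (domain,) = guess_domains(hint, ["webmail.example", "legacy.example", "lavabit.example"])
    try:                                        # educated guess: same username as the primary
        grabbed = DIRECTORY[domain].register(main.split("@")[0], "attacker-pw")
    except ValueError:
        return False                            # tombstoned: the chain holds
    primary.request_reset(main)                 # now the token lands in the attacker's inbox
    token = legacy.accounts[grabbed].inbox[-1].split(":", 1)[1]
    primary.complete_reset(token, "attacker-chosen")
    return primary.accounts[main].password == "attacker-chosen"
```

`run_attack(recycle=True)` succeeds: the masked hint narrows the provider to one candidate, the username guess matches, the freed address is re-registered, and the second reset token lands in the attacker's mailbox. `run_attack(recycle=False)` fails at registration because the address is tombstoned, and `run_attack(recycle=True, reverify_after=180)` fails earlier because the primary will not mail a token to a recovery address nobody has confirmed in over a year. Note that `mask` leaks both the first letter and the length of the provider name, which is why `guess_domains` usually returns exactly one hit.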
It was so simple that an 8th grader could easily have pulled it off. And what's up with Hotmail recycling email addresses? I understand wanting to free up inactive, seemingly dead accounts, but how do you reconcile that with security considerations like the one outlined above?
So let that be a lesson to ya: don't use Hotmail! And if I may digress, I remember that as late as 2006 Hotmail still didn't save users' sent mail unless it was a reply to an email from another user. How ridiculous is that?
You can check out the full story behind the Twitter attack over at TechCrunch.
July 21st, 2009 at 6:05 pm
??? You mean: Password reminders sent over email are a bad idea—Google outsourced their security to Microsoft and any other email provider. Bad idea. Score: MSFT: 0 (for recycling old email addresses) GOOG: 0 (for allowing password reminders at all).