




Twitter #Hacked 111
theodp writes "Earlier this week, hackers gained access to Twitter's internal systems and stole information, compromising 250,000 Twitter accounts before the breach was stopped. Reporting the incident on the company's official blog, Twitter's manager of network security did not specify the method by which hackers penetrated its system, but mentioned vulnerabilities related to Java in Safari and Firefox, and echoed Homeland Security's advisory that users disable Java in their browsers. Sure, blame everything on Larry Ellison. Looks like bad things do happen in threes — Twitter's report comes on the heels of disclosures of hacking attacks on the WSJ and NY Times."
quick and dirty programming (Score:2)
Safari and Firefox (Score:5, Insightful)
Who reads twitter with a web browser anymore? All quarter million of these accounts?
Or was that avenue used to gain access on a server to a password database or what?
TFA says
hackers gained access to Twitter's internal systems and stole information, compromising 250,000 accounts
They then reference an advisory from the U.S. Department of Homeland Security that users disable Java on their computers.
Maybe Twitter should follow DHS?
This sounds like half the story. And press accounts aren't much more informative. Seems everyone is playing this java angle pretty close to the vest.
Re: Safari and Firefox (Score:3, Insightful)
Workers' computers at Twitter were compromised by a java exploit. If they were running Safari it's either oooold or they were using Macs.
Re: Safari and Firefox (Score:5, Informative)
They'd have to be both - as in a Mac running 10.6 or earlier since Apple removed Java from the OS and blocked old versions. Heck, a couple of days ago Apple blocked ALL versions of Java (they set the minimum version to 0.0.01 above the current one - Oracle just released it that was 0.0.02 above their previous version).
Apple basically kicked Java to the curb with Flashback - they removed their version of Java from the OS (by blocking it, requiring install of the Oracle one). And the Java plugin for Safari is disabled by default - you can enable it, but I believe it disables itself automatically 30 days later, so you have to re-enable it again.
Re: (Score:2)
Workers' computers at Twitter were compromised by a java exploit. If they were running Safari it's either oooold or they were using Macs.
They'd have to be both - as in a Mac running 10.6 or earlier since Apple removed Java from the OS
Twitter is staffed by web developers. Web developers typically use Java. I think you might be missing a third possibility.
Re: (Score:2)
Who reads twitter with a web browser anymore?
Did osmosis and transmission into the brain by optical cable get perfected while I was offline in the last three weeks? Can you let us in on the secret...
Re:Safari and Firefox (Score:5, Funny)
Who reads twitter with a web browser anymore?
Did osmosis and transmission into the brain by optical cable get perfected while I was offline in the last three weeks? Can you let us in on the secret...
Funny little thing happened while you were asleep Rip Van Winkle. Smartphones were found under a cabbage leaf and the world rejoiced.
Re:Safari and Firefox (Score:5, Insightful)
Yeah, reading tweets on a little phone screen. That's a step forward, yes it is.
Re: (Score:1)
Yeah, reading tweets on a little phone screen. That's a step forward, yes it is.
Originally Twitter was supposed to be a SMS broadcast service to make it easy to tell your bros you were at the bar. 140 chars = worked on your shitty 2007 dumbphone. That was a step forward.
All the witty one-liner stuff, celebrities and politicians spewing talking-points, journalists spamming urls, etc, was an unanticipated side-effect.
Re: (Score:1)
Reading tweets period is a massive step backwards. I'm thrilled we could slave to produce this "internet" you all are glued to, reading.....tweets. Awesome. Next time I'm going to engineer new lollipops, that seems to be more your (and the other tweet-consuming masses) speed.
Re: (Score:2)
And how exactly is that not using a web browser? It may not look the same way, but it does the same thing: it connects to a website (using HTTP protocol), thus allowing you to browse the web. So it's still a browser.
However, being a browser doesn't mean it has to support applets.
Re: (Score:2)
There's an App for that...
Re: (Score:2)
There's an App for that...
That uses HTTP...
Re: (Score:2)
>> There's an App for that...
> That uses HTTP...
to make API calls...
Re: (Score:2)
>> There's an App for that...
> That uses HTTP...
to make API calls...
As any web browser would do.
Re: (Score:2)
The entire point being that it isn't being accessed with a 'browser' that has a Java plugin.
Re: (Score:2)
Re: (Score:2)
Yeah, and overnight all the PCs in the world vanished like magic!
Re: (Score:2)
Funny little thing happened while you were asleep Rip Van Winkle. Smartphones were found under a cabbage leaf and the world rejoiced.
Well someone already made the point, on smartphones and that tiny ass little screen. I mean really now, as you get older that tiny screen is going to get mighty tough to look at. So tell me again, why would I want to read something in a 4" to 8" area, when I can look at it on a 22" to 27" area in much better resolution without straining my eyes.
Re: (Score:2)
If you need 22 inches to read a 148 character tweet you might as well get a screen reader to read them aloud for you. Or better yet, buy some glasses.
Re: (Score:1)
Who reads twitter with a web browser anymore?
Did osmosis and transmission into the brain by optical cable get perfected while I was offline in the last three weeks? Can you let us in on the secret...
Funny little thing happened while you were asleep Rip Van Winkle. Smartphones were found under a cabbage leaf and the world rejoiced.
Not everyone owns a smartphone. I've never owned ANY kind of cellphone. Mainly read Twitter at the webpage on my desktop. If you want to know WHY I don't own a cellphone, it's because I'd find it an unnecessary expense. Haven't found a need for one.
Re: (Score:2)
Re: (Score:2)
Sounds to me like they have found Java exploits posted to compromised accounts, at a guess. They're advising people to disable Java so that their personal computers aren't compromised as well.
How much personal information is required to set up a Twitter account? I don't use it, but I'd guess not much. So what the hackers gained is 1/4 of a million places to post links to exploit sites - places that may have a wide audience (twitter followers).
Re:Safari and Firefox (Score:4, Interesting)
And access to any sites using Twitter OAuth credentials.
Re: (Score:3)
Anyone clicking a link in a Twitter keep alive e-mail. Recently they've taken a play from Facebook and started spamming anyone they think might be losing interest in their network. If you're not actively engaged with a certain usage pattern you get mail.
Re: (Score:2)
I read Twitter in my web browsers. I don't own a mobile phone. :P
Re: (Score:1)
Re: (Score:2)
Egg and One Tweet doesn't necessarily mean inactive. Just a listener.
I know several people who use EOT accounts to follow breaking news, and maybe a sports team or two, but never ever add to the din of pointless babble.
Re:Discrimination (Score:5, Informative)
Re: (Score:2)
Someone forgot to take their meds this morning ...
Re: (Score:1)
You really shouldn't be calling other users sadomasochistic when you are running NoScript which breaks every other site. You signed up for this, so bend-over bitchboy, and take your configuration problems harder.
captcha: virgins
Re: (Score:2)
Yes, and they did the right thing by allowing you to choose to still run Java. As opposed to Safari where it is blocked and they give you no indication as to how to go about reenabling it.
There are two things here that Firefox solves better:
1. They allow you to choose to override the denial so that you can opt to trust a particular applet.
2. They allow you to still use Java but you have to specifically enable/trust the applets that you need, rather than it being all or nothing.
Re: (Score:1)
Only Steve Jobs took substantive, albeit indirect, steps to eliminate these obvious threats to computer security.
If by "took steps" you mean "died," then yeah you are right.
Re: (Score:1)
Sometimes you gotta lead by example.
Re: (Score:2)
Windows is far more secure than Java these days. There isn't a lot of active "load a webpage and your computer is owned" exploits going around, unlike for Java where it's a weekly thing.
Re: (Score:2)
> Windows is far more secure than Java these days. There isn't a lot of active "load a webpage and your computer is owned" exploits going around
To be fair, the typical Java exploit actually goes "load a webpage, Java downloads a Windows executable, runs it, and your computer is owned".
And The Washington Post (Score:5, Informative)
For those keeping score:
Re: (Score:1)
Looks like bad things do happen in threes — Twitter's report comes on the heels of disclosures of hacking attacks on the WSJ and NY Times."
Moderation abuse? Or are you going to claim the Chinese hacked your Slashdot account to mod my comment down.
Re: (Score:1)
Or are you going to claim the Chinese hacked your Slashdot account to mod my comment down.
How do you know they didn't?
I wouldn't put it past them quite frankly.
Re: (Score:2, Funny)
Begun the cyber war has.
Re: (Score:1)
Begun the cyber war has.
The seaman looks up and maneuvers the boat toward shore. He cries out "I have waited three ages for someone to say those words and save me from sailing this endless ocean. Please accept this gift. You may find it useful!"
Re: (Score:2)
Maybe the hackers just wanted to read the news before it was re-written for Chinese consumption...
Does it mean... (Score:2)
Re:Does it mean... (Score:4, Insightful)
I'm having trouble following this. If I understand correctly, if I had Java disabled in my browser already, then my Twitter account is safe? It's really hard to tell from the article.
If you don't have a twitter account, you're safe. This exploit was not related to what is on your browser, it was on Twitter's servers.
Re: (Score:2)
Re: (Score:2)
I'm wondering how Java led to a server being exploited unless it was a computer inside their network that allowed remote access and an attack on the servers from within.
Re:Does it mean... (Score:5, Informative)
Someone inside Twitter's network had Java enabled, and got attacked. Hackers are now inside Twitter and can start poking around.
"manager of network did security not specify" (Score:5, Funny)
Well, one thing is for sure - the exploit was written with a context-free grammar.
Re:"manager of network did security not specify" (Score:5, Funny)
Well, one thing is for sure - the exploit was written with a context-free grammar.
I one our free overloards context welcome for.
Decode shift-pop order via.
grammar-free context!, not context-free grammar! (Score:2)
You say: the exploit was written with a context-free grammar.
I say: the article was written with a grammar-free context!
;>)
bad things do happen in threes (Score:1)
Really, Slashdot? Yay for superstition..
I guarantee that more than three organizations have been cracked in the last week.
It reminds me somewhat of Tim Minchin at minute 2 in this video: https://www.youtube.com/watch?v=ET1-_PeExMs
Re:bad things do happen in threes (Score:5, Informative)
Re: (Score:2)
"Old" as in from two days ago?
Or maybe it's another unpatched Java flaw being used. Those are a dime a dozen.
And... (Score:3, Insightful)
nothing of value was lost
Corporate Responsibility (Score:1)
Re:Corporate Responsibility (Score:5, Informative)
They DID. My account was compromised. I got an email.
I call foul. (Score:2)
I call foul.
I don't even have Java installed....and yet my twitter account was hacked due to a java vulnerability? I got one of the emails saying my account had been compromised...but according to this, that wouldn't have been possible.
Someone's mistaken...or lying.
Re: (Score:2)
Also...I -only- use Chrome, and nothing else. Yet this was supposedly a Safari and FF specific problem?
Re: (Score:2)
Ah! That makes a lot more sense.
Re: (Score:2)
Re: (Score:2)
*relaxes*
Thanks for the clarification. I'm feeling a little sheepish now.
Rubbish (Score:5, Informative)
If a security hole in Java running on a Twitter user's browser allowed someone to get to Twitter's internal data (i.e. not just the data of the user whose browser had Java) - then it's a security hole in Twitter.
I think Twitter is being dishonest here.
Re: (Score:1)
That would mean... (Score:2)
Re: (Score:2)
According to an article here a couple days ago, online ads are more dangerous than porn. Considering how many flaws there are in Java, all you need to do is get some code on any website someone visits and you can root the machine. The idea that the Twitter user was doing anything inappropriate at all is just speculation.
Re: (Score:2)
Clear text passwords (Score:1)
Re: (Score:2)
According to their report, they were encrypted with different salt. But given enough time and computing resources. I imagine that they would go after the better known celebrities first, but you never know who would be caught in the crossfire. Expiring the passwords was a good move since even if the passwords are decrypted, they can't get into your twitter account.
Soft targets? (Score:2)
The pattern reveals media and social companies as the low hanging fruit. As long as they don't do a big hit on the 3 big ones: Apple, Google, Amazon then there is not much cause for alarm.
Java vulnerabilities in the BROWSER? (Score:2)
No. Internal systems that are secure do not get compromised by rogue clients.
Could it be that someone used Java in the browsers to snatch credentials from users on their local machines? Sure.
Could someone infect a browser and that cause Twitter's network to be insecure? No.
Call me web 1.0, but... (Score:1)
This is an awfully good illustration of one of the many reasons why I don't drink the social-networking Kool Aid. I make exceptions for Goodreads and RateYourMusic, plus a few forum accounts, but that's it.
Re: (Score:1)