Twitter’s Fight to Survive: An information security analysis on the growing social network. By Tracy Boyer
Twitter Threats: An Overview
Publicly launched July, 2006
2006-2007 “over capacity” issues
2008-2009 multitude of hacks, breaches, attacks and other security issues
2009: Rise to fame; fall to hacks
March 10th: Ellen joins the network
“Tis my first twitt-er. Or tweet? Twit? Or tweet? "Twit or tweet everybody." Is this anything?” - http://twitter.com/TheEllenShow/status/1306777707
April 17th: Oprah joins the network
“HI TWITTERS. THANK YOU FOR A WARM WELCOME. FEELING REALLY 21st CENTURY.” - http://twitter.com/Oprah/status/1542224596
“The more prominent you are -- person, organization, or government -- the more likely you are to attract targeted attacks, especially if you’re suddenly thrust into the limelight.” - Bruce Schneier, Beyond Fear
“This particular scam sent out emails resembling those you might receive from Twitter if you get email notifications of your Direct Messages. The email says something like, "hey! check out this funny blog about you..." and provides a link. That link redirects to a site masquerading as the Twitter front page. Look closely at the URL field, if it has another domain besides Twitter but looks exactly like our page then it's a fraud and you should not sign in.” - Twitter blog
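The blog post's advice is "look closely at the URL field". The check that advice describes, written out as code, is an added example (not Twitter's code and not from this deck): the trusted domain list and the sample links are constructed, and the important detail is that the comparison is anchored at the end of the host name, because a phishing host can contain the string "twitter.com" anywhere it likes.

```python
"""Telling a real Twitter link from a look-alike.

Added example, not code from Twitter or from this deck. The trusted domain
list and the sample links are constructed assumptions.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the only registrable domain the site's own login page lives on.
TRUSTED_DOMAINS = ("twitter.com",)


def link_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, or None.

    Anything that is not a plain http(s) link (javascript:, data:, a bare
    path) yields None. urlsplit().hostname drops the port and any 'user@'
    prefix, so 'http://twitter.com@203.0.113.9/' resolves to '203.0.113.9',
    which is exactly where the browser would go.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def is_trusted_link(url: str) -> bool:
    """True only when the host is a trusted domain or a real subdomain of it.

    The comparison is anchored at the end of the host name: both
    'twitter.com.account-check.example' and 'twittercom.net' contain
    'twitter.com' as a substring, and neither is Twitter.
    """
    host = link_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


# Constructed sample links of the kind the blog post warns about, with the
# verdict each should get.
SAMPLES = {
    "https://twitter.com/login": True,
    "http://www.twitter.com/home": True,
    "http://twitter.com.account-check.example/login": False,  # trusted name as a prefix
    "http://twitter.com@203.0.113.9/": False,                 # trusted name as userinfo
    "http://tw1tter.com/": False,                             # typo-squat
    "http://example.net/twitter.com/login": False,            # trusted name in the path
    "javascript:alert(1)": False,                             # not a web link at all
}


def check_samples() -> dict:
    """Map each sample link to the verdict the checker gives it."""
    return {url: is_trusted_link(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(("trusted " if verdict else "FRAUD   ") + url)
```

The same string comparison also rejects homograph hosts (a Cyrillic letter standing in for a Latin one), which the eye cannot: the page only looks like Twitter, the host name does not compare equal. What this check cannot tell you is where a shortened link ends up; the short link has to be expanded first and the final host compared.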
“Tweets began appearing that said "Don't Click" followed by a link. Naturally, people clicked. When they did so, a tweet was sent from their account with the same "Don't Click" message and link.” - CNET News, http://news.cnet.com/8301-1009_3-10162812-83.html
March, 2009: Cell-phone spoof
“The authentication weakness allowed anyone who knew your mobile number to spoof messages to your Twitter.com home page so that they appeared to have come from you, provided your mobile phone number was set up to post and/or receive Twitter messages. That's because Twitter determines which home page should display new messages by checking the "sender ID" field, the area in all mobile text messages that includes the sender's telephone number.” - Washington Post
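The weakness in the Washington Post quote is that one forgeable field, the sender ID, both picks the account and proves who sent the message. The added example below (not Twitter's code) shows that routing logic next to a hardened version in which the sender number only selects the account and a per-user PIN carried in the message body authenticates it. The account table, the PIN scheme and the two gateway deliveries are constructed assumptions.

```python
"""Posting by SMS: trusting the sender-ID field versus requiring a secret.

Added example, not Twitter's code. The account table, PIN scheme and the
gateway deliveries are constructed assumptions; the property being
defended against is real: the sender number in an SMS is supplied by the
sender and can be forged.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    handle: str
    pin: str                        # assumption: secret chosen at setup, never sent by the service
    timeline: List[str] = field(default_factory=list)


def make_accounts() -> Dict[str, Account]:
    """Constructed account store keyed by the phone number registered for SMS."""
    return {"+15555550101": Account("alice", "4827")}


def post_by_sender_id(accounts: Dict[str, Account], sender: str, body: str) -> Optional[str]:
    """Weak: the sender-ID field both selects and authenticates the account."""
    acct = accounts.get(sender)
    if acct is None:
        return None
    acct.timeline.append(body)
    return acct.handle


def post_with_pin(accounts: Dict[str, Account], sender: str, body: str) -> Optional[str]:
    """Hardened: sender ID only selects the account; a PIN in the body authenticates.

    Body format is '<pin> <message>'. compare_digest keeps the comparison
    constant-time so a forger learns nothing from response timing.
    """
    acct = accounts.get(sender)
    if acct is None:
        return None
    pin, _, message = body.partition(" ")
    if not message or not hmac.compare_digest(pin.encode(), acct.pin.encode()):
        return None                 # right number, wrong or missing PIN
    acct.timeline.append(message)
    return acct.handle


# Constructed gateway deliveries. The first is really from alice (and carries
# her PIN so the same replay serves both handlers); the second has a forged
# sender number and no PIN.
DELIVERIES = [
    ("+15555550101", "4827 lunch at noon"),
    ("+15555550101", "i am leaving twitter"),
]


def run(handler) -> List[str]:
    """Replay the deliveries through one handler; return what lands on alice's timeline."""
    accounts = make_accounts()
    for sender, body in DELIVERIES:
        handler(accounts, sender, body)
    return accounts["+15555550101"].timeline


if __name__ == "__main__":
    print("sender-ID only:   ", run(post_by_sender_id))
    print("sender-ID + PIN:  ", run(post_with_pin))
```

The PIN defeats a forged sender ID, which is the bug quoted above; it does not help against someone who can read the SMS traffic, since the PIN travels in clear text and can be replayed.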
“An administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.” - Twitter blog
“A limit to Twitter authentication calls has broken some applications, confusing users and frustrating developers. The microblogging platform now only allows 15 requests to confirm a user’s credentials per hour. Previously there was no published limit and some applications were using well beyond 15.
The reason for the change is well-intentioned on Twitter’s part. Given unlimited attempts, a hacker can guess many passwords using a dictionary attack. Access to some high profile accounts could put you in front of thousands or millions of followers.” - Programmable Web
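What a limit of 15 credential checks per hour does to a dictionary attack is easier to see in code. The following is an added example, not Twitter's implementation: the figure 15 per hour comes from the quote above, while the sliding window, keying the limit by account, PBKDF2 password storage and the injected clock are constructed assumptions.

```python
"""Limiting credential checks per account to stop online dictionary attacks.

Added example, not Twitter's code. The 15-per-hour limit is the figure the
quoted article reports; the sliding window, per-account keying, PBKDF2
storage and the injected clock are constructed assumptions.
"""
import hashlib
import hmac
import os
from collections import deque
from typing import Deque, Dict, Iterable, Tuple

LIMIT = 15          # credential checks allowed per account per window
WINDOW = 3600.0     # window length in seconds (one hour)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_users(plain: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user store: username -> (salt, derived key)."""
    out = {}
    for name, password in plain.items():
        salt = os.urandom(16)
        out[name] = (salt, _derive(password, salt))
    return out


class AuthThrottle:
    """Sliding-window limiter keyed by the account being checked."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]]):
        self.users = users
        self.history: Dict[str, Deque[float]] = {}
        # Unknown usernames are checked against a dummy record so the
        # response time does not reveal whether the account exists.
        self._dummy = (b"\0" * 16, _derive("", b"\0" * 16))

    def verify(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'bad' or 'throttled'. `now` is seconds from an injected clock."""
        window = self.history.setdefault(user, deque())
        while window and now - window[0] >= WINDOW:
            window.popleft()              # forget checks older than one hour
        if len(window) >= LIMIT:
            return "throttled"            # nothing checked, nothing leaked
        window.append(now)                # every check counts, right or wrong
        salt, expected = self.users.get(user, self._dummy)
        good = hmac.compare_digest(_derive(password, salt), expected)
        return "ok" if good and user in self.users else "bad"


def dictionary_attack(throttle: AuthThrottle, user: str, guesses: Iterable[str]) -> Dict[str, int]:
    """Fire one guess per second at one account and tally the outcomes."""
    counts = {"ok": 0, "bad": 0, "throttled": 0}
    for t, guess in enumerate(guesses):
        counts[throttle.verify(user, guess, float(t))] += 1
    return counts


if __name__ == "__main__":
    throttle = AuthThrottle(make_users({"oprah": "warm-welcome-21st"}))
    print(dictionary_attack(throttle, "oprah", [f"guess{i}" for i in range(40)]))
    # One hour after the first guess a single slot frees, so the owner gets in.
    print(throttle.verify("oprah", "warm-welcome-21st", 3600.0))
```

Forty guesses at one account yield fifteen real checks and twenty-five refusals, which is the point of the limit. The cost is the one the article complains about: the count is per account, not per guesser, so a legitimate client that polls too eagerly, or an attacker who deliberately burns a celebrity's fifteen checks, locks the real owner out for the rest of the hour. Keying the window on the source address as well, or backing off instead of refusing outright, softens that.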
Ability “to insert JavaScript code into tweets simply by adding some code to the field where an application developer would normally link to a product website. There are all sorts of malicious things people could have done to exploit the bug, like steal session cookies, create a Twitter worm or even infect unaware visitors with malware, so it’s safe to say this was a massive security threat.” - TechCrunch
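The TechCrunch quote describes a URL field that was echoed into a page as a link. A link's href runs script if its scheme is javascript:, so the usual HTML escaping is not enough on its own; the scheme has to be allow-listed as well. The added example below (not Twitter's code) renders such a link with both defences in place; the rendering function and the hostile inputs are constructed.

```python
"""Rendering a developer-supplied website link without letting it run script.

Added example, not Twitter's code. The rendering function and the sample
inputs are constructed; the situation it defends against is the one the
quote describes: a URL field echoed into a page as a link.
"""
import html
from typing import Optional
from urllib.parse import urlsplit

# The WHATWG URL parser strips leading and trailing C0 controls and spaces
# and removes tabs and newlines anywhere, so " javascript:" and
# "java\tscript:" still execute in a browser. Normalise the same way, then
# allow-list the scheme rather than searching for the word "javascript".
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def safe_http_url(raw: str) -> Optional[str]:
    """Return the normalised URL if its scheme is http(s), otherwise None."""
    cleaned = raw.strip(_C0_AND_SPACE)
    for ch in ("\t", "\n", "\r"):
        cleaned = cleaned.replace(ch, "")
    if urlsplit(cleaned).scheme not in ("http", "https"):   # urlsplit lower-cases the scheme
        return None                   # javascript:, data:, vbscript:, relative, ...
    return cleaned


def render_app_link(app_name: str, website: str) -> str:
    """Build the anchor an application page would show for a developer's site.

    Two separate defences: the scheme check keeps script out of the href,
    and html.escape keeps a quote in either field from breaking out of the
    attribute or the element.
    """
    url = safe_http_url(website)
    if url is None:
        return html.escape(app_name)  # show the name, drop the link
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(app_name)}</a>'


# Constructed inputs a hostile developer might save in the website field.
SAMPLES = [
    "https://example.net/app",
    "javascript:alert(document.cookie)",
    "JaVaScRiPt:alert(1)",
    "java\tscript:alert(1)",
    " javascript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    'https://example.net/"onmouseover="alert(1)',
]

if __name__ == "__main__":
    for site in SAMPLES:
        print(repr(site), "->", render_app_link("Demo App", site))
```

The order matters: decide on the scheme from the normalised string, then escape for the HTML context it is going into. Escaping first and checking later would let the browser's own normalisation undo the check.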
“In the past 24 hours, we've been contending with a variety of attacks that continue to change in nature and intensity. We're working to restore access to apps built on the Twitter platform that were affected by defensive measures—there was some overcompensation on our part as we tune our system to deal with this scale of attack.”
“Ownership—Twitter is allowed to "use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute" your tweets because that's what we do. However, they are your tweets and they belong to you.”
Impersonation, Trademark, and Terms of Service policies: http://twitter.zendesk.com/forums/26257/entries/18311
Three more months in 2009 … WHAT NEXT??
the popular use of link shorteners like TinyURL that lead users to unknown destinations …
a single login system, in which every third-party application is handed the same Twitter username and password, that some hope will be fixed with the arrival of OAuth …
“Few people would characterize the popular and influential microblogging service Twitter as "secure." Hack attacks on Twitter, and Twitter users, appear to be increasing” - CNET News
Don’t be cheap … use some of your venture capital to invest in high-end security measures and frequent audits!
“Bob West, an information security expert, says that had Twitter invested in security early on, it might have avoided security problems. Twitter doesn't appear to have any employees focused solely on security issues, at least not at the management level.”