DigitalRadar

Jan 09 2009

Recent Twitter Hack, what can we learn from this?

I tried counting how many articles or blogs have given space to this recent high-profile and embarrassing hacking incident on Twitter; I gave up after the number hit 5.
Apparently Wired magazine broke the news, and it was picked up by others in a relatively short time. See the original post here.

Apparently, the 18-year-old hacker who goes by the nick GMZ was actually doing Twitter a service by “pen-testing” the website. Pen-test is short for penetration test, a process undertaken to uncover weaknesses or performance issues before an application goes live.
This raises the question: how did Twitter pass muster in this area before it went live?

One may argue that Twitter is not really an enterprise application and thus does not really need very high security measures in place, but this does not hold water when high-profile people use it. What if someone uses the platform to create panic? If someone abused it, impersonated CNNBRK and posted an untrue story that went out to the seventy-odd thousand followers, it would create not just a huge PR disaster but total public chaos.

Should Twitter now incorporate a CAPTCHA in its login page? This too is no longer foolproof, because I have seen someone use OCR together with a pen-test tool to automate login sessions with pretty high accuracy.

At the end of the day, no matter how strong the security countermeasures one puts in place, they will be broken if users choose weak and silly passwords like ‘happiness’.

However, I have yet to come across any update from Twitter on what they will put in place to tighten security, nor on what will happen to GMZ. Maybe the judge will sentence GMZ to 1,000 hours of community service for companies that require pen-testing on their websites; this would put his skills to good and productive use.
