A teenage hacker has admitted to the hijacking of several Twitter accounts.
The hacker, who goes by the handle GMZ, said that he gained entry to Twitter's administrative control panel by pointing an automated password-guesser at a popular user's account. That user turned out to be a member of Twitter's support staff, and they had chosen the password ‘happiness'.
He claimed that cracking the site was easy as Twitter allowed an unlimited number of rapid-fire log-in attempts. He randomly targeted the Twitter account of a woman named ‘Crystal', who he found because her name popped up repeatedly as a follower on a number of Twitter feeds.
Using a tool he authored himself, he launched a dictionary attack against the account that automatically used English words and let the program run overnight. When he checked the results on Monday morning, he found he was in Crystal's account – who was also a Twitter staffer.
Therefore he now had the ability to access any other Twitter account by simply resetting an account holder's password through the administrative panel. He also realised he hadn't used a proxy to hide his IP address, potentially making him traceable. He said he hadn't used a proxy because he didn't think the intrusion was important enough to draw law-enforcement attention, and "didn't think it would make headlines."
He claimed that he decided not to use other hacked accounts personally, instead posting a message to the Digital Gangster forum, which is used by hackers and former hackers, and offered access to any Twitter account by request.
Among the requests were US President-Elect Barack Obama, singer Britney Spears account, CNN correspondent Rick Sanchez and Digg founder Kevin Rose. Shortly after GMZ posted his original message to Digital Gangster, the site's administrator deleted it, along with the responses from members asking for access to other accounts.
GMZ claimed that he did not access any of the high-profile accounts himself, and did not send out any of the bogus tweets. He believes that he was in Twitter for a couple of hours before the company became aware of his access and locked him out.
The hacker identified himself only as an 18-year-old student on the East Coast. He agreed to an interview with the Threat Level website after other hackers implicated him in the attack. He said he'd never even heard of Twitter until he saw someone mention it on YouTube.
Twitter co-founder Biz Stone confirmed for Threat Level that the intruder had used a dictionary attack to gain access to the administrative account, but wouldn't confirm the name of the employee who was hacked, or the password. He also wouldn't comment on how long the intruder was in the Twitter account resetting passwords before he was discovered.
He claimed that the company is doing: “a full security review on all access points to Twitter. More immediately, we're strengthening the security surrounding sign-in. We're also further restricting access to the support tools for added security.”
David Harley, director of Malware Intelligence at ESET, said: “There have been unkind words on some specialist lists about Twitter's competence: all I can say is, that for an organisation that seems to be having a pretty bad year so far, they are making a serious effort to acknowledge and address their security problems, and deserve credit for it.”