Twitter Hacked
December 17, 2009 10:59 PM

Twitter (you may have heard of it) has been hacked. At 01:26am EST the DNS records were changed and Twitter is offline, replaced by a message from the Iranian Cyber Army...

Not widely reported as yet, but starting to filter out:
TVNZ
Lucire

It's a DNS attack, so Twitter's servers are not directly involved, but they could potentially be capturing API auth attempts, which could expose thousands or millions of users' passwords (those using more third-party apps and sites).
posted by sycophant (72 comments total) 3 users marked this as a favorite
 
I was just wondering why it was down...
posted by OrangeSoda at 11:02 PM on December 17, 2009


I am just getting a Firefox timed out message, no message from anti-Twitter revolutionaries.
posted by msjen at 11:03 PM on December 17, 2009


sycophant: I captured a few screengrabs as the hack was in progress (hosting site parking page) and once it was complete - they are on my website necessary self-link.

That's where you're wrong.
posted by paisley henosis at 11:05 PM on December 17, 2009


Also: couldn't have happened to a nicer site. I know it won't be down forever, but I'm going to pretend it will.
posted by paisley henosis at 11:06 PM on December 17, 2009 [1 favorite]


Well I thought the shot of the parking page was interesting - I can't very well not self-link that - but if a mod would like to remove it that's fine by me. If I could edit the post I would.
posted by sycophant at 11:07 PM on December 17, 2009


Twitter's DNS seems fine to me right now. This a regional thing?
posted by breath at 11:08 PM on December 17, 2009


twitter.com is working just fine for me now. I think this is either a huge hoax or BS. I've never heard of any of those sources.
posted by mathowie at 11:08 PM on December 17, 2009


Also, if someone did have access to the site, incoming API requests would not contain your username and password. They've converted to OAuth months ago, so all someone controlling twitter would get is encrypted keys.
posted by mathowie at 11:09 PM on December 17, 2009 [1 favorite]


Not working for me, either. DNS attack, I suspect.
posted by Blazecock Pileon at 11:10 PM on December 17, 2009


Google cache seems to confirm something's up.
posted by Blazecock Pileon at 11:12 PM on December 17, 2009


"It is a snapshot of the page as it appeared on 18 Dec 2009 06:29:38 GMT."
posted by Blazecock Pileon at 11:12 PM on December 17, 2009


If you've got cached DNS you won't see it I suspect.

Tech Crunch

Most third-party apps (especially mobile) still use plaintext auth, not OAuth. Even popular sites like Twitpic are largely plaintext (although I think they have OAuth as an option now).
posted by sycophant at 11:13 PM on December 17, 2009


Working fine for me now, but wasn't ten minutes ago.
posted by furiousxgeorge at 11:13 PM on December 17, 2009


And here's what I saw when I first tried to access the site while the hack was in progress, I believe: (Screenshot, on my site) - after the DNS was pointed, but before the landing page was set up, I'd guess.
posted by sycophant at 11:15 PM on December 17, 2009


I love it when a plan comes together.
posted by joost de vries at 11:16 PM on December 17, 2009


And then?
posted by blaneyphoto at 11:21 PM on December 17, 2009


Iranian Cyber Army

Odd that there would be a "Cyber Army" devoted to supporting a medieval regime. Like "Space-Age Nano Army For Feudalism!" or something.
posted by Avenger at 11:22 PM on December 17, 2009 [10 favorites]


For what it's worth I am resolving Twitter correctly again now. The Cyber Army has retreated I guess?
posted by sycophant at 11:23 PM on December 17, 2009


Hey, it's working. That was quick.
posted by OrangeSoda at 11:27 PM on December 17, 2009


Fine here in Seattle. Here is my proof:
# nethackaltorg mastrchief (Mon Hum Mal Cha), 4057 points, killed by an orc mummy, while frozen by a monster's gaze 6 minutes ago from API

# nethack.alt.org bot nethackaltorg muffinette (Sam Hum Fem Law), 1658 points, killed by an orc zombie, while fainted from lack of food 10 minutes ago from API
posted by vapidave at 11:33 PM on December 17, 2009 [1 favorite]


They should've just captured the usernames/passwds and forwarded the traffic on to the twitter servers. It might have taken days before anyone got wise.
posted by LordSludge at 11:33 PM on December 17, 2009


So the thing that's immediately clear is that this has nothing to do with Iran, then.
posted by Pope Guilty at 11:35 PM on December 17, 2009


NOW WHICH COUNTRY IN EMBARGO LIST? oh snap
posted by eddydamascene at 11:36 PM on December 17, 2009


Twats.
posted by bardic at 11:42 PM on December 17, 2009


Odd that there would be a "Cyber Army" devoted to supporting a medieval regime.

The Iranian state, even the weirdly religious sections, see themselves as big-time modernisers and industrialisers of an underdeveloped country. They put a big premium on the "Republic" part of the Islamic Republic. Remember, they overthrew a guy who considered himself one of the crowned heads of Europe.
posted by stammer at 11:46 PM on December 17, 2009 [4 favorites]


That wasn't as exciting as I hoped it would be. I mean, it didn't even burst into flames or anything.
posted by From Bklyn at 11:46 PM on December 17, 2009


And nothing of value was lost.
posted by Rhomboid at 11:47 PM on December 17, 2009 [1 favorite]


Apparently it was "hacked" for all of a few minutes. I actually found out about this through a retweet to a really stupid article on a piece-of-shit website called Mashable. They were going on about how this is "unacceptable" for a major site. What?? They recovered from an attack/outage in a few minutes- that's pretty damn impressive actually, and much better than Yahoo, Gmail, and all the other big boys have done in the past.

I'm not really sure what it is about twitter that brings out the knives from a certain strata of online geekdom, but the middle-schoolness of the way they cheer for twitter's failure is getting pretty embarrassing.
posted by drjimmy11 at 12:01 AM on December 18, 2009 [8 favorites]


Why are people acting like a hacking group called "The Iranian Cyber Army" has anything to do with Iran? Are you from the past? This is 2009 FFS.
posted by Pope Guilty at 12:03 AM on December 18, 2009 [4 favorites]


Twitter blog seems to say that everything's working now.
posted by sambosambo at 12:03 AM on December 18, 2009


This is all very confusing and slightly disorienting.

I'm starting to wonder if this is even actually Metafilter now....and if you people are who you say you are.

I'm looking at you "MattHowie."
posted by Skygazer at 12:09 AM on December 18, 2009 [1 favorite]


"The Iranian Cyber Army" ??
Wasn't that a Dr. Who Episode or something?
posted by Poet_Lariat at 12:13 AM on December 18, 2009 [3 favorites]


Hasus Christus. Twitter is down. How will people know what I had for lunch?
posted by sien at 12:16 AM on December 18, 2009 [7 favorites]


They were going on about how this is "unacceptable" for a major site. What?? They recovered from an attack/outage in a few minutes

It's somewhat reasonable. It was presumably poor security that allowed their DNS records to be hijacked in the first place. This, combined with the fact that they have a huge number of users who make use of third-party apps with plaintext HTTP auth, means that had the attackers been motivated they could have harvested user details. In fact, if they'd set up their system to simply log data and forward information, it probably would have been quite a while longer before they were caught.

In reality these defacement attacks are little more than online graffiti, so I'd say that there have been no serious security implications, but it's not a good sign for a site as high-profile as Twitter.
posted by sycophant at 12:17 AM on December 18, 2009 [4 favorites]


I suppose this is what Twitter gets for trying to hack Iranian Democracy.
posted by seanyboy at 12:19 AM on December 18, 2009


For my peeps: It was pizza and snacks. It's our christmas party. Word.
posted by sien at 12:19 AM on December 18, 2009 [1 favorite]


How will people know what I had for lunch?

Hilarious! Now tell me the one about Dan Quayle!
posted by potch at 12:24 AM on December 18, 2009 [12 favorites]


Hey if y'alls wanna hop in wit me, I'm a-headed Caleeforny way. Heards they gots them some Twitter there, m'yes I did!
posted by mannequito at 12:27 AM on December 18, 2009


CHANGE YOUR LOCATION TO KYOTO JP SO THE IRANIAN ARMY DOESNT KILL ANY MORE AMERICAN BLOGGERS RETWEET PLS #twitterholocaust
posted by naju at 12:38 AM on December 18, 2009 [5 favorites]


My friend is Iranian and happened to stumble upon Twitter's homepage while it was hacked, and he took some screens. TechCrunch had the most up-to-the-minute posting on the hack, but the image was different from his; there's English in place of the Farsi in TechCrunch's screens. (They seem to have taken down the image with the English…possibly because people found Google Cache with the Farsi text.)

Here is a screencap with Farsi vs. the screencap with English. (Both are tinypic links.)

Here is the text that I pulled from Google Cache:

بنام خدا
به عنوان یک ایرانی در پاسخ به دخالت های شیطنت آمیز این سرویس دهنده به دستور مقامات آمریکایی در امور داخلی کشورم )
این سایت به عنوان هشدار هک می شود


Which translates (via Google Translate) into:
    Name of God As an Iranian response to this intervention sly server command in the internal affairs of my country and American authorities) This site is a warning Hk
So this is kind of odd to me. The two texts are quite different from each other, and I'm not sure what to think. Either way it makes no difference on what transpired; it would just be odd if someone decided to "fake" the translation.

(Is there a way to connote popping my MeFi cherry? First post.)
posted by skidknee at 12:49 AM on December 18, 2009 [4 favorites]


MY FRIEND EMBARGO ME I EMBARGO USA WHY NO?
posted by qvantamon at 12:55 AM on December 18, 2009 [1 favorite]


My first impulse, being a former unruly Internet kid myself, was "cool! What a feather in the cap for a script kiddie". But then I made the connection that Iranian + Anti-Twitter probably = pro-Ahmadinejad. At best they're misguided kiddies trying to suppress political speech, at worst they're actually connected to Ahmadinejad.
posted by DecemberBoy at 1:00 AM on December 18, 2009 [1 favorite]


Or, even more likely than any of that: the people who did this aren't even Iranian, and the "Iranian Cyber Army" was conceived in an IRC channel by American teenagers about 4 or 5 hours before the attack.
posted by DecemberBoy at 1:02 AM on December 18, 2009 [3 favorites]


This combined with the fact that they have a huge number of users who make use of third party apps with plaintext HTTP auth means that had the attackers been motivated they could have harvested user details.

it seems that apps using the API don't usually pass passwords in plaintext - apiwiki.twitter.com isn't resolving for me right now, though.


In fact if they'd setup their system to simply log data and forward information it probably would have been quite a while longer before they were caught.

Their goals were graffiti, not totally subverting the site. I imagine acting as a proxy for Twitter would take a lot of bandwidth, & that Twitter might notice that their usual traffic had been replaced by an apparent DOS attack from one place.
posted by Pronoiac at 1:03 AM on December 18, 2009


it seems that apps using the API don't usually pass passwords in plaintext

Yeah, but the API is... kinda bad. For simple twitterbots, you'll pull much less hair out just using curl to post the tweet to http://twitter.com/statuses/update.xml, and that uses plain old HTTP auth. There's a lot of scripts out there that work that way.
posted by DecemberBoy at 1:19 AM on December 18, 2009 [1 favorite]


(the exact command line, if anyone's interested, is
curl -s -u username:password -d status="AphexBen is watching Taxi Driver" http://twitter.com/statuses/update.xml
)
posted by DecemberBoy at 1:23 AM on December 18, 2009 [4 favorites]


It looks like Twitter supports secure connections, so, considering the context, DecemberBoy, I think switching that http to https is a good idea. It looks like curl properly verifies the SSL certificates. And I'd probably add "-S" so error messages are shown.
posted by Pronoiac at 2:50 AM on December 18, 2009
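An added example, not code from this thread, to show concretely what the Basic-auth versus OAuth discussion above is about: what DecemberBoy's `curl -u username:password` line actually puts on the wire (base64, trivially reversible by whoever the hijacked DNS record points at), and how an OAuth 1.0a HMAC-SHA1 signed request for the same statuses/update call exposes only a signature, never the secrets. Credentials, consumer key/secret, token/secret, nonce and timestamp are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed values matching DecemberBoy's curl one-liner; the credentials
# and OAuth secrets used with these functions are placeholders, not real ones.
API_URL = "http://twitter.com/statuses/update.xml"
STATUS = "AphexBen is watching Taxi Driver"


def basic_auth_header(username, password):
    """What `curl -u username:password` sends: base64, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic_credentials(header):
    """Whoever receives the request (e.g. the host a hijacked DNS record
    points at) gets the password back with a single base64 decode."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _pct(s):
    # RFC 3986 percent-encoding as OAuth 1.0a requires (unreserved chars kept).
    return urllib.parse.quote(str(s), safe="-._~")


def oauth1_sign(method, url, params, consumer_key, consumer_secret,
                token, token_secret, nonce, timestamp):
    """OAuth 1.0a HMAC-SHA1 signing (RFC 5849). Returns the oauth_* values
    that travel on the wire; consumer_secret and token_secret never do."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # Signature base string: METHOD & url & sorted, encoded request params.
    pairs = sorted((_pct(k), _pct(v)) for k, v in {**params, **oauth}.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), _pct(url), _pct(normalized)])
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return oauth


def oauth1_verify(method, url, params, wire_oauth, consumer_secret, token_secret):
    """Server side: recompute the signature over what actually arrived and
    compare in constant time; a replay with an altered status fails."""
    unsigned = {k: v for k, v in wire_oauth.items() if k != "oauth_signature"}
    expected = oauth1_sign(method, url, params,
                           unsigned["oauth_consumer_key"], consumer_secret,
                           unsigned["oauth_token"], token_secret,
                           unsigned["oauth_nonce"], unsigned["oauth_timestamp"])
    return hmac.compare_digest(wire_oauth["oauth_signature"],
                               expected["oauth_signature"])
```

Calling `recover_basic_credentials(basic_auth_header("user", "pw"))` hands back the plaintext pair, whereas the dict from `oauth1_sign` contains no secret and fails `oauth1_verify` as soon as the signed status is changed.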


Crap, I got lazy and re-used my twitter password on other sites. Guess I'm going to have to change some passwords today.
posted by BrotherCaine at 3:23 AM on December 18, 2009


According to their FAQ (Google cache), they'd like to disable basic HTTP authentication, but it's here for now & not going away without a few months' warning. I don't see a list of OAuth-using Twitter clients, or a way of checking them without snooping the connection.
posted by Pronoiac at 3:44 AM on December 18, 2009


This is not really a great post. But, since it's here: Mashable cracks me up. "Twitter must be held accountable!" To whom, you schmucks, some blogger?
posted by fixedgear at 4:42 AM on December 18, 2009 [1 favorite]


Ahabdinijad?
posted by felix betachat at 4:58 AM on December 18, 2009 [1 favorite]


U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST ;)
Take Care.
Oh that's nice, the Iranian Cyber Army is telling me to "take care"-- just like my grandmother but without the cheek pinch.
posted by Secret Life of Gravy at 5:00 AM on December 18, 2009


This is bad, but as people have said above, HTTP auth is the real problem (compounded by the tendency for password reuse), because your users' credentials can be stolen even if Twitter's DNS is not compromised. How about just modifying the A record for Twitter at the coffee shop where some A-list users hang out? Wait a while, then start injecting your own ads, or see if they reused those passwords on Gmail, etc. Not to mention countries with state-owned ISPs with enforced proxies.
posted by These Premises Are Alarmed at 5:07 AM on December 18, 2009


I don't see a list of OAuth-using Twitter clients, or a way of checking them without snooping the connection.

Any client using OAuth makes you go through the OAuth Deny/Allow screen instead of entering your password. Any client that asks for your password is not using OAuth.
posted by cillit bang at 5:09 AM on December 18, 2009


And Twitter is successful because it's so pervasive. Did I have a Twitter client running last night on one of 3 computers at home, 2 at work, or on my blackberry? I don't really know.
posted by These Premises Are Alarmed at 5:10 AM on December 18, 2009


Heh. If that's the current state of their security, it sounds like it might be a little while before I get an answer to this tweet I sent them yesterday:

"@twitter: Why does Twitter's https login page now lead to a non-https homepage?"
posted by limeonaire at 6:03 AM on December 18, 2009


Wait. Enhance that.
posted by poppo at 6:30 AM on December 18, 2009 [6 favorites]


And yet, the world keeps turning.
posted by brand-gnu at 6:36 AM on December 18, 2009


WE PUSH THEM IN EMBARGO LIST ;)

Oh Noes! Our twitters is embargoed!
posted by furiousxgeorge at 6:43 AM on December 18, 2009


We shall go on to the end, we shall fight in Twitter, we shall fight on the routers and switches, we shall fight with growing confidence and growing strength in the air, we shall defend our Tweets, whatever the cost may be, we shall fight on the Google, we shall fight on the /b/ boards, we shall fight in the message boards and in the IRC, we shall fight in the Usenet; we shall never disconnect, and even if, which I do not for a moment believe, this Twitter or a large part of it were slow and buggy, then our Internet beyond the tier two providers, armed and guarded by the network admins, would carry on the struggle, until, in God's good time, the Web 2.0, with all its power and might, steps forth to the rescue and the liberation of the old.
posted by geoff. at 8:11 AM on December 18, 2009 [2 favorites]


I felt a great disturbance in the Net, as if millions of voices suddenly cried out in terror and were suddenly silenced.

I fear something tweetable has happened.
posted by Western Infidels at 9:18 AM on December 18, 2009 [1 favorite]


I prefer it when terrorists used keyboards rather than suicide vests.
posted by sswiller at 10:00 AM on December 18, 2009


Well I can attest that it happened, since I was up at 3 AM debugging Twitter OAuth integration for a site of mine and the API went non-responsive for at least an hour; how much of that was due to bad cached DNS I don't know.

Any client using OAuth makes you go through the OAuth Deny/Allow screen instead of entering your password. Any client that asks for your password is not using OAuth. — cillit bang

That's not true; the client may not ask directly, but unless the user has a current session cookie at the service provider's site it still requires the user to log in on a page at the service provider's site that the client redirects them to, and if the DNS is spoofed then that page could be provided and the credentials collected by a bad actor.

The content partner can force the login page to be shown even if the user has a current session at the service provider's site, which is actually more secure since it means I can't wander over to your workstation while you're at the water cooler and OAuth you for a bunch of stuff.

In the example I was testing last night, click the "Sign in with Twitter" icon here, and you'll be asked for your username and password, ostensibly by twitter.com. But it could be anyone who was spoofing the DNS and the OAuth server API.
posted by nicwolff at 10:08 AM on December 18, 2009


Re Lucire - I've followed the founder Jack Yan's blog for some years now; it's a legitimate New Zealand-based magazine.
posted by infini at 10:27 AM on December 18, 2009 [1 favorite]


otoh, my laptop died two days ago, and the desktop just three hours ago (this is mom's borrowed machine) - wonder if there's a connection?

... the light went off across the landscape...
posted by infini at 10:28 AM on December 18, 2009


And yet, the world keeps turning.

Yeah, but that'd be true for a huge range of events, starting with 'I stubbed my toe' and ending somewhere around 'total global thermonuclear war'.

World keeps spinning. It just don't care either way.

I put losing my ability to read what's going on with Neil Patrick Harris, Nathan Fillion and Milla Jovovich closer to the apocalyptic side of the scale.
posted by quin at 10:33 AM on December 18, 2009


Oh right, like you're even actually Quin. And the rest of you heathens, yeah, go ahead and pretend you people are real mefites and this is the real Metafilter.

Pffftt.....

Don't BS a BSer, Iranian Cyber (Clown) Army. I will blow all your DNSes up. I will admin-ijihad your secret ports....consider yourselves pwned!!11!!

Free Kevin!
posted by Skygazer at 11:15 AM on December 18, 2009 [1 favorite]


WHO RULE BARTERTOWN?
posted by ErikaB at 5:20 PM on December 18, 2009


Who cares for you? You're nothing but a pack of cards!
posted by Sidhedevil at 6:04 PM on December 18, 2009


That's not true; the client may not ask directly, but unless the user has a current session cookie at the service provider's site it still requires the user to log in on a page at the service provider's site that the client redirects them to, and if the DNS is spoofed then that page could be provided and the credentials collected by a bad actor.

Pronoiac was asking how to tell if an app is using OAuth or HTTP Basic Auth. I don't think it's inaccurate to say that all HTTP apps will ask for your password directly in their settings page/dialog, and all OAuth apps won't (though you may be asked to log in during the OAuth authorization process).
posted by cillit bang at 2:10 AM on December 19, 2009


Ah, then you're right — I misunderstood. You said "OAuth Deny/Allow screen instead of entering your password" which could be confusing since the Deny/Allow may require password entry.
posted by nicwolff at 2:04 PM on December 19, 2009


I'm wondering which, if any, iPhone apps use OAuth &/or SSL properly, to avoid possible man-in-the-middle attacks. I was (and still am) fuzzy on OAuth.
posted by Pronoiac at 2:48 PM on December 19, 2009



