With all the chatter about the current security issues surrounding Twitter, its workforce and the cloud-based Google apps they use, a new security issue has popped up that makes it trivially easy for anyone to access the Twitter servers directly. The problem? The password to the servers was, literally, “password.”
Twitter co-founder Biz Stone, responding to our email, said “this bug allowed access to the search product interface only. No personally identifiable user information is accessible on that site.” Although no user accounts were compromised or accessible, the vulnerability speaks to a greater culture of lax security at the startup, and may be indicative of how earlier breaches possibly occurred.
With that in mind, we have some friendly advice for Twitter. For instance, it would be wise if in the future Twitter insiders do not use the password “password” for the back ends of its systems or one of its co-founder’s names (Jack) as a username.
Why do we think this advice could prove helpful? Well without taking this type of precaution, before you know it malicious hackers or just plain mean people who have it in for you could do some serious damage and/or embarrass you in front of all your friends and followers by invading your personal digital territory.
Again, for the record, this has absolutely nothing to do with the other security breach we’re publishing ongoing reports about and which Twitter has already publicly responded to. We notified Twitter about this breach as well, and waited until they took action to close it off before posting.
Screen shots below.
That’s what happens when you build a site with Ruby on Rails. You get lazy, your site fails and little kids know your password.
You’re a fool. That has nothing to do with the tool you use. When you let someone who doesn’t understand security build your site, they’ll leave so many holes open, and it has nothing to do with the tool.
You’re just talking out of your ass.
I said that the reason is ‘they get lazy’. You might learn to read one day…
If that’s the case then you probably shouldn’t have mentioned Ruby on Rails at all.
Isn’t that the reason for their failures, though? That’s why I mentioned it.
And what the heck does a selection of PASSWORD have anything to do with Rails?
You’re still an ass.
You must use rails…what a tool.
And who chose ‘password’ as a password should be fired on the spot. And the whole team should be sent to take security course, including the founders.
When you have the data of millions of people you don’t fool around.
Well, you’re an OG.
Did someone say Ruby on FAIL?
Aren’t some routers and servers set with PASSWORD as a DEFAULT?
Means the Romper Room Krew couldn’t read the manual long enough to see the warning to change it.
I just read this, and you’re definitely blaming Ruby on Rails, NOT people getting lazy.
More sound pressure. Only if you like Stinky as a nickname.
Oh, it’s ARSE. Be proper.
You forgot “on Windows” =). Java would never have this problem.
Java? How could Java avoid obvious password on an application?
Because it’s a coffee bean
OHSNAP
O_o
RoR is only still used at Twitter for parts of the front end. They have been moving to Scala for a while now.
Tell them to use a Mercedes truck not a Fiat.
Methinks thou might partake in copious quantities of this glorious roast and ground drink. Quaff! Consume! Libate!
I didn’t think anyone could match the idiotic “Rails can’t scale” so called ‘argument’, but you just have. Well done!
I love how their site admin section is just as crappy as the rest of the site.
Wow. Just wow.
Yeah. Unbelievable.
Indeed. This goes to show that Twitter really is a piece of trash software with don’t know shit founders.
More google juice for the comment spammer known as Havoc Marketing.
Why is everyone angry and calling each other names in this comment forum?
Shut up you pansy!
No, you shut up sissy faggot – bizstone
Robert is such a sore LOSER. He’s been crying ever since he got his stupid ass kicked by Angie.
hahahaha, gotta love the anonymous comments all coming from Havok
Robert, I am not anonymous. That’s my real name – Derek Owens. I read the old comments. I still remember where Angie made you live with Geico’s cave man. Hahaha….. Still funny.
Well Mr. Robert Basil, judging by your standard we all will be considered as a comment spammer.
Let me see, is your name linked to a MLM promoting website like Havok? Does not look like it.
I looked at his site. It’s not exactly MLM. It’s more about Internet Marketing products. By the way, you spelled Havoc wrong.
Yeah, what’s up with that Robert? Are you on a crusade against Internet Marketers? Calling them spammers. I’m a bit offended and outraged because I’m an Internet Marketer myself. Think before you comment.
Craziness, I guess they should change the password…
Are you looking for a job? Because you have the kind of incisive security mind Twitter could use about now. You should totally give them a call (if they haven’t contacted you yet)!
Well that was very “obvious” of them.
shh, don’t give away the new password!
This is sick in a very interesting and unique way that makes me wanna puke while wondering why startups with the size of twitter don’t hire a security expert for weekend audits… just for fun.
Well, when you’re born out of the epic cool that is the Ruby on Rails community, all that “security crap” is just stuff old people programming Java think about.
This has nothing to do with RoR. It’s infrastructure logins, not bugs in code.
I think this is less about RoR or hiring security experts than it is a common mistake by n00bs that was made by people who should know better.
Because then they wouldn’t be able to buy Aeron chairs and new cars on VC money.
Time to grow up and implement some basic security measures in the Twitterverse.
Stay Classy Twitter.
ROFLMAO.
“you responded swiftly and promptly changed the password that got us and our reader into the search admin to something stronger”
They’ve changed it to pa55word
they probably changed the password to “love” (the most used pw on the planet).
Actually, somebody told them to change the password to something else, so they changed it to “somethingelse”.
Actually, “love” is the 4th most common password. 123456 is the most common.
wanna bet?
With most sites enforcing at least a 6-character password length now, I bet ‘love’ has fallen out of favor from whatever list or db you’re looking at. Googling most common passwords agrees that ‘password’ and ‘123456’ are now the most common.
‘bumlove’ meets the 6 character rule and is easy to remember!
I’ve got the same combination on my luggage!
My luggage now.
HAHAHAHAHAHAH
LOL. WHAT DID I SAY YESTERDAY. Weak ass passwords.
Total hacks.
I’m waiting for the, “We’ve lost all of the database data, and our backups don’t work” announcement.
So what? In the past twitter has been down for days, has failed technically more than anything i can remember, yet people love the site.
goes to show, the content is not important. it’s the medium that matters
Did you mean ‘It’s the content that matters, not the medium’?
If it was the medium, everyone would have left long ago.
He’s not sure what he meant, cause he’s kind of a tool.
Metric tool
Someone check to see if they changed the PW to 12345.
lol…….. Can’t say these guys may do.
Amazing, that’s the same combination of my luggage!
Hey, how’d you know the combination on my luggage?
lol
classic ref!
This is a bit off topic but does TechCrunch not care about publishing images they clearly have no rights to (often without any form of attribution)?
The whole idea of copyright, ethics, seems to be a novel concept that you guys can’t be bothered with.
They didn’t care about violating Cal. Penal Code § 502 by hacking in and taking a look, so why worry about something as uncool as copyrights?
Yea seriously, copyrights are so ’90s. We are now reaching the ’10s.
Pretty soon techcrunch will start killing babies just so they can publish the photos first
Hey, if they don’t do it, somebody else will.
I think Skitzzo’s comment was in respect to the screen grab from the copyrighted Paramount Pictures property called ‘Star Trek: The Next Generation’
You can get this shit on Google and its use is protected under fair usage and is clearly used under editorial expression…
Do you think they use cool pix to whore the ad bux? You illin’ soldier.
This doesn’t even come close to violating copyright laws.
I can’t speak for every instance, but in this case it should be journalistic fair use.
Very cool.
Privacy is dead… cuz no one was caring for her. Boohoo…
Gotta admit — I’ve used “password” as my password before too, though I suppose that’s also why I should never run my own startup.
Using password for your home computer is slightly different than using password for a database that contains millions of users.
RTFA, it was the password to the trending topics admin page, not their database.
IRRELEVANT. You honestly think if they use “password” for a password, that they don’t use equally worthless passwords on other systems?
Everybody knows that you should use passw0rd instead of password.
Don’t you mean Passw0rd? That way you have a capital.
P@ssw0rd and a symbol.
+1. See, the power of crowdsourcing is remarkable. Twitter should crowdsource passwords.
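The passw0rd / Passw0rd / P@ssw0rd exchange above is a good illustration of why a denylist of common passwords has to fold leetspeak substitutions before it compares. Below is an added example, not code from TechCrunch or Twitter, of the kind of check a sign-up form or an internal admin console could run. The denylist is constructed from the strings mentioned in this thread only; the substitution table and the 12-character minimum are assumptions for the example, not a recommendation tied to any real policy.

```python
import re

# Constructed denylist for the example: just the passwords this comment
# thread mentions. A real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "12345", "1234", "love", "abc123"}

# Common leetspeak substitutions folded back to letters so that
# "P@ssw0rd" and "pa55word" compare equal to "password". (Assumed table.)
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})


def candidate_forms(candidate):
    """Return every normalized spelling of the candidate worth looking up.

    We look up the lower-cased string, the same string with a trailing run of
    digits/punctuation removed ("password123", "Passw0rd!"), and the
    leet-folded version of each of those.
    """
    lowered = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    forms = set()
    for base in (lowered, stripped):
        forms.add(base)
        forms.add(base.translate(LEET_MAP))
    forms.discard("")          # an all-digit password strips to nothing
    return forms


def weakness_reasons(candidate, min_length=12):
    """List the reasons a candidate password should be rejected.

    An empty list means it passed both the length and the denylist check.
    """
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    hits = candidate_forms(candidate) & COMMON_PASSWORDS
    if hits:
        # Report the dictionary word the candidate collapsed to, so the user
        # sees that "P@ssw0rd" was recognised as "password".
        reasons.append("matches common password " + sorted(hits)[0])
    return reasons


def is_weak(candidate, min_length=12):
    return bool(weakness_reasons(candidate, min_length))


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd", "pa55word123", "123456", "bumlove",
               "correct horse battery staple"]:
        print(f"{pw!r}: {weakness_reasons(pw) or 'ok'}")
```

The normalization runs on the candidate only; the denylist itself stays in plain lower-case, so adding new entries never requires knowing which spellings attackers favour.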
Apparently the original name for Twitter was twttr. and according to the details on this image:
http://www.flic...rsey/182613360/
He got the idea from being a livejournal member.
I think I actually like twitter more (besides the security flaws which I’m sure they’ll fix) now that I know a little bit more about the history.
I’m COMPLETELY the last to realize some of this stuff, huh.
That photo was posted in 2006. Not exactly proof that the notebook entry was created in 2000. Jack can claim whatever he wants. Nobody cares.
admin.twitter.com was the admin panel….. and the password was “password”. He found it in an employee’s emails.
This is illustrative of sloppy coding and poor architecture that plagued the early Twitter codebase. And why do they have the ability to blacklist trending topics, anyway? Just in case they don’t like them?
Makes you wonder what kind of developers they hired…
I’m actually surprised they are not inventing the topics themselves. There must be a tool for that.
“And why do they have the ability to blacklist trending topics, anyway? Just in case they don’t like them?”
Exactly. There are plenty of reasons to do so. Spam, for one. I don’t think #someonekillinsertpublicfigure would go over too well either.
What if #gorillapenis is one of them? I’d want that blacklisted…
http://news.cne...0279618-26.html
Damn. Now I have to change all my passwords now that TechCrunch gave it away.
I don’t know why anyone is surprised. Since their inception, Twitter has shown nothing but technical incompetence. How they have received so much undeserved investment and press is beyond me. It’s obvious that very few people, if anyone, at Twitter has any idea what they are doing. The entire operation is a mess. Smoke and mirrors.
Ev Williams is a glorified used car salesman.
+1 Million.
I don’t understand this sentence: “[...] its workforce and the cloud-based Google apps they use [...]”
What does this mean? Is Twitter hosted on Google’s cloud or what? What does it have to do with Google Apps? Can anyone tell me?
I think the hacker got access to email accounts of twitter employees and also other web based apps
Ah, I got the answer from this blogpost of twitter: http://blog.twi...-we-wanted.html
So Twitter as a company uses Google Apps for their in-house communication.
No, they used Google Docs, and that is how, when one of the employees’ email was hacked, they were able to get into their Google Docs and download all their private documents.
And don’t use abc123 either! lol..
James F
Free Twitter Backgrounds
Total craziness. I’m speechless (yet again) about Twitter’s obvious ignorance towards the most basic security rules.
Well, it seems that they have not changed it yet
I think twitter is at a size now where they should be able to afford a security officer to ensure common security standards across their systems and workforce.
Putting their business at risk with such basic mistakes is simply… irresponsible. Oh well, I guess Facebook is having a good day.
No joke. Would you guys like an assessment?
It doesn’t matter what size of a company you are running. You have a fucking $45 million dollars in your account. You can easily hire a team of security officers.
Yup, if UR a tweeter probably should consider your as not being secure … if it’s not this it’s bound to be the next thing … btw, does any real tweeter care about privacy … conceptually telling everyone what you’re doing isn’t so private … so the hell with security. Hehe.
Not really as a tweeter, but twitter as a biz should.
For the next password, you should use 1234 and if you’re advanced 123456
That’s what you get for hiring kids to do a professional’s job.
“Amateur Hour at Twitter” is so last year. I guess priorities change when you hook your star up to celebrities.
Twitter will learn from this and be stronger. I’d like to read an article about the top 10 things learned from this Twittergate security fiasco. For example, #10 ‘don’t use no-brainer passwords’, etc.
And with all those twitter apps out there, you probably have apps accessing your account that you forgot about. Especially if you notice your followers go up or down dramatically.
Change your password(s) often, like at least once a month.
I thought Twitter hired a bunch of highly touted Ops personnel awhile ago? Security should be at the top of mind for any qualified Ops person, regardless if it was “just” their Search Product interface.
Any software company that wants to be taken seriously needs to have security as top of mind throughout the organization. It’s not exactly a new thing…you can’t sign up on many sites these days without being messaged about your password strength.
I’m sure we can keep this in perspective, but I don’t think Twitter can continue with these kinds of foolhardy oversights much longer without deeper repercussions.
“Fool me once, shame on you, fool me twice, shame on me.”
I’d love to hear some great security F-up stories, bet TC readers can oblige.
Worked for a company that launched an RSS app, and when it launched our internal network went down. VP of engineering simply explained that he’d based the (only) production server on our office network (fed by a flea-bitten T1), and that he’d discovered the app couldn’t work through our firewall so he’d taken that down to make the launch date.
That one event described the company’s whole future.
It is really neat how TC is staffed by and attracts so many viewers capable of running the 3rd largest social media. It is great to be in your presence!
This makes me feel pretty good about myself.
lol, Twitter is just so unbelievable. It doesn’t make money and it doesn’t have proper security.
and so to think that people are proposing to give twitter a nobel peace prize
So they burn through tens of millions of dollars, but never hired someone to security audit their servers for less than $2,000? hmmm
What could go wrong? I mean, people are all nice and stuff.
Yep. It’s clear this was a weekend project that grew by word of mouth. Props to the twitter guys for doing it, but it’s pretty damn clear that they are flying by the seat of their pants. Most likely they didn’t even come up with the original idea: it IS just the Facebook Status line, but they have added some neat features like Direct Messaging. Kudos on their insecure systems, it was probably fun to poke around there while it lasted.
What a lousy string of events. At least their domain wasn’t hijacked or let expire. Been there.
Wonder what the fly on the wall is hearing from Conway, Andreessen and Fred Wilson right now? Think it’s coaching or ass kicking?
“TwitterGate.”
Wow, that’s embarrassing for Twitter.
‘password’…good one. Even when I was a complete newbie, I knew better than to use something like that.
Hi,
In the first place, the admin panel should be inaccessible if you are accessing it from outside.
I think they have a very, very poor security architecture.
It’s kind of amusing that people are pissing about the “security flaw” of your password being password but completely missing the fact that that password was found by reading emails stored on the Google cloud.
The password could have been a paragraph long worth of numbers symbols letters and caps and whatever else and it was still being passed around in an email.
Yep, always makes me laugh to see people sending their super cryptic password via email (because hey, it’s too cryptic to write it down and then destroy, etc.) only to not realise the email could be hacked and to also not realise that by writing it in an email and hitting send, any hacker worth half his weight would be able to read it anyway.
Actually the story on TC changed from the originally published version. In the first draft that went live it said that TC asked someone to poke around twitter and within 5 minutes, the person they asked had found the login “jack:password” worked for the admin panel. This bit was removed from the current version of the story.
So the screenshots we’re gawking at today aren’t from the social engineering that found the Google Docs — they’re from someone TC asked to poke around.
Probably they thought the “password” was so bloody easy to guess, that nobody would possibly think of it. #totalfail
Clearly they should have inserted a “123” at the end of “password” to make it at least 2% more secure. Clearly.
He calls a dumb-ass password a “bug”? WTF?
Maybe they use Bugzilla for everything and they had a “Make Password Harder To Guess” item waiting in there under IT, marked as a P5 enhancement.
Oh, this is rich! Great story and snarky STNG photo to illustrate, though Adm. Adama would have been better.
Haha, this is funny. Even the bad guys in the 14-year-old movie “Hackers” know not to use the password “Password” *lol*. I seriously never thought that I would see someone dumb enough to actually use it… Well, sometimes real life is stranger than the movies ;D
Idiots huh… I would have used something much harder to guess like, I dunno… “GOD” maybe?
This scares me a bit… How do we know that they’re hashing our passwords, if one of them thought “password” was a good password.
Respect for Twitter now equals zero. I simply cannot believe they are this stupid/lax/incompetent. I hope my account doesn’t get hacked because of some other oversight that really should never have happened.
Check it: http://search.t...itter.com/admin
Lesson #2.
Have a public product? Don’t make your admin publicly accessible under the subdirectory “/admin”; it’s quite easy to guess.
Just maybe that the cloud is not ready for primetime.
No – the cloud is fine.
Just maybe Twitter is not ready for primetime.
Exactly Chris, Cloud computing is just fine. This was just a case of lazy standards. They should have known better for some if not all of these issues.
Calling BS on that, son. The only things that should be in the clouds are planes, starships and Syd Barrett.