
Twitter's password recovery process exposes accounts to hacking, according to victim

Twitter's password recovery system allows accounts to be brute-forced simply by changing IPs

By Trace Hagan on Oct 1, 2012 05:01 pm CDT - 1 min, 1 sec reading time

A victim of an account hijacking has written a long piece about Twitter's security processes and how he believes his account was taken over. He blames Twitter's password recovery system, which reportedly allowed the attacker to run a brute-force style attack against his handle. In this context a brute-force attack means trying a word list of common passwords as fast as the service will accept them until one matches or the list is exhausted.


The issue seems to stem from the fact that Twitter limits failed login attempts per source IP address rather than per account. An attacker who rotates through a proxy network, or any other pool of IP addresses, therefore never trips the limit and can keep guessing a single account's password indefinitely, or at least until the word list runs out or the password is found.

Why the victim, Daniel Dennis Jones, chose a simple, common password that any word list would contain is beyond me. His account of the attack is plausible, though, and it illustrates why most login and password recovery systems limit failed attempts per account, or at minimum present a CAPTCHA after a few failed attempts on the same account, regardless of which IP address the attempts come from.
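The following is an added illustration of the point above, not code from the article, from CNET or from Twitter: a toy login endpoint whose failed-attempt counter can be keyed either by source IP or by target account, plus a simulated attacker who rotates through a pool of addresses while guessing one account's password. The thresholds (5 failures per 15-minute window), the user name, the password, the word list and the IP pool are all constructed for the example and are not taken from the page.

```python
import hmac
from collections import defaultdict

MAX_FAILURES = 5       # assumed threshold: failed attempts allowed per key per window
WINDOW_SECONDS = 900   # assumed 15-minute sliding window

# Constructed sample data (not from the article). Real systems store password hashes,
# not plaintext; the plaintext here keeps the example short.
USERS = {"blanket": "sunshine1"}
WORDLIST = [
    "123456", "password", "qwerty", "letmein", "abc123", "monkey", "dragon",
    "football", "iloveyou", "admin", "welcome", "login", "princess", "master",
    "shadow", "sunshine1", "trustno1", "baseball", "starwars", "passw0rd",
]
ATTACKER_IPS = [f"198.51.100.{i}" for i in range(1, 11)]  # TEST-NET-2 addresses


class LoginGuard:
    """Tracks failed logins keyed by source IP ("ip") or by target account ("account")."""

    def __init__(self, key_by):
        assert key_by in ("ip", "account")
        self.key_by = key_by
        self.failures = defaultdict(list)  # key -> timestamps of recent failures

    def _key(self, username, ip):
        return ip if self.key_by == "ip" else username

    def is_blocked(self, username, ip, now):
        key = self._key(username, ip)
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        self.failures[key] = recent
        return len(recent) >= MAX_FAILURES

    def record_failure(self, username, ip, now):
        self.failures[self._key(username, ip)].append(now)


def attempt_login(guard, users, username, password, ip, now):
    """Returns "throttled", "ok" or "bad_password" for one login attempt."""
    if guard.is_blocked(username, ip, now):
        return "throttled"
    stored = users.get(username, "")
    # Constant-time comparison so the check itself does not leak via timing.
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        return "ok"
    guard.record_failure(username, ip, now)
    return "bad_password"


def simulate_rotating_attack(guard, users, target, wordlist, ips):
    """Attacker changes source IP on every guess. Returns (password or None, attempts made)."""
    attempts = 0
    for i, candidate in enumerate(wordlist):
        ip = ips[i % len(ips)]
        attempts += 1
        if attempt_login(guard, users, target, candidate, ip, now=float(i)) == "ok":
            return candidate, attempts
    return None, attempts


def demo():
    """Runs the same attack against a per-IP guard and a per-account guard."""
    per_ip = simulate_rotating_attack(LoginGuard("ip"), USERS, "blanket", WORDLIST, ATTACKER_IPS)
    per_account = simulate_rotating_attack(LoginGuard("account"), USERS, "blanket", WORDLIST, ATTACKER_IPS)
    return {"per_ip": per_ip, "per_account": per_account}


if __name__ == "__main__":
    print(demo())
```

With 10 rotating addresses each IP sees only two guesses, so the per-IP guard never throttles and the password is found on the 16th attempt; the per-account guard blocks everything after the fifth failure and the password is never reached. The trade-off the article hints at is that a strict per-account lockout also locks out the legitimate owner while the attack is running, which is why a CAPTCHA after a few failures, rather than a hard block, is the common middle ground.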

The happy ending: Eventually Jones was able to recover his @blanket handle with the help of Twitter.


ABOUT THE AUTHOR - Trace Hagan

Trace is a starving college student studying Computer Science. He has a love of the English language and an addiction for new technology and speculation. When he's not writing, studying, or going to class, he can be found on the soccer pitch, both playing and coaching, or on the mountain snowboarding.

NEWS SOURCE:news.cnet.com
