Blogger: Mark Diodati
In both cases, a hacker compromised the Yahoo mail accounts associated with Twitter employees (a product manager and an administrator) by guessing the answer to each employee’s secret question. The secret question is an example of static knowledge-based authentication (KBA), the insufficiency of which Burton Group has discussed (Can We Finally Commit to the End of Knowledge-Based Authentication? and Static KBA: Lipstick on the Weak-Authentication Pig). The latter blog entry discusses the same exploit on Sarah Palin’s Yahoo mail account. Both Google and Yahoo support a better identity proofing mechanism – Short Message Service (SMS) delivery via mobile phone. Burton Group calls this mechanism out-of-band identity proofing, and it is a big step up from static KBA. I recommend that you register your mobile phones for these services ASAP.
The hacker associated with the first breach claims to have located the product manager’s Twitter password in the Yahoo emails. This seems unlikely. However, Twitter enables a password reset by other means. First, the user must provide Twitter with the pre-registered phone number in the “forgotten password” web form. Twitter asks for the phone number solely as the answer to a static KBA question and does not use the phone itself in the identity proofing process. The hacker does not need physical access to the phone, only knowledge of the correct phone number. After the correct phone number is provided, Twitter sends an email with a link to the password reset screen. If the hacker has compromised the email account and knows the phone number, he now has access to the Twitter account.
If Twitter’s password reset process applies to its administrative applications, Twitter’s risk exposure is “sky high”. Burton Group believes that stronger authentication mechanisms are a requirement for administrators who access confidential user data via the Internet. There are plenty of cost-effective, portable stronger authentication solutions. Examples include delivery of a one-time password (OTP) via SMS (as described above) and software OTP on a mobile device. These solutions would eliminate these exploits because the compromise of the email account does not give the hacker access to the authenticator.
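To make the difference concrete, here is an added simulation (not code from the post or from Twitter) of the two reset flows under the threat model described above: the attacker can read the victim's mailbox and knows the registered phone number, but does not hold the phone. The account record and the delivery channels are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed account record for the simulation (not real data).
ACCOUNT = {"phone": "+15555550123", "email": "pm@example.test"}

# Simulated delivery channels. In the post's threat model the attacker can
# read the e-mail channel (compromised mailbox) but never sees the SMS channel.
outbox = {"email": [], "sms": []}


def weak_reset_request(phone_answer):
    """Flawed flow: the phone number is checked only as a static KBA answer,
    and the reset token is then delivered to e-mail. Returns token on success."""
    if not hmac.compare_digest(phone_answer, ACCOUNT["phone"]):
        return None
    token = secrets.token_urlsafe(16)
    outbox["email"].append(token)
    return token


def oob_reset_request():
    """Out-of-band flow: a one-time code goes to the registered phone, and the
    server keeps only a digest of it. Returns the digest to store server-side."""
    code = f"{secrets.randbelow(10**6):06d}"
    outbox["sms"].append(code)
    return hashlib.sha256(code.encode()).hexdigest()


def oob_reset_complete(stored_digest, submitted_code):
    """Constant-time check of the submitted code against the stored digest."""
    digest = hashlib.sha256(submitted_code.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


def attacker_succeeds(flow):
    """Attacker knows the phone number and reads e-mail only. Returns True if
    that is enough to complete a reset under the chosen flow."""
    outbox["email"].clear()
    outbox["sms"].clear()
    if flow == "weak":
        token = weak_reset_request(ACCOUNT["phone"])
        return token is not None and token in outbox["email"]
    if flow == "oob":
        digest = oob_reset_request()
        # The code went to SMS; the attacker's view is the e-mail channel only.
        return any(oob_reset_complete(digest, m) for m in outbox["email"])
    raise ValueError(f"unknown flow: {flow}")


def legitimate_oob_reset():
    """The phone holder reads the SMS and completes the reset."""
    outbox["sms"].clear()
    digest = oob_reset_request()
    return oob_reset_complete(digest, outbox["sms"][0])
```

The weak flow hands the attacker a valid reset token, while the out-of-band flow leaves the mailbox holder with nothing to submit because the authenticator never transits the compromised channel.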
In the first breach, the hacker claims that once he had access to the Twitter administrative application, he was able to access confidential information about Twitter users. If this is the case, it presents one final question: why does a product manager have access to a production system with confidential user data? If so, it seems like an issue of excessive privileges.