Hacktivists

Minor hack highlights vulnerability of third-party Twitter apps

August 20, 2013: 3:28 PM ET

A hacker calling himself "Mauritania Attacker" listed the names and some account information (no passwords) of 15,000 Twitter users. It's probably a good idea for users to clean up their apps.

FORTUNE -- A hack of Twitter exposing thousands of usernames and associated third-party access tokens appears not to have done any real damage, but it has made a lot of people realize how many third-party apps they have authorized, inspiring many of them to do some precautionary housecleaning.

That's probably a good idea. You need third-party apps to, among other things, sign in to websites to make comments, connect to Twitter through mobile devices, and authorize utilities such as link shorteners. But the more apps you have, the more vulnerable you are, and you should at least know which apps you have authorized. They can be found here. You might be surprised to see how quickly they have piled up. While you're at it, do the same with your Facebook (FB) apps.

Someone with the handle "Mauritania Attacker," purporting to be acting on behalf of "Islam," published a list of 15,000 usernames and their associated authorization (OAuth) tokens that connect users to apps without the need to reveal account passwords. Someone with that information and the right script could potentially gain limited access to user accounts. There is no indication that this has happened in this case, and Twitter has said that no accounts have been compromised.


The hacker claims to possess "the entire database of users on Twitter." The 15,000 account details were published in plain text on the file-sharing site Zippyshare. One security expert told Mashable that it might be possible for someone to use the information to, for example, post under a user's name, but it's highly unlikely that a hacker could gain full access to an account.

The best defensive measure is to remove all apps, then reconnect to them, creating new tokens for each. It's a good idea to do this every so often, since the tokens never expire.

Mauritania Attacker has made the news before. He is supposedly the founder of AnonGhost, a group that has claimed credit for attacks on thousands of websites, many of them associated with western business interests, particularly the oil industry.

In an interview with Reuters in June, Mr. Attacker insisted that members of AnonGhost are "not extremists" and mean only to "defend the dignity of Muslims."


The group's dignity defending, according to Reuters, has included attacks on "kosher dieting sites" and "American weapon aficionado blogs." The group defaces sites "with messages about Islam and anti-Zionism."

Though AnonGhost has never mounted a serious attack, it is prolific, having defaced thousands of websites. For that reason, despite its relative toothlessness (so far), Cyber Defense magazine listed it as one of the most active groups of "hacktivists" in the first quarter of this year.
