It only lasted a few minutes but as the account has 120,000 followers – it caused quite a stir. It’s not known how the hackers who call themselves ‘Script Kiddies’ got access to the account, but my guess would be social engineering.

Hackers calling themselves the Script Kiddies took control of the NBC News Twitter account on Friday afternoon and used it to send out a series of hoax Twitter messages claiming there was a repeat terrorist attack on New York’s Ground Zero.

The Script Kiddies had control of the account, which has more than 120,000 followers, for about 10 minutes before it was suspended. During that time they sent three messages stating that hijackers had crashed two airplanes on the site of the Sept. 11, 2001, terrorist attacks. “This is not a joke, Ground Zero has just been attacked. We’re attempting to get reporters on the scene. #groundzeroattacked.” said one of the messages.

Then, a minute later, perhaps sensing that the jig was up, they wrote. “NBCNEWS hacked by The Script Kiddies. Follow them at @s_kiddies!”

That s_kiddies Twitter account was immediately suspended, but according to a cached version of the page, the group describes themselves as “Anonymous Supporters :: Hackers :: Exploiting simplistic methods with hilarious results :: Occasionally doing it for teh lulz :: We are The Script Kiddies.”

The hack was brought to an abrupt end fairly shortly and the perpetrators own Twitter account was also suspended – @s_kiddies.

No major damage was done, but it does interest me as to how this was achieved – it has happened numerous times to celebrities on Twitter. I would have thought a fairly serious news organization would have better controls and processes in place though.

This hack doesn’t have anything to do with the Anonymous group though, it seems to be for the lulz more than anything else.

This type of account compromise is a regular occurrence on Twitter, although it is typically celebrities, and not trusted news organizations, that fall victim. Often the accounts are taken over following a phishing attack. Script Kiddies did not respond to an email asking them how they managed to take over the NBC News account.

Script kiddies is a hacking term, referring to technically unsophisticated hackers who rely on automated scripts rather than hacking wiles to conduct their online attacks.

Friday wasn’t exactly a gold star day for accuracy on Twitter. Earlier in the day, an account associated with CBS News show “What’s Trending” erroneously posted a Twitter message citing rumors that Apple founder Steve Jobs had died. That message was quickly deleted and “What’s Trending” apologized.

I guess this may well be the new Web2.0 version of defacement for a new generation of Script Kiddies – breaking into high profile Twitter/Facebook accounts and spamming them with humorous or offensive updates.

I don’t think there will be any more to this story than what has already been published, I’m sure we’ll see many more similar cases in the future though.

Source: Network World

They posted an update on the status blog pretty fast that the XSS had been identified and they were in the midst of patching it.

Hackers have exploited a flaw in Twitter, which results in pop-ups and third-party websites being opened despite users simply hovering over links with their mouse.

Hundred of Twitter users, including Sarah Brown – wife of the former Labour Prime Minister Gordon Brown – have fallen victim to the attack. In some cases the third-party websites that are open are pornographic. The malicious links contain Javascript code, called onMouseOver, which allows users to redirected, even if they haven’t clicked on the link.

Graham Cluely from security firm Sophos said in a blog that at present the flaw is being exploited for “fun and games” although “there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed”.

Cluley advised Twitter users to avoid using the Twitter website and instead rely on a third-party client such as Tweetdeck to access the service.

Most ‘attacks’ were pretty harmless with users just having fun with the bug, there were some pretty dodgy incidents though involving shocks sites (goatse or tubgirl anyone?) and hardcore porn sites.

There’s also a good write-up on the Sophos blog here with screen-shots:

Twitter ‘onmouseover’ security flaw widely exploited

A full post on the issue from Twitter is available here:

All about the “onMouseOver” incident

I like how they are responsible about such things and don’t try to hide them. If you are on Twitter and you want the latest updates about such matters you should follow the @safety account.

Source: Network World

I had a spam tweet appear in my stream a while back and like Guy Kawasaki I also had absolutely no idea where it came from.

Perhaps some kinda XSS flaw in Twitter when I visited a site that spawned the message (in a hidden iframe perhaps).

It wouldn’t be the first time Twitter was having security problems, just this time it’s not something that’s gone public. Spammers are using it to entice people to watch Sex Tapes and visit affiliate sites.

Former Apple Macintosh evangelist Guy Kawasaki posts Twitter messages about a lot of different thing, but the message he put up on Tuesday afternoon was really out of character.

“Leighton Meester sex tape video free download!”

His message included a link that, after some further clicking, landed Kawasaki’s followers on a fake porn site where online criminals try to install a nasty Trojan horse program on victim’s computers. And in an interesting twist, the program attacks both Mac and Windows users.

Kawasaki, a well known entrepreneur who is now a a managing director of Garage Technology Ventures, isn’t the only person whose account was misused during a new round of Twitter hacking Tuesday, but with nearly 140,000 followers he’s the most high-profile. Meester, the star of the TV Show GossipGirl is also said to be the subject of a homemade sex tape that is reportedly in circulation.

Apparently 1,600 people clicked on the link, probably because most people don’t know who Leighton Meester is, they would have had more luck with Lady Gaga or Britney Spears sex tapes :D

They would have better results hijacking his account, but I suspect they didn’t have access. He just clicked the wrong link or viewed the wrong site once and that spawned the message.

It’s possible there could a flaw in the Twitter API too and with some kinda fuzzing or brute force you can broadcast messages.

It’s not clear how hackers managed to gain access to Kawasaki’s account — security experts say that he and others may have fallen victim to earlier Twitter phishing attacks, where attackers tried to trick victims into logging into fake Twitter sits in hopes of stealing their login credentials.

Other hacked accounts are being used to to promote pornographic Web sites. Victims include an Arizona political blogger, an up-and-coming Canadian musician, and a Gay news site. (note, some of these Twitter pages still include pornographic and possibly malicious links)

Twitter has had its share of security problems over the past months. Earlier this year someone gained access to the Twitter accounts of U.S. President Barack Obama, Britney Spears, and others.

Recently scammers have become more aggressive on the site. They will set up new accounts and post spam messages on hot topics in hopes of gaining clicks when people search through Twitter.

Twitter have recently set up a system for verified accounts, I hope they also ensure these accounts stay secure and in the hands of the right people.

It’ll be interesting to see what turns up, if someone makes another flaw in Twitter public.

I hope they do as it’ll make the system more secure for everyone.

Source: PCWorld