Sunday, February 06, 2011

How I Discovered a Security Vulnerability in Twitter That Impacted 1.5 Million Users

In addition to being involved in startups, I enjoy finding system vulnerabilities as a side hobby. And I’ve found my fair share (see my about page, scroll down towards the bottom). The startup people I hung out with online in the mid-to-late ’90s were on IRC, before the startup incubators existed. This is where the cyber culture revolved around the discovery and sharing of new information. A little-known factoid: before Shawn Fanning created Napster, the music software, he was known as “napster” on IRC. We ran in the same circles, finding and demonstrating security vulnerabilities through software we’d write and share. (I later joined Napster-the-company in 1999.) A couple of weeks ago, I found another security vulnerability that impacted 1-1.5 million Twitter accounts.

Discovery
On January 19, 2011, I received a reply to a support ticket that I had filed on one of my business accounts. The support agent needed more information, so I jumped into my ticket dashboard (everyone on Twitter has a ticket dashboard — just go to http://support.twitter.com). When I went there, I didn’t see my ticket listed. Thinking it was just a glitch, I looked at an old ticket that was listed and back to the new email. I manipulated a few data fields, hoping it would work. As soon as I pressed enter, the ticket I was looking for showed up. Great, must be a temporary display glitch on my account. In any case, I was happy to be able to work with the ticket. I tried to reply to the ticket on the system. Strange, it didn’t attach my message. That’s when I noticed the account name didn’t match mine – it said @null instead of my business account name. Maybe I wasn’t supposed to see this. I finagled around with the data fields and suddenly I was staring at someone else’s support ticket — one that showed his password (he had written it as part of his ticket). This is Not Good.
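The bug described above is a missing ownership check on the ticket lookup: the server trusted the ticket identifier in the request and never verified that the logged-in account had filed it. The following is an added illustration, not Twitter's code, using a constructed in-memory ticket store and made-up account names; it shows the unchecked lookup next to a hardened one that scopes reads to the caller and logs denials so tampering is visible to defenders.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    owner: str   # account that filed the ticket
    body: str

# Constructed sample data standing in for a support-ticket backend (hypothetical).
TICKETS = {
    1001: Ticket(1001, "@mybusiness", "Agent asked for more details; here they are."),
    1002: Ticket(1002, "@someone_else", "Can't log in. My password is hunter2."),  # made-up secret
}

AUDIT_LOG: List[str] = []  # a real service would ship these denials to its SIEM

def lookup_ticket_vulnerable(requesting_user: str, ticket_id: int) -> Optional[Ticket]:
    """Insecure direct object reference: the only 'check' is that the id exists.
    The caller's identity is never compared with the ticket's owner, so any
    authenticated user who alters ticket_id reads another user's ticket."""
    return TICKETS.get(ticket_id)

def lookup_ticket_hardened(requesting_user: str, ticket_id: int) -> Optional[Ticket]:
    """Authorization check on every read: the ticket must belong to the caller.
    Missing and not-owned tickets both return None, so the response does not
    reveal which ids exist; a not-owned read is logged for detection."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        return None
    if ticket.owner != requesting_user:
        AUDIT_LOG.append(f"DENY user={requesting_user} ticket={ticket_id} owner={ticket.owner}")
        return None
    return ticket

def count_denials_for(user: str) -> int:
    """Detection hook: number of denied ticket reads attributed to one account.
    A burst of these from a single account is the signal to alert on."""
    return sum(1 for line in AUDIT_LOG if f"user={user} " in line)

if __name__ == "__main__":
    leaked = lookup_ticket_vulnerable("@mybusiness", 1002)
    print("vulnerable lookup returned:", leaked.body if leaked else None)
    print("hardened lookup returned:", lookup_ticket_hardened("@mybusiness", 1002))
    print("denials logged for @mybusiness:", count_denials_for("@mybusiness"))
```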

Impact
If you ever submitted a support ticket for Twitter (and a lot of you did), you were impacted by this. All support tickets – at the time, 1.5+ million! – were exposed. To protect user privacy, I will not post the screenshots of tickets that contain private information.

Read more: BostInnovation