Wayne Chang recently discovered a security glitch on Twitter that had left 1.5 million support tickets exposed, complete with names and passwords. Chang worked with the team at Twitter to resolve the problem but the story is a lesson in why customers should be proactive with particular sensitivities to the risks in using Twitter or any general, free service.Former Napster employee and serial entrepreneur
It also shows the benefits of working with services that use third party support programs such as Zendesk that track issues in case a flaw is discovered.
In a blog post filed this week, Chang wrote that he has always taken it as an interest to discover security vulnerabilities in online systems. Back in the 1990s he mixed in a group that wrote their own software to discover security flaws. One of his fellow hackers went by the name "napster." That was Shawn Fanning, who went on to found Napster. Chang joined the company in 1998.
Those Gatsby days are now only stories but the spirit of discovering massive security flaws is still an adventure for many. A few weeks ago, Chang realized he had a big one on his hands when he found himself peering into the Twitter customer support network. With a few manipulations he had gained access to Twitter's support network - a community with more people in it than most any online service.
Here's what happened. Chang received a reply to a support ticket that he had filed for one of his business accounts. The support desk needed more information. He opened the Twitter dashboard for open tickets. He did not see his ticket listed. Thinking nothing of it he looked at an old ticket and made the discovery he was looking at the account of someone else:
I looked at an old ticket that was listed and back to the new email. I manipulated a few data fields, hoping it would work. As soon as I pressed enter, the ticket I was looking for showed up. Great, must be a temporary display glitch on my account. In any case, I was happy to be able to work with the ticket. I tried to reply to the ticket on the system. Strange, it didn't attach my message. That's when I noticed the account name didn't match mine - it said @null instead of my business account name. Maybe I wasn't supposed to see this. I finagled around with the data fields and suddenly I was staring at someone else's support ticket -- one that showed his password (he had wrote it as part of his ticket). This is Not Good.
- After review he found a mixture of different information that was revealed. It included"
- Account passwords
- Contact information, including addresses and phone numbers
- API keys and consumer secret keys
- VIP requests, related to movie stars
- Brand impersonations, large multinational companies wanting certain accounts deactivated/removed
- And 419 scams.
The attention at that point turned to Zendesk, which Twitter uses for its support desk. Chang set up a number of accounts. It looked like the problem only affected a subset of users on Twitter.
This is where services like Twitter fall short. It became a project just to find the right person to contact. This is a problem that I have personally felt in the past few weeks when trying to get someone from Tweetdeck to help me get my columns back. I gave up and now use Seesmic.
Twitter is now working through the issues so they can be better contacted in case of security issues of critical importance.
But this all brings up a classic problem. General, free services are excellent for fostering transparent, rich communities. But larger enterprises are anything but open. They do want to be more transparent but security by its nature is designed to be a barrier. Barriers by definition are solid blocks. It's difficult to marry those concepts unless the ultimate security is put into place.
And that's trust networks.
What is needed are better identity systems to avoid any kind of password problems. Google Apps Marketplace maintains a policy for single sign on. That makes it viable to offer apps that can help people work in a secure ecosystem.
Twitter is still of magnified importance but to use it enterprise managers would be wise to modernize its identity systems to avoid the worst of all outcomes.
And that's the spectre of stolen corporate accounts. Once that happens all semblance of trust is lost. That wastes valuable time which takes ages to rebuild.
(Image source: BostonInnovation)