15k Twitter Account Hacked, A True Story?

Few days back an article was published on techworm.in, where a hacker named "Mauritania Attacker" leaked claimed to leak thousands of twitter accounts, the data was made available for public to use and was uploaded on zippyshare.com. The data contained the twitterid, twitternick, oauthtoken nand oauth_token_secret.

How Was the data breached?

Well, it seems to me that the database of a third party app was breached which contained the list of Oauth tokens. In laymen terms oauth is used for authorizing the third party applications without the need of giving them the password. 

The application is granted an access token which it uses to authorize it selves, which means that an attacker having hold of the access token would be able to access the twitter accounts without the need of a password. The Oauth tokens can be easily be by tampering the request with a webapplication proxy such as Tamper Data, Burp suite etc. Twitter has recently introduced Two step authentication, however it isn't much handy in this case.

How Twitter Users Can Protect Themselves?  

Well, if the attacker keeps compromising database of the third party applications and getting the hold of the oauth tokens, then their is not much that twitter can do, Since they can protect their database from being breached, however they certainly have no hold of the third party application database.

Twitter users are advised to revoke access to all the third party application and reauthorize them, therefore the access tokens would be expired and the attacker would not be able to use them. Twitter users should only use trusted third party applications and when they are not using any of them, they should revoke the access so that the access token would be expired.

Facebook, has also known issues with their oauth in past, Security reseachers have pointed multiple flaws and all of them relied upon stealing of the oauth tokens, The issue with twitter in this case is a bit different, the access tokens were compromised due to a third party app, whereas in facebook oauth tokens could have been compromised due to a flaw inside it's design.

Twitter has denied the claims made by an attacker that any part of the twitter's database was compromised, which seems true to me. The Mauritania Attacker has posted a status on his facebook that he will reveal exactly how the access tokens were compromised today to techworm.

Stay subscribed to RHA for more of the security insights.