Britney Spears Twitpic account hacked; fake death posted

A vulnerability in a third-party service through which users post photos to their Twitter profiles allowed hackers on Sunday to falsely report that Britney Spears had died.

The attackers, apparently preying on the fact that several notable celebrities died last week, including Michael Jackson, were able to post a message to Spears' Twitter profile that claimed she, too, had passed away.

Twitpic founder Noah Everett, in a blog post Monday, said the attackers used a technique known as brute force to guess the email PINs of about 10 users, which they were able to use to automatically post messages to various Twitter pages. Everett did not address Spears by name in his post.

The intruders tried every possible combination of the PIN until they got it right, Everett said. Twitpic has since fixed the vulnerability.
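The article does not say how Twitpic fixed the flaw. As an added example (not Twitpic's code), here is one common defense against guessing a posting PIN: a per-account failure limit with a lockout. The `user.PIN@host` address format, the limits and the sample accounts are assumptions made for illustration.

```python
import hmac
import time

MAX_FAILURES = 5            # assumed policy: wrong PINs allowed before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy: lockout length in seconds


class PinGate:
    """Checks the PIN in an email-to-post address and throttles guesses per account."""

    def __init__(self, pins, clock=time.monotonic):
        self._pins = pins        # username -> secret PIN (constructed sample data)
        self._clock = clock      # injectable so the lockout can be tested
        self._state = {}         # username -> (failure count, locked-until time)

    def check(self, recipient):
        # Assumed address format: user.PIN@host; the PIN follows the last dot.
        local = recipient.split("@", 1)[0]
        user, _, pin = local.rpartition(".")
        now = self._clock()
        failures, locked_until = self._state.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"      # even the correct PIN is refused while locked
        expected = self._pins.get(user)
        # Constant-time comparison; unknown users are compared to a dummy value.
        match = hmac.compare_digest(pin.encode(), (expected or "\0").encode())
        if expected is not None and match:
            self._state.pop(user, None)
            return "accepted"
        failures += 1
        if failures >= MAX_FAILURES:
            self._state[user] = (0, now + LOCKOUT_SECONDS)
        else:
            self._state[user] = (failures, 0.0)
        return "rejected"


def days_to_exhaust(pin_digits):
    """Days needed to try every numeric PIN of this length under the policy above."""
    guesses_per_day = MAX_FAILURES * (86400 / LOCKOUT_SECONDS)
    return 10 ** pin_digits / guesses_per_day


if __name__ == "__main__":
    gate = PinGate({"alice": "4821"})
    print(gate.check("alice.0000@photos.example"))
    print(f"4-digit PIN space exhausted in {days_to_exhaust(4):.1f} days")
```

Under these assumed limits a four-digit PIN still falls in about three weeks of patient guessing, so throttling needs to be paired with a longer secret and alerting on repeated failures.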

"I want to stress that no account information was compromised," he wrote. "The vulnerability only allowed someone to post a photo to Twitpic/Twitter on someone's behalf, but did not allow access to their account in any way. Once we were made aware of the issue, we immediately began working on a fix and also shut down [our] email system to prevent any unauthorized posting."

The post has been removed from Spears' account.

The latest tweet from the celebrity, posted Sunday afternoon, said: "Britney's Twitter was just hacked. The last message is obviously not true. She is fine and dandy spending a quiet day at home relaxing."

Spears has more than 2.1 million followers, making her one of the most popular Twitter users.

Similar messages also were posted to the accounts of Ellen DeGeneres and Miley Cyrus, according to reports.

"I want to make it clear that this was not a Twitter issue, but a Twitpic issue, and I take full responsibility for it," Everett wrote, adding that an investigation, in conjunction with internet service providers, is underway to determine the source of the attacks.

Ironically, the attacks came just three days before researcher Aviv Raff is set to launch his "Month of Twitter Bugs" project, which will unveil a vulnerability a day in the third-party services that use the Twitter application programming interface (API), such as Twitpic. Raff said he was not surprised to hear of the incidents over the weekend.

"Third-party Twitter services are just another way to [Tweet] to the world, and attackers will try to abuse it," Raff said in an interview with SCMagazineUS.com on Monday via instant messenger. "This is what the 'Month of Twitter Bugs' is all about. To bring up the awareness for Twitter services developers and understand that they put all Twitter users at risk when they develop an insecure code."

Twitter on Saturday released a “Security Best Practices” document for its API users.
