A vulnerability in a third-party service through which users post photos to their Twitter profiles allowed hackers on Sunday to falsely report that Britney Spears had died.
The attackers, apparently preying on the fact that several notable celebrities died last week, including Michael Jackson, were able to post a message to Spears' Twitter profile that claimed she, too, had passed away.
Twitpic founder Noah Everett, in a blog post Monday, said the attackers used a technique known as brute force to guess the email PINs of about 10 users, which they were able to use to automatically post messages to various Twitter pages. Everett did not address Spears by name in his post.
The intruders tried every possible combination of the PIN until they got it right, Everett said. Twitpic has since fixed the vulnerability.
"I want to stress that no account information was compromised," he wrote. "The vulnerability only allowed someone to post a photo to Twitpic/Twitter on someone's behalf, but did not allow access to their account in any way. Once we were made aware of the issue, we immediately began working on a fix and also shut down [our] email system to prevent any unauthorized posting."
The post has been removed from Spears' account.
The latest tweet from the celebrity, posted Sunday afternoon, said: Britney's Twitter was just hacked. The last message is obviously not true. She is fine and dandy spending a quiet day at home relaxing.
Spears has more than 2.1 million followers, making her one of the most popular Twitter users.
Similar messages also were posted to the accounts of Ellen DeGeneres and Miley Cyrus, according to reports.
"I want to make it clear that this was not a Twitter issue, but a Twitpic issue, and I take full responsibility for it," Everett wrote, adding that an investigation, in conjunction with internet service providers, is underway to determine the source of the attacks.
Ironically, the attacks came just three days before researcher Aviv Raff is set to launch his "Month of Twitter Bugs" project, which will unveil a vulnerability a day in the third-party services that use the Twitter application programming interface (API), such as Twitpic. Raff said he was not surprised to hear of the incidents over the weekend.
"Third-party Twitter services are just another way to [Tweet] to the world, and attackers will try to abuse it," Raff said in an interview with SCMagazineUS.com on Monday via instant messenger. "This is what the 'Month of Twitter Bugs' is all about. To bring up the awareness for Twitter services developers and understand that they put all Twitter users at risk when they develop an insecure code."
Twitter on Saturday released a “Security Best Practices” document for its API users.