[WebAppSec] Twitter’s admin panel compromised
One of the best known Rails application, Twitter, was compromised very recently. A French hacker claimed that he gained access to Twitter’s admin panel at https://admin.twitter.com/. Twitter confirmed that an outside individual gained access to details of several accounts, including accounts from Ashton Kutcher, Lily Allen, Britney Spears and Barack Obama.
It seems that the hacker gained access to a Yahoo Mail account of a Twitter employee by answering his “secret question” and thus he could reset the password and access his mail account. In one of the e-mails he found the Twitter administration password.
Here is list of must-have security countermeasures for admin panels:
- Don’t make the admin panel publicly available unless you really have to! It seems that admin.twitter.com was secured with a .htaccess file. I recommend to at least allow access only from several IP addresses.
- Don’t make admin panels pretty, make sure they are Cross-Site Scripting and CSRF-safe! A simple message to the support panel containing Cross-Site Scripting is sometimes already enough to gain access to the panels.
- Forgotten passwords are a huge problem. Resetting it with a simple answer to an easy question is definitely not enough. Sending a password-reset URL to an e-mail address is currently one of the best solutions (but it isn’t totally secure).
- It seems that everyone with access to the Twitter admin panel may do everything. Why can everyone download “emails to gzipped CSV file”? Why not require to re-enter another password for sensitive actions or use a role-based admin user model?
- Someone suggested using authentication tokens that provide a randomly generated key upon login
I wrote about this already a while ago.