Krebs on Security


I would LOVE to be able to change my password on . BUT, every time I've attempted to login, I end up at a page with nothing on it (other than the Twitter styling) except a link labelled Continue and pointing to


Password storage is not the password transmission process. In most cases, when you log in/set a new password this password is being sent (in plain-text form) via some HTTP POST parameter. It's likely that this parameter was included in the log.


P.S. my comments seemed to disappear, so I am posting under a different email address.


Agrawal wrote that while Twitter has no reason to believe password information ever left Twitter's systems or was misused by anyone, the company is still urging all Twitter users to reset their passwords NOW.

Agrawal explains that Twitter normally masks user passwords through a state-of-the-art encryption technology called bcrypt, which replaces the user's password with a random set of numbers and letters that are stored in Twitter's system.

I don't remember mine, nor do I care to.

I wonder if the plain-text passwords written to the log were only mis-typed passwords that failed authentication. Programmers don't usually consider the information leak that logging even failed passwords is.

To turn on multiple factor authentication (MFA), visit your Account settings and enable the Mobile security app option

Yesterday I googled twitter and the top search result was a paid AD that led me to a malicious website that seemed to be downloading 1000s of TMP and CRDOWNLOAD files onto my machine while also creating a red screen with a weird warning message. (At first I thought it was ransomware, and maybe it was but the script was broken?)

After the twitter new terms announcement, I asked twitter if it has a new partnership with Google, as Facebook has a partnership with Google . . . and received no response . . . Now, today I see twitter addresses feature in a large way in a redesigned Google news! It is a valid question, because I viewed twitter as a last hold-out on Google, where I could upload content outside Google's reach. It is valid, if I use Google nearly every time I get on my desktop (no smartphone, yet), because I don't want a behemoth assembling more information on me!

There's a second possibility though, which they probably don't want to accept now: that they had a good number of customer passwords stored in plaintext (or MD5ed or SHA-1ed, which is kinda like storing it in plaintext) and those passwords were exposed.

First it's LinkedIn and Equifax, then it's Facebook/Cambridge Analytica. I was so convinced that Twitter is different. The most interesting thing for me is that they do not provide for how long these passwords were exposed.

Here is the address to change your twitter password:

That is why a partnership with twitter has anti trust implications, because twitter is a popular source for news . . . Which news is popular with a viewer is another inroad into his psychology, which could fine tune influencing ads. Twitter has advantages over Google news. It is my preferred source for certain types of news. It is disturbing to me the news offered via twitter is going to supply Google another source of my mind share.


So if someone stole my password and logged into an app experience, they still own me?

I get your point about privacy, but Cambridge Analytica didn't hack that data. Facebook gave them access.


This is why 2FA and unique keys are so important. In an ideal world, everyone knows your (acceptable) credentials and still can't log in as you. This is how PKI works: instead of providing a symmetric password, you provide an asymmetric portion of a key pair (specifically the public key) at account setup, and at login you're provided with a challenge which you sign using the private portion of the key pair. Ideally anyone with access to the information can verify that you performed the authorization, but no one with the information can use it to produce another.

Even checked both mobile and desktop versions of my account. Nothing: messages, notifications, neither.

A letter to all Twitter users posted by Twitter CTO Parag Agrawal

Pretty please, don't spread that silly kind of paranoia.

Being a person that professionally worries about these things, my guess is that the bug is really poor design and that some debug code was left in production unintentionally. It states above that the passwords were written to a log prior to going through bcrypt, which is just a cypher that can be implemented in whatever way your backend tools want, to oversimplify.

It's a very very very common mistake application developers make:

Enable login verification, also known as two factor authentication. This is the single best action you can take to increase your account security.

-Use a strong password that you don't reuse on other websites.

From the news account I heard last night on the BBC, the exposed passwords were on an internal server and were not exposed externally. I'd say the risk on this is pretty low.

Neither did I, I wouldn't have known at all if not for this

When we are not successfully victimized, law enforcement makes no effort to investigate the crime.

So just how did they alert some accounts?

So the obvious question is why are they storing the passwords in a reversible fashion?

I've gotten two update to ToS and Privacy Policy emails in the last two days but nothing about PWs.

Mobile app does not require re-login.

ZDnet was given a wishy-washy statement that there were only a portion affected, or at least a lot less than 300+ million users. Just as long as they don't tell me "we take our customers' security very seriously"; at least I don't have to hear that, and obviously they don't care.

What KrebsOnSecurity and other Twitter users got when we tried to visit and the Twitter CTO's profile page late in the afternoon ET on May 3, 2018.

Twitter just asked all 300+ million users to reset their passwords, citing the exposure of user passwords via a bug that stored passwords in plain text without protecting them with any sort of encryption technology that would mask a Twitter user's true password. The social media giant says it has fixed the bug and that so far its investigation hasn't turned up any signs of a breach or that anyone misused the information. But if you have a Twitter account, please change your account password now.


One is supposed to remove such logging before shipping, or at least disable it before it goes into production


This entry was posted on Thursday, May 3rd, 2018 at 6:40 pm and is filed under Latest Warnings, Time to Patch. You can follow any comments to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

If $p=storedpassword then $loggedin=true

Good thing I read KOS, because I went to Twitter just to see if there was even a peep about this *nothing* I bet they didn't even send emails out to customers with the news!

This may be much ado about nothing disclosed out of an abundance of caution, or further investigation may reveal different findings. It doesn't matter for right now: If you're a Twitter user and if you didn't take my advice to go change your password yet, go do it now! That is, if you can.

I don't understand one thing, Brian. If they indeed had all passwords encrypted with bcrypt how would they have them in a plaintext form in a log? The only way for that to happen is when someone creates an account. (And that is a very small minority of people.)



I do think it is really significant and shows a lot of integrity that Twitter is being up front about this and asking people to change their passwords even though they think the chances are really good that no one actually accessed them.

I went directly to GitHub and reset my password.

© 2018 Krebs on Security. Powered by WordPress. Privacy Policy

Tags: Parag Agrawal, Twitter password reset, Twitter warns all users to change their passwords now

It would be very easy to capture usernames and passwords on every login not just creation when you have access to the login processing page.

Eh, it's Twitter. Not Paypal, or my bank account, or anything I care about. I still changed my password, but I was in no hurry. I don't reuse passwords in multiple locations.

Nothing happens when you click the link. And no way to change the password. And no (official) way to log out again.

Bcrypt is not state of the art. It is vulnerable to GPUs and FPGAs. State of the art is argon2 or scrypt.

***********Unquote*************************

-Change your password on Twitter and on any other service where you may have used the same password.

When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.

This isn't an attack, as far as we know, just an error. Bad programming.

This allows our systems to validate your account credentials without revealing your password, said Agrawal, who says the technology they're using to mask user passwords is the industry standard.

Normal password submission doesn't really work that way.

Out of an abundance of caution, we ask that you consider changing your password on all services where you've used this password. You can change your Twitter password anytime by going to the password settings page.

Could this be related to the twitter breach? Or perhaps just part of a much larger focused attack on twitter?

Twitter to All Users: Change Your Password Now!

When one sets up an account with this add-on, it logs the provided information (private key, decrypting password, ) in the application's log file.

I'm guessing they are disclosing this now because in 22 days they would be liable for 4% of their turnover in fines under Europe's General Data Protection Regulation.

How ads work on Google partner sites

Anyone care to provide the direct link to the change password page? I can try to access it directly once I have logged in. Doubt it will work, since I've tried directly accessing my profile page and all it does is reload the page described above.

. . . so, telling you to change your twitter passwords may serve other purposes, if twitter has partnered with Google or I should say Alphabet or one of its subsidiaries, by specifying which IP addresses or an IMEI-number of the mobile phone are associated with which twitter accounts, it has exponentially more access to your mind share (is what I label this commodity), as it already does with Facebook. It is no fluke that Facebook profits rocketed after its initial dim earnings reports, after Facebook went public, when Google partnered with Facebook for unparalleled access to user behavior, or the psychological ads which influenced the election scandals, etc. . . . Twitter is the last frontier for Google. It wants it all.

As the article states, enable two factor authentication on your Twitter account.

It's amazing that Twitter didn't force a log-out of all accounts and then force a password reset. (My guess is they don't want to know how many of those signed in accounts aren't really used. i.e. far fewer than they report.)

Many websites and mobile apps partner with us to show ads. These advertisers decide to show given ads to audience types based on personal information our users have shared with us and data we collect about your online activities: for instance, 25-34 year old males who are interested in travel.

Update, 8:04 p.m. ET: Went to reset my password at Twitter and it said my new password was strong, but when I submitted it I was led to a dead page. But after logging in again at twitter.com the new password worked (and the old didn't anymore). Then it prompted me to enter a one-time code from the app (you do have 2-factor set up on Twitter, right?) Password successfully changed!


s/replaces the users password with a random set of numbers and letters that are/calculates a hash of the users password that is/

The new Google news is slow-scrolling. Likely, there is some collection process going on to recreate your session, called session replay, to gather info on your viewing habits, where you pause, and where you click . . . It's a new level of studying user news reading habits. It's all allowed under Google privacy, which allows everything! Here is the term which pertains to that, for what it is worth:

I have sent some more specific questions about this incident in to Twitter. More updates as available.


If for some reason you can't reach m, try again soon. Put it on your to-do list or calendar for an hour from now. Seriously, do it now or very soon.

Even if you have 2FA turned on, your password is exposed in clear text. That means if you are re-using your password somewhere else, you are at risk!

I dont own a twitter account. But I occasionally visit twitter to read tweets from influential people.

Since I always generate new passwords/keys, it didn't bother me a lot, but I certainly won't be using this module for a production system


A very similar message was sent out a few days ago by GitHub via email.

And please don't use a password that you have used for any other account you use online, either in the past or in the present. A non-comprehensive list (note to self) of some password tips are here.

Due to a bug, passwords were written to an internal log before completing the hashing process, he continued. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.
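To make the bug class Agrawal describes concrete, here is an added example (not Twitter's code and not from the original post): a login handler that logs the raw request before the hashing step, beside one that redacts secret fields first, plus a check over the captured log lines. The user table and request are constructed, and hashlib.pbkdf2_hmac stands in for bcrypt only because it ships with the standard library.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data (not real accounts): one user and one login request.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_REQUEST = {"user": "alice", "password": SAMPLE_PASSWORD}
SECRET_FIELDS = {"password", "new_password", "token"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 stand-in for bcrypt (assumption: the page says Twitter uses bcrypt).
    Returns 'salt_hex$digest_hex' so the salt travels with the hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def redact(params: Dict[str, str]) -> Dict[str, str]:
    """Replace secret-bearing fields before anything is written to a log."""
    return {k: ("[REDACTED]" if k in SECRET_FIELDS else v) for k, v in params.items()}


# Constructed user table: only the hash is stored, never the password.
USER_DB = {"alice": hash_password(SAMPLE_PASSWORD)}


def process_login(params: Dict[str, str], log: List[str], redact_secrets: bool) -> bool:
    """Authenticate one request, appending a debug line to `log` on the way.
    redact_secrets=False reproduces the bug class in the article: the raw request
    (password included) is logged before the hashing step ever runs."""
    entry = redact(params) if redact_secrets else params
    log.append(f"login request: {entry}")  # the only line that differs
    stored = USER_DB.get(params.get("user", ""))
    return stored is not None and verify_password(params.get("password", ""), stored)


def log_contains_secret(log_lines: List[str], secret: str) -> bool:
    """Detection: does any captured log line carry the plaintext secret?"""
    return any(secret in line for line in log_lines)


if __name__ == "__main__":
    buggy, fixed = [], []
    process_login(SAMPLE_REQUEST, buggy, redact_secrets=False)
    process_login(SAMPLE_REQUEST, fixed, redact_secrets=True)
    print("buggy log leaks password:", log_contains_secret(buggy, SAMPLE_PASSWORD))
    print("fixed log leaks password:", log_contains_secret(fixed, SAMPLE_PASSWORD))
```

Both handlers authenticate identically; only the buggy one leaves the password recoverable from the log, which is the kind of leak the log check is meant to catch.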


To debug things, they log their inputs.

One thing in all this process about this public event is annoying me: 24 hours before this disclosure, former Microsoft CIO Steve Ballmer sold all his Twitter stock but said he is still confident in the company. After this event, I don't think a proper response was given, since this indicates some of Twitter's partners got privileged information.

Let's try this again: The result of bcrypt is a hash, not a random set of numbers and letters.

What you describe is almost certainly coincidence. Or if it is related, it's probably reactive (i.e. the bad guys know that people will be searching about how to reset their Twitter passwords so think it's a good opportunity to trick people into handing over theirs.)

This underscores the importance of using different passwords for each different service. If you use your password for Twitter elsewhere, better change that as well. It is a common tactic of hackers to try compromised passwords on other known or potential accounts related to their victim.

Please do not change the password, because Twitter wants to track you and send spam

In a post to its company blog this afternoon, Twitter CTO Parag Agrawal wrote:

Brian pretty well wrote what supposedly happened; maybe they ran the data through that bcrypt scheme they said they use, and it dumped the file in a log that was discovered later.



It is laudable that while Facebook and Uber Technologies are facing serious charges of data security, Twitter came to the forefront and urged its 330 million users to change their password. Twitter's response was very professional as theoretically they could have just hidden the incident but rather they confessed that due to a glitch, users' passwords were stored as readable text in its internal computer system instead of disguising them by the process called hashing.

My worry is that these logs were ingested into something like Splunk, or are in backups somewhere. It would be interesting to know how Twitter intends to clean this up.

It wouldn't apply to Disqus, because one logs in via twitter. That little popup is a twitter url. It doesn't make sense to change your log in on twitter services, when the log in is via twitter! The mobile phone stuff I am not acquainted with . . .

To that end, that's the tipping point for me. My process:

To be clear, the Facebook/Cambridge Analytica breach wasn't compromised passwords. The data was pulled from Facebook servers regardless of user login status.

-Use a password manager to make sure you're using strong, unique passwords everywhere.

I received that GitHub message too. I didn't trust the password reset link in the email. I'm surprised GitHub provided links in an email and expected users to click on them. That's encouraging a poor practice. GitHub should know better.

I changed my password on a desktop, but can still access the app on my android phone WITHOUT having to enter my new password.

Not sure why my last attempt at making that point was moderated out.

The above isn't contingent on being signed in to your Google account, but Google collects based on IP address and IMEI-number, which it combines with data from all its partners and affiliates who collect these via their websites if they display AdSense or DoubleClick, so that Google has an ultimate database of a person's interests and behaviors, which it sells, so that websites and services can continue to be used free of charge. What a cost these free services have cost the individual!


Today the AD appears to have been removed from google search results.

A message posted this afternoon (and still present as a pop-up) warns all users to change their passwords.

Received a message from Github as well, but only on one of my accounts that has been created in the last two months.

I just set up an open source add-on for an open source tool.

Or if you don't trust links in blogs like this (I get it) go to and change it from there. And then come back and read the rest of this. We'll wait.

Interesting, I didn't get that message.
