Twitter feeling the pains of success

Recently, Twitter settled a case with the FTC that it failed to adequately protect its users’ data and privacy.  From PogoWasRight:

The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain administrative control of Twitter, including access to tweets that consumers had designated private, and the ability to send out phony tweets pretending to be from then-President-elect Barack Obama and Fox News, among others.

In January 2009, a hacker used an automated password-guessing tool to gain administrative control of Twitter, after submitting thousands of guesses into Twitter’s login webpage. The administrative password was a weak, lower case, common dictionary word. Using the password, the hacker reset numerous user passwords and posted some of them on a website, where other people could access them. Using these fraudulently reset passwords, other intruders sent phony tweets from approximately nine user accounts. One tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline. At least one other phony tweet was sent from the account of Fox News.

According to the FTC’s complaint, Twitter was vulnerable to these attacks because it failed to take reasonable steps to prevent unauthorized administrative control of its system, including:

  • requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
  • prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
  • suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
  • providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
  • enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
  • restricting access to administrative controls to employees whose jobs required it; and
  • imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.

Under the terms of the settlement, Twitter is barred from misleading the public for 20 years about the extent to which it maintains and protects privacy and security of the consumer (this leads me to two questions: (1) I guess after 20 years it’s okay for Twitter to mislead the public, and (2) Why does the government even have to force Twitter to do this?).

The above administrative controls are pretty standard in large organizations that have been dealing with security for a while and have comprehensive security policies.  Locking people out of their accounts after failed password guessing attempts have been around for a long time, especially for banks.  Restricting access to admin controls by IP access allows firms to prevent any old person from logging in from anywhere.  This can be inconvenient for traveling employees, but you can get around that by using technology such as key fobs with time sensitive keys.

This is a matter of a small company growing too quickly and not being ready for the amount of ways it could be exploited.  When you start off a company, you’re more worried about getting a product up and running and not thinking too much about security, you’re thinking of ways to allow your employees access to keep the service going.  It’s only later that security comes into play (most of the time).  This boils down to user experience (ie, of the employees of the company and their lack thereof).