WebProWorld
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

  #1 (permalink)  
Old 07-17-2009, 07:18 AM
WebProWorld New Member
 
Join Date: Jul 2009
Location: Belgrade
Posts: 17
zanes RepRank 0
Default TwittFail

How is it possible to hack a Gmail account?
Twitter confidential document leaks via Gmail.
__________________
Mobile phone accessories - iPhone battery - Nokia battery
  #2 (permalink)  
Old 07-20-2009, 04:48 PM
WebProWorld Pro
 
Join Date: Dec 2007
Posts: 268
MrGamm RepRank 3
Default Re: TwittFail

It's really quite easy... First off... there is a high demand from employers to monitor employees' machines, so remote admin features along with keystroke recorders make what you type into your computer accessible to basically anyone with the predisposition to check you out.

Add to the fact that any number of pirated pieces of software are the ultimate distribution network of malware... Need to steal a credit card number? Upload a popular piece of software with a piece of malware into it...

Then, there are network packet sniffers, which is not my area of expertise... so I will lay off it...

Then there are weak passwords...

Your question in particular is sort of similar to asking a victim what they were doing walking down the street to get them mugged... or asking a woman in a women's shelter what she did to anger her husband... or asking a car owner what they did to get their car stolen...

Finally... there are Public Relations agendas... who's to say the documents were even stolen? Why not give the public a pre-planned assessment of a company to save them from the chopping block and put them into martyr stardom status?


Oh... and Gmail is free... so why should it be in anyone's best interest to protect your mail and its contents? They need to serve ads with those emails, correct? If it had the Postini encryption... well... it's anybody's guess and the things I mentioned above still apply...

Why not bump up to a mail service in which an individual can train you on how to use PGP... or something similar? I have heard it is amazing and it's freeware to my knowledge...
__________________
James Weisbrod - programmer

Last edited by MrGamm; 07-20-2009 at 04:53 PM.
  #3 (permalink)  
Old 07-20-2009, 05:22 PM
WebProWorld New Member
 
Join Date: Jul 2009
Location: Belgrade
Posts: 17
zanes RepRank 0
Default Re: TwittFail

Just to summarize the attack:
  1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.
  2. HC then read emails to successfully guess what the original Gmail password was, and reset the password so the Twitter employee would not notice the account had changed.
  3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
  4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
  5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
  6. Even at this point, Twitter had absolutely no idea they had been compromised.
btw, Gmail is not free.
__________________
Mobile phone accessories - iPhone battery - Nokia battery
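
An audit a defender could run over their own account inventory, added here as an example and not part of any post in the thread: it flags recovery mailboxes that have not been re-verified recently and lists every account that could be reset, directly or through a chain, by whoever holds such a mailbox. It models only the password-reset path from steps 1, 4 and 5, not password reuse; all addresses, dates and the 180-day threshold are constructed assumptions.

```python
from datetime import date

# Constructed inventory (not data from the thread): each account names its
# password-reset mailbox and the date that mailbox was last confirmed reachable.
ACCOUNTS = {
    "alice@corp.example": {"recovery": "alice@webmail.example", "verified": date(2009, 6, 1)},
    "alice@webmail.example": {"recovery": "alice@oldmail.example", "verified": date(2005, 3, 9)},
    "domains@registrar.example": {"recovery": "alice@corp.example", "verified": date(2009, 3, 15)},
    "bob@corp.example": {"recovery": "bob@webmail.example", "verified": date(2009, 7, 1)},
    "bob@webmail.example": {"recovery": None, "verified": None},
}
TODAY = date(2009, 7, 20)  # constructed audit date

def stale_recovery(accounts, today, max_age_days=180):
    """Return {account: reason} for reset links that can no longer be trusted."""
    findings = {}
    for name, info in accounts.items():
        if info["recovery"] is None:
            continue  # no e-mail reset path to audit
        if info["verified"] is None:
            findings[name] = "recovery mailbox never verified"
        elif (today - info["verified"]).days > max_age_days:
            age = (today - info["verified"]).days
            findings[name] = "recovery mailbox last verified %d days ago" % age
    return findings

def blast_radius(accounts, mailbox):
    """Accounts resettable, directly or through a chain, by whoever holds `mailbox`."""
    reached, frontier = set(), [mailbox]
    while frontier:
        current = frontier.pop()
        for name, info in accounts.items():
            if info["recovery"] == current and name not in reached:
                reached.add(name)  # the seen-set also stops recovery loops
                frontier.append(name)
    return reached

def audit(accounts, today, max_age_days=180):
    """Map each untrusted recovery mailbox to the sorted accounts it exposes."""
    report = {}
    for name in stale_recovery(accounts, today, max_age_days):
        mailbox = accounts[name]["recovery"]
        report[mailbox] = sorted(blast_radius(accounts, mailbox))
    return report

if __name__ == "__main__":
    for mailbox, exposed in audit(ACCOUNTS, TODAY).items():
        print("%s -> %s" % (mailbox, ", ".join(exposed)))
```

In the constructed data a single unverified mailbox exposes a personal account, the work account behind it and the registrar login behind that, which is why the re-verification date matters more for mailboxes near the root of a chain.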
All times are GMT -4.


