Ronny Lam

about://tech

How I Lost My Twitter Username

Somehow I was stunned by this story of Naoki Hiroshima losing his Twitter Username “@N”. As we know from the past some people find it a game to target short Twitter handles, just for fun. The same happened to Mat Honan a couple of months ago.

The big problem here is chain-hacking. The attacker is using a weakness in one or more other systems to get the right information or change things in order to get to the target. In the case of Mat Honan it was a combination of process vulnerabilities in both Amazon and Apple. In the case of Naoki Hiroshima it is a combination of process vulnerabilities in PayPal and GoDaddy. The trick here was that the attacker would gain and take over access to Naoki’s GoDaddy account and could change the MX-records to reroute Naoki’s email-delivery. When using custom-domains to authenticate account information on certain websites this is indeed a vulnerability and is as strong as the security of the registrar of your domain.

Naoki’s suggestion is a good one. Do not use your custom domain to register with websites, but use a gmail account. One of the commenters also suggests that if you use Google Apps you can use the username@my-domain.com.test-google-a.com domain to register. Key here is that it is almost impossible for an attacker to forge the Google DNS.

When asking my own registrar MijnDomein for a response the reply was that this was nearly impossible here because transferring a domain requires a token. The responser obviously did not read the article. My question is what their policies are when someone calls them, crying, that he or she cannot access their account anymore. And comes up with some vague details that everyone can find on the web.

The problem is that chain-hacking is hard to fight. There is always some individual in a company that is vulnerable to die-hard social engineering.

Comments