Twitpic has patched a vulnerability that saw Britney Spears’ Twitter account report her death a few hours ago.
The tweet, which read “Britney has passed today. It is a sad day for everyone. More news to come”, was accompanied by a Twitpic link. Britney Spears’ management and Twitpic both acted relatively quickly to resolve the issue. Approximately two hours after the initial tweet Britney’s account had deleted the message and posted
“Britney’s Twitter was just hacked. The last message is obviously not true. She is fine and dandy spending a quiet day at home relaxing”.
Of course, in the two hours from posting the tweet had been retweeted hundreds of times.
Meanwhile Twitpic posted the following information at their account:
“Regarding @britneyspears‘s latest twitter post this is NOT true. We have discovered a vulnerability in our mobile posting system…”
“…where someone can brute force someone’s twitpic email address (i.e. guess their PIN number by trying every combination)…”
They later added: “We’ve implemented a fix for the email posting vulnerability, a full blog post explaining the issue will be released soon”.
Interestingly, the first two of these tweets have since been deleted but still show up on Twitter Search.
Although the promised blog post explaining the vulnerability has not yet been published, it’s possible that it relates to Twitpic logins requiring using Twitter login credentials but not via Twitter’s OAuth system. If this is the case, it means that anyone who successfully hacks Twitpic would have full access to the compromised Twitter account. It’s another example of why all Twitter tool developers should be using OAuth.
Update: Although Twitpic have yet to post more complete details of exactly what happened in this specific case (which also saw other celebrity accounts hacked), a commenter to this post has given some more details on how the exploit works. ”
“The TwitPic vulnerability is dead simple – send 9999 emails to Twitpic, updating the PIN (firstname.lastname@example.org, email@example.com, etc.) And you eventually hit the PIN combination. This would never reveal one’s Twitter username and password.”
If it’s as simple as that it’s amazing this didn’t happened sooner.
Read next: Vodafone looking to gobble up T-Mobile UK