Twitter files leaked in ‘cloud’ lapse - Potential security weakness in internet-based software
By Richard Waters and Joseph Menn in San Francisco
Copyright The Financial Times Limited 2009
Published: July 15 2009 23:53 | Last updated: July 15 2009 23:53
http://www.ft.com/cms/s/0/21d018e6-7190-11de-a821-00144feabdc0.html
Twitter on Wednesday fell foul of a potential security weakness that lies at the heart of “cloud”, or internet-based, software applications, leading to the leak of a raft of internal documents from the internet start-up.
The leaked documents included a forecast of Twitter’s projected annual revenues in 2013. It was one of more than 300 internal Twitter documents that TechCrunch, the online news site, said it had been sent by an anonymous hacker.
The documents were taken from an account that a Twitter employee held at Google Apps, an online service that replicates many of the features of standard PC software but relies on users storing their data on Google’s own servers.
Google and Twitter, both of which rely heavily on internet users’ confidence in the security of web services such as this, were quick to deny that the leak had exposed any deeper flaws in the use of online applications, known as “cloud computing”.
However, the embarrassing leak from Silicon Valley’s most closely-watched start-up has highlighted a common security flaw that has become a concern to other companies whose employees submit confidential corporate information to “cloud” services.
The applications are generally protected only by simple passwords, which most computer security professionals view as notoriously vulnerable. The mechanisms that internet companies use to grant access when users forget their passwords are also subject to abuse, since they are often based only on answering straightforward “security questions”, such as supplying a mother’s maiden name.
Mike Arrington, founder of TechCrunch, claimed that Google’s own security was inadequate, since in some instances it was possible for hackers to recover another user’s password just by answering a security question. “They have a password recovery mechanism we think is flawed,” he said.
Google defended the security of its online applications, but also took the opportunity to encourage its regular users to revisit its site and update their settings to make them more secure.
In a blog post explaining the leak, Twitter also revealed that a hacker had been able to access the Amazon.com and PayPal accounts of Evan Williams, one of its founders, by gaining access to his wife’s e-mail. According to Mr Arrington, Mr Williams had used his dog’s name as the answer to one online security question.
The growing use of online applications has played into the hands of criminals seeking sensitive information, who increasingly use password recovery tools to hack into personal online services accounts.
Studies have demonstrated that a large proportion of security questions can be guessed by acquaintances, those with access to personal pages on social networks, or people checking public records or making multiple guesses based on statistics.