Well, this morning I woke up to a barrage of ‘Iz How?’ messages from my friends.
Rimbui, Msupa, Archer, Zack, Mumbi, Vuyanzi, Lisege etc were all in lamentation.
Seems that someone/something had gained access to my Twitter Account in the hours between 6am and 9am and was sending them ‘funny’ links.
We are not talking funny ha-ha here, but links with spam content, porn and Man U game highlights. The kind of things we ALL abhor. I was stuck between being embarrassed and impressed by the ‘hacker’. So I decided to investigate.
This article should actually be on TechMataa.com‘s Hacking and Security Section, but I will post it here, and there, later.
So, How can this happen?
When it comes to site accounts [gMail, Google, FaceBook, Twitter, Ngwati etc], there are three usual ways that your account gets used by someone else without your permission:
- Someone using an active session on a machine you have used but forgot to log out of, e.g. a cybercafe. This is the most common one, and the attacker never needs your password: the browser is already logged in.
- Someone guessing or sniffing your password. Guessing works wherever you are if the password is short or predictable (a name plus a few digits), or if you reused it on another site that got breached. Sniffing happens on shared networks [iHub, NaiLab, KICC]: without HTTPS, anyone on the same Wi-Fi can read your password as you log in and, worse, the session cookie your browser sends with every later request, which lets them use your account without ever learning the password.
- A 3rd-party site that you have allowed account access getting compromised. Such a site holds a token that lets it act as you within the permissions you granted, so whoever breaks into that site can post as YOU, again without your password.
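To make the sniffing point concrete, here is an added example (not code from the original post) that parses a request the way a passive sniffer on the same network would see it. The two HTTP requests are constructed samples: the host twitter.example, the cookie names and the form field names are hypothetical, and the third byte string is an opaque stand-in for a TLS record, not a real handshake. Over plain HTTP the parser recovers the password at login and the session cookie on every later request; over HTTPS it recovers nothing.

```python
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample (hypothetical host, cookie and field names): a login
# POST exactly as it travels over plain HTTP.
_LOGIN_BODY = (
    b"session%5Busername_or_email%5D=salim"
    b"&session%5Bpassword%5D=salim123"
    b"&commit=Sign+in"
)
PLAIN_HTTP_LOGIN = b"".join([
    b"POST /sessions HTTP/1.1\r\n",
    b"Host: twitter.example\r\n",
    b"Cookie: _twitter_sess=BAh7CSIKZmxhc2hJQzo; auth_token=abc123def456\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n",
    b"Content-Length: %d\r\n" % len(_LOGIN_BODY),
    b"\r\n",
    _LOGIN_BODY,
])

# Constructed sample: an ordinary page load after login. No password in it,
# but the session cookie is there, and that is all a hijacker needs.
PLAIN_HTTP_TIMELINE = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: twitter.example\r\n"
    b"Cookie: auth_token=abc123def456\r\n"
    b"\r\n"
)

# Constructed stand-in for what the same sniffer sees on an HTTPS connection:
# opaque bytes (not a real TLS record).
TLS_LOOKING_BYTES = b"\x16\x03\x03\x00\x40\xa7\x2f\xc1\x00\x9e\x81\xd3\x5b\xf0\x22\x8c"


def sniff_plaintext_request(raw: bytes) -> Optional[dict]:
    """Parse one HTTP/1.x request as a passive eavesdropper would.

    Returns the items an attacker gets for free over plain HTTP: session
    cookies, any Authorization header, and credential-looking form fields.
    Returns None when the bytes are not a readable HTTP request (e.g. TLS).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None                      # ciphertext or not HTTP at all
    if not version.startswith("HTTP/"):
        return None

    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()

    # Cookie header: "a=1; b=2" -> {"a": "1", "b": "2"}
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v

    # Form bodies: keep only fields that look like credentials.
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for k, vals in parse_qs(body.decode("latin-1")).items():
            if any(s in k.lower() for s in ("pass", "user", "email", "token")):
                form[k] = vals[0]

    return {
        "method": method,
        "target": target,
        "host": headers.get("host"),
        "cookies": cookies,
        "authorization": headers.get("authorization"),
        "form_credentials": form,
    }


if __name__ == "__main__":
    for sample in (PLAIN_HTTP_LOGIN, PLAIN_HTTP_TIMELINE, TLS_LOOKING_BYTES):
        print(sniff_plaintext_request(sample))
```

The second sample is the important one: after the login, the password is never sent again, but `auth_token` rides along on every request, so an attacker who logs every packet on the cybercafe Wi-Fi needs none of your credentials to become you. Only HTTPS on every request, not just on the login page, closes that.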
What twitter recommends:
Twitter has a support page for people whose account has been ‘hacked’. I won’t copy-paste here and try to sound all-knowing. Read from there and learn.
My additional thoughts:
- Services like Google and WordPress offer you a link to ‘Log Out All Sessions’, which revokes every session on the server side, even on machines you don’t/can’t access. Twitter does not, AFAIK. Always log out before leaving! Don’t allow public browsers to ‘Remember Password’.
- The fix for password sniffing is to use Twitter over HTTPS all the time, not only for the login page. Your session cookie travels with every request, so encrypting only the ‘important’ actions still leaves the cookie exposed to anyone on the same network. The extra cost of HTTPS is a little CPU time and one extra round trip per connection; it is not a reason to use it sparingly. If the site offers an ‘always use HTTPS’ setting, turn it on.
- Use a strong password. Yes, this was my mistake. We know this is ONLY twitter. Not your server, or email. But use a strong password. My old password had not been changed since 2009 and it was something like salim123. Very easy to guess and brute-force. I know. I am totally ashamed by this. Learn from my mistakes. Mixing in a special character, caps and numbers helps, but length and unpredictability matter more: a dictionary word with a few digits stuck on the end falls to a cracker in seconds whatever the character classes, so aim for 12+ characters that are not a word-plus-digits pattern, and don’t reuse the password on other sites. Examples like &mAdemw@Kenya! or #manUniM%sh0_ga show the shape, but anything that has been published, including these two, should be in nobody’s password.
- Allowing access to third-party sites is a good thing, as it saves you from having to log in every time you need to use their services. However, be careful who you allow! Don’t leave access in place indefinitely; occasionally go to the Twitter page for App permissions, see which apps you no longer need, and revoke their access.
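The ‘Log Out All Sessions’ point above is easy to implement once sessions live on the server, and it is worth seeing why. The following is an added example of a minimal account service written for this post; it is not Twitter’s, Google’s or WordPress’s code, and the class and method names are hypothetical. Each user carries a session generation counter; a cookie is honoured only while the generation stored with it matches the user’s current one, so revoking every session, including one left open in a cybercafe, is a single increment. A password change calls the same revocation, which is the caveat practitioners most often miss: changing the password alone does nothing to a hijacker who is already logged in.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    generation: int   # copy of the user's session generation at login time
    client: str       # free-text label for the browser, e.g. "cybercafe"
    issued_at: float


class AccountService:
    """Hypothetical minimal account service (example code, not any site's own).

    A session token is only honoured while its stored generation equals the
    user's current generation, so "log out all sessions" is one increment
    that invalidates every outstanding cookie, wherever it is.
    """

    PBKDF2_ROUNDS = 100_000

    def __init__(self) -> None:
        self._pw: Dict[str, tuple] = {}          # user -> (salt, pbkdf2 digest)
        self._gen: Dict[str, int] = {}           # user -> current generation
        self._sessions: Dict[str, Session] = {}  # token -> Session

    # --- passwords ----------------------------------------------------------
    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._pw[user] = (salt, self._hash(password, salt))
        self._gen[user] = 0

    def check_password(self, user: str, password: str) -> bool:
        if user not in self._pw:
            return False
        salt, digest = self._pw[user]
        return hmac.compare_digest(digest, self._hash(password, salt))

    # --- sessions -----------------------------------------------------------
    def login(self, user: str, password: str, client: str) -> Optional[str]:
        if not self.check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._sessions[token] = Session(user, self._gen[user], client, time.time())
        return token

    def whoami(self, token: Optional[str]) -> Optional[str]:
        """Return the user behind a cookie, or None if it is missing or revoked."""
        s = self._sessions.get(token) if token else None
        if s is None or s.generation != self._gen.get(s.user):
            return None
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)     # this browser only

    def logout_all(self, user: str) -> None:
        """The 'Log Out All Sessions' button: every session for user dies at once."""
        self._gen[user] += 1
        # Housekeeping: drop the records that can never validate again.
        self._sessions = {t: s for t, s in self._sessions.items()
                          if not (s.user == user and s.generation < self._gen[user])}

    def active_sessions(self, user: str) -> List[Session]:
        return [s for s in self._sessions.values()
                if s.user == user and s.generation == self._gen[user]]

    def change_password(self, user: str, old: str, new: str) -> bool:
        """A password change must also revoke sessions, or an attacker who is
        already logged in simply keeps using the account."""
        if not self.check_password(user, old):
            return False
        salt = os.urandom(16)
        self._pw[user] = (salt, self._hash(new, salt))
        self.logout_all(user)
        return True


if __name__ == "__main__":
    svc = AccountService()
    svc.register("salim", "correct horse battery staple")
    cafe = svc.login("salim", "correct horse battery staple", "cybercafe")
    # Forgot to log out; the next customer reuses the browser's cookie.
    print("hijacker sees:", svc.whoami(cafe))          # salim
    svc.logout_all("salim")                             # pressed from home
    print("hijacker sees:", svc.whoami(cafe))          # None
```

Twitter’s support page tells you to change the password; in a design like this that also evicts the hijacker, and if a site’s password change does not revoke sessions, a separate ‘log out everywhere’ control is the only way to do it remotely.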
Back to code…
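Since the strong-password point above was the real lesson, here is an added example (not code from the original post) that puts numbers on it. It contrasts the naive view, exhaustive search over the character classes present, with the two strategies a cracker actually tries first: a mask (lowercase run then digit run) and a wordlist with digits appended. The guessing rates, the wordlist size and the tiny sample word set are assumptions labelled in the code, not measurements.

```python
import re
import string

# Assumptions, not measurements: rates an attacker can plausibly manage.
ONLINE_RATE = 10.0            # guesses/s against a rate-limited login form
OFFLINE_RATE = 1e10           # guesses/s against a leaked, fast-hashed database on GPUs
WORDLIST_SIZE = 10_000_000    # assumed size of the attacker's wordlist

# Constructed sample standing in for that wordlist: membership here means
# "a real cracking wordlist would contain this word".
SAMPLE_WORDS = {"salim", "password", "kenya", "nairobi", "twitter", "football"}


def charset_size(pw: str) -> int:
    """Alphabet implied by the character classes present (the 'caps, numbers, symbols' view)."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def naive_guesses(pw: str) -> int:
    """Worst case for the attacker: exhaustive search over the observed alphabet."""
    return charset_size(pw) ** len(pw)


def smart_guesses(pw: str) -> int:
    """Best case for the attacker: the cheapest strategy a cracker would try first."""
    candidates = [naive_guesses(pw)]
    m = re.fullmatch(r"([a-z]+)(\d+)", pw)
    if m:
        word, digits = m.group(1), m.group(2)
        # Mask attack: lowercase run then digit run (?l?l?l?l?l?d?d?d for salim123).
        candidates.append(26 ** len(word) * 10 ** len(digits))
        if word in SAMPLE_WORDS:
            # Wordlist + "append digits" rule: every listed word times every digit suffix.
            candidates.append(WORDLIST_SIZE * 10 ** len(digits))
    return min(candidates)


def seconds_to_crack(pw: str, rate: float) -> float:
    """Expected time: on average the attacker hits the password halfway through the space."""
    return smart_guesses(pw) / rate / 2


def report(pw: str) -> dict:
    return {
        "password": pw,
        "charset": charset_size(pw),
        "naive_guesses": naive_guesses(pw),
        "smart_guesses": smart_guesses(pw),
        "online_years": seconds_to_crack(pw, ONLINE_RATE) / (365 * 86400),
        "offline_seconds": seconds_to_crack(pw, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for pw in ("salim123", "&mAdemw@Kenya!", "#manUniM%sh0_ga"):
        print(report(pw))
```

Two things the output shows that the bullet alone does not. First, salim123 looks like 36^8 (about 2.8 trillion) guesses on the class-counting view, but a mask or a wordlist-plus-digits rule covers it in roughly 10 billion, which at the assumed offline rate is under a second. Second, at the assumed online rate even salim123 takes years to brute-force through the login form, so the practical danger for a weak password is a leaked hash cracked offline, reuse on a site that gets breached, or someone who knows you guessing it in a handful of tries.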