What happened with Twitter’s password vulnerability?

Kim Crawley
Cybersecurity journalist at Cylance, AlienVault, Tripwire, Venafi
May 3rd, 2018

Twitter announced that they discovered a vulnerability in how they store the passwords for all 330 million accounts, one of which is mine. It’s very likely that one of them is yours too: all Twitter accounts were affected.

Ironically, this glitch was discovered on World Password Day. Reality is stranger than fiction!

Twitter Chief Technology Officer Parag Agrawal made an announcement on Twitter’s blog. On a completely unrelated and egotistical note, it appears that I have more followers than Twitter’s CTO! As of this writing, I have 6,298 followers and Agrawal has 4,636. Anyway, here’s some of what Agrawal wrote:

“When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.

Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.

We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.

Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”

I initially learned the news from Brian Krebs’ tweet.

In honour of my much better known peer, I went to Krebs’ blog to see what he had to say about this.

“This may be much ado about nothing disclosed out of an abundance of caution, or further investigation may reveal different findings. It doesn’t matter for right now: If you’re a Twitter user and if you didn’t take my advice to go change your password yet, go do it now! That is, if you can.

Twitter.com seems responsive now, but for some period of time Thursday afternoon Twitter had problems displaying many Twitter profiles, or even its homepage…

If for some reason you can’t reach Twitter.com, try again soon. Put it on your to-do list or calendar for an hour from now. Seriously, do it now or very soon.

And please don’t use a password that you have used for any other account you use online, either in the past or in the present. A non-comprehensive list (note to self) of some password tips is here.

I have sent some more specific questions about this incident in to Twitter. More updates as available.”

Unlike Brian Krebs and many other people, I had no problems with changing my Twitter password yesterday, nor did I have any problems accessing any part of Twitter via the Twitter app on my Android phone, or on my desktop in my web browser. I suppose that’s just my stupid luck. Running and maintaining a massive social network across multiple datacentres like Twitter is a highly complex thing, and the more technically complex something is, the more likely things are to go wrong. I know for a fact that it was easier to produce the NES and SNES video games I played as a kid without noticeable bugs, whereas it’s impossible for 20+ GB PS4 and Xbox One games to be bug-free.

The risk in Twitter employees being able to see our passwords in plaintext for a period of time was relatively minor. But a rogue Twitter employee could still do a lot of harm with that information, and it’s a good idea for all of us to change our passwords. I made sure that my new Twitter password didn’t resemble my old Twitter password in any way.
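Here is the pattern Agrawal describes, a secret handed to a logger before it reaches the hash function, next to the fix and a check a defender can run over captured log output. This is an added illustration I wrote for this post, not Twitter’s code; it uses PBKDF2 from Python’s standard library in place of bcrypt (which the standard library lacks), and the user name and password values are constructed.

```python
import hashlib
import hmac
import io
import logging
import os

# Request fields that must never reach a log line, even in debug output.
SENSITIVE_FIELDS = {"password", "new_password", "token"}

def hash_password(password, salt=None):
    """Salted, slow hash of the password. PBKDF2 stands in for bcrypt here."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, _digest_hex = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def redact(fields):
    """Copy of the request that is safe to log: secrets are replaced, not echoed."""
    return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v) for k, v in fields.items()}

def change_password_buggy(fields, log):
    """The defect: the whole request is logged before hashing, plaintext included."""
    log.info("password change request: %r", fields)
    return hash_password(fields["new_password"])

def change_password_fixed(fields, log):
    """The fix: only a redacted view of the request is ever handed to the logger."""
    log.info("password change request: %r", redact(fields))
    return hash_password(fields["new_password"])

def make_memory_logger(name):
    """Logger that writes to an in-memory buffer so the output can be inspected."""
    stream = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(stream))
    return logger, stream

def log_leaks_secret(stream, secret):
    """Detection check: does the captured log text contain the plaintext secret?"""
    return secret in stream.getvalue()
```

The same `log_leaks_secret` check, run against real log files with the test credentials used in a staging environment, is a cheap way to catch this class of bug before it reaches production.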

Speaking of World Password Day and Twitter, I had a bit to say about it. Yes, on Twitter.

Yes, implementing DNA biometrics on our phones, with our PCs and servers, and in IoT devices can be very creepy, and abusing our DNA data can have terrible consequences. But if done right, it can be the future of everyday biometric authentication and superior to fingerprint scans in reliability. I’m not a geneticist, but I think identical twins and triplets may have identical DNA. And maybe full human cloning will become a thing at some point. Aside from the potential to abuse DNA data, those are some of the bugs to be worked out. But I for one welcome the opportunity to lick a part of my phone in lieu of entering a password. It’s not like I don’t (accidentally) lick my phone already. Then a second factor can be implemented with improved iris scanning. I think identical twins have slightly different iris patterns?

Anyway, passwords are crappy. People forget them. Blunders like Twitter’s happen. People make insecure passwords so they can remember them more easily. People also make passwords that are so difficult to crack that they easily lose them. Password managers solve some of these problems, but then there’s one point of attack to breach all the passwords you use.

The password is dead. Long live the password!
