Using “googol” in a sentence

An email went around the Engineering department at work discussing security and keyed hashes. We take security seriously, but that doesn’t mean we can’t joke around. A VP responded to the security email by suggesting we could prevent the vulnerability outlined in the referenced article by disabling logins for accounts that have more than 1 trillion login failures.

Being the contrarian that I am, I had to throw in my two cents about his proposed solution:

It’s frustrating when you try to log in a trillion times, can’t remember your password, get locked out, and then have to contact support to get your account unlocked.

The number of login attempts should definitely be set to a more reasonable number, like a googol. If I can’t guess my password in 10,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 attempts, I’ll probably break down and contact support.

I thought it was worth sharing because it’s not every day I get a chance to use googol in a sentence.

Twitter Security Issue

UPDATE: The primary issue described in this post has been fixed. You can now only change your email address after entering your password.

I recently discovered a serious security issue on Twitter. Let me tell you the story.

Taking over an account

Someone started a Twitter account with the sole purpose of mocking me. It took me quite a while to find out who it was. Since practically everyone enjoys a good joke at my expense, the suspect list was quite long. But finally, I received information from a good Samaritan who did some investigating that was out of my reach.

I confronted the individual, a friend of mine, and asked him to turn over the account that was tarnishing my reputation (many people thought I was behind the account, leading them to believe I was pretentious and egotistical). After a few hours of instant messaging and agreeing to some terms (such as anonymity), he gave me access to the account. Upon logging in, I immediately changed the password, logged out, and logged in with the new password to make sure it took.

A day or two later, the user popped up on my radar again by mentioning my name in a tweet.

How did he get access to the account?

My first thought: I’m an idiot! I forgot to change the email address in the account settings! If my friend went through the password reset steps, he could easily regain control of the account. I tried logging in with the password I had recently set, and it worked. I changed the email address and changed the password again. Then I contacted my friend about it, admitting my idiocy regarding the email settings. He said he hadn’t thought to go through the “Forgot password?” steps.

Then how did he get back in?!

He told me he had left his browser window open. The morning after yielding control of the account, he went back to the browser and it still worked!

This is where it gets SERIOUS

Let’s imagine, hypothetically, that you give your password to a 3rd party application. If the application’s owner uses that password once and saves the session cookie, they can store the session cookie and re-create it at any time in the future even if you change your password (There are even browser plug-ins that allow you to read and write cookies).

This means they can get back into your account whenever they want, indefinitely. They can post tweets, read your DMs, follow other users on your behalf, etc.

What’s worse, they can lock YOU out of YOUR ACCOUNT!

Even if you type in your password every time you go to Twitter.com (and even if your browser only “remembers” it for you), an attacker holding a saved session cookie can take complete control of your account; the “remember me” checkbox simply gives you the same permanent access that the attacker already enjoys. So how can they take over your account? You can change your email address without typing your password! If an attacker is in your account, changing your password won’t stop them from kicking you out. They can change the email to their own address, log out, and request a password reset from Twitter. Twitter sends the reset email to their address, and they click the link to set a new password.

How to stay safe

As far as I know, there is nothing you can do to prevent this from happening to you, aside from never giving anyone or any application your password.

Twitter needs to use a smarter session cookie that is in some way linked to the user’s password, or provide another way of killing all other sessions when you log out. Twitter should also consider using per-user API keys for users to give to 3rd party applications, instead of authenticating with your password.
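The two fixes proposed above (a session cookie bound to the password, and a password check before an email change) are easy to see in code. The following is an added example written for this post, not Twitter’s code: the `Account` and `SessionStore` classes, the `credential_version` counter and the `demo()` replay of the story are all constructed for illustration. Each session token records the account’s credential version at login; changing the password bumps the version, so every outstanding cookie (including the one in a friend’s still-open browser) stops resolving. Running `demo(bind_to_credentials=False)` reproduces the behaviour described in the post, where a stale session survives a password change.

```python
import hashlib
import hmac
import secrets


class Account:
    """Constructed account record: salted PBKDF2 password hash plus a
    credential_version that changes whenever the password does."""

    def __init__(self, username, password, email):
        self.username = username
        self.email = email
        self.credential_version = 0
        self._set_password(password)

    def _set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password):
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.password_hash)


class SessionStore:
    """Server-side session table: token -> (username, credential_version).

    bind_to_credentials=True is the hardened design from the post; False
    reproduces the weak behaviour where a cookie outlives a password change."""

    def __init__(self, bind_to_credentials=True):
        self.bind_to_credentials = bind_to_credentials
        self._sessions = {}

    def login(self, account, password):
        if not account.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (account.username, account.credential_version)
        return token

    def resolve(self, token, accounts):
        """Return the account for a cookie, or None if it is unknown or stale."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, version = entry
        account = accounts.get(username)
        if account is None:
            return None
        if self.bind_to_credentials and account.credential_version != version:
            # Issued before the last password change: reject and forget it.
            self._sessions.pop(token, None)
            return None
        return account

    def change_password(self, token, accounts, new_password):
        account = self.resolve(token, accounts)
        if account is None:
            return False
        account._set_password(new_password)
        account.credential_version += 1  # invalidates every session, this one included
        return True

    def change_email(self, token, accounts, current_password, new_email):
        # A live session alone is not enough: the current password is required.
        account = self.resolve(token, accounts)
        if account is None or not account.check_password(current_password):
            return False
        account.email = new_email
        return True


def demo(bind_to_credentials=True):
    """Replay the handover from the post with constructed sample data."""
    accounts = {"parody": Account("parody", "old-password", "friend@example.invalid")}
    owner = accounts["parody"]
    store = SessionStore(bind_to_credentials)

    friend_token = store.login(owner, "old-password")  # friend's still-open browser
    owner_token = store.login(owner, "old-password")   # owner logs in after the handover
    if not store.change_password(owner_token, accounts, "new-password"):
        raise RuntimeError("password change should succeed from a live session")

    friend_still_in = store.resolve(friend_token, accounts) is not None
    owner_token = store.login(owner, "new-password")   # owner logs back in, as in the post
    without_pw = store.change_email(owner_token, accounts, "wrong-guess", "owner@example.invalid")
    with_pw = store.change_email(owner_token, accounts, "new-password", "owner@example.invalid")
    return {"friend_still_in": friend_still_in,
            "email_changed_without_password": without_pw,
            "email_changed_with_password": with_pw}


if __name__ == "__main__":
    print("hardened:", demo(True))
    print("weak:    ", demo(False))
```

The version counter also gives the second mitigation for free: a “log out everywhere” button is just `credential_version += 1` without touching the password. Note that the counter must live server-side; a cookie that merely embeds a hash of the password would still need the server to compare it against the current hash on every request.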