Here’s how the current security ecosystem works: benevolent or malevolent security experts find a vulnerability, the tech press covers it, users get upset, and the vulnerability is patched quickly. Today, a key Twitter vulnerability has been made public, and we’d sure like to see it fixed. John Herrman over at Buzzfeed details the seedy underbelly of the internet where Twitter handles are stolen and sold, often for under $100. The scariest part? These Twitter handles are being hijacked with the most basic hacker technique: brute-forcing the password on Twitter’s own public site.
Hackers who want an “OG” (single-word, desirable) Twitter handle only need to appear to be trying to log in from different IP addresses. Most websites use CAPTCHAs to stop repeated login attempts, but Twitter only blocks large numbers of login attempts coming from the same IP address. It’s easy to route traffic so it looks like it’s coming from a different computer, and that’s the approach these Twitter hackers use. Of course, when resisting a brute-force attack, it helps if you’ve got a secure, uncommon password that’s reasonably long. If you’ve got a great Twitter handle, you should be using a secure password.
Take a look at the whole story over at Buzzfeed.