Twitter users — especially those with desirable handles — risk having their accounts stolen, according to one recently hacked user who said that there's a fundamental vulnerability in the service's security system.
According to Daniel Dennis Jones, whose account, @blanket, was recently hijacked, Twitter's password-reset process allows hackers to attempt a more wide-ranging, brute-force approach to breaking into accounts than other services with more restrictive systems.
In a lengthy write-up of his recent experience, Jones said he discovered that Twitter limits log-in attempts by IP address rather than by account. A hacker who can use multiple IP addresses can therefore make many more tries at getting into an account than would be possible if Twitter locked down all access to the account after a set number of failed attempts, or if it employed two-factor authentication as Google does.
Jones' account hacker "used a program that repeatedly attempts to log in with common passwords", BuzzFeed reported in a story about his ordeal. "Most sites, including Twitter, flag or disable user accounts, or throw up a Captcha, after a certain number of failed log-in attempts. But whereas many services, including Gmail, limit log-in attempts on a per-account basis, Twitter apparently only prevents large numbers of log-in attempts from the same IP address."
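The difference between the two lockout keys is easy to see in a simulation. The following Python is an added example, not code from the article, Twitter, BuzzFeed or Jones: it models one throttle that counts failures per source IP and one that counts them per account, then runs the same rotating-IP, common-password attack against both. The threshold of five failures, the 100-word list, the victim handle and the 20 attacker addresses (from the reserved TEST-NET-3 range) are all constructed assumptions, not figures from the page.

```python
from collections import defaultdict

# Hypothetical lockout threshold; the article does not give Twitter's real number.
MAX_FAILURES = 5


class LoginThrottle:
    """Counts failed logins under a chosen key ("ip" or "account") and
    refuses further attempts once that key has reached MAX_FAILURES failures."""

    def __init__(self, key_by):
        if key_by not in ("ip", "account"):
            raise ValueError("key_by must be 'ip' or 'account'")
        self.key_by = key_by
        self.failures = defaultdict(int)

    def _key(self, account, ip):
        return ip if self.key_by == "ip" else account

    def attempt(self, account, ip, password, real_password):
        """Returns 'blocked', 'fail' or 'success'."""
        key = self._key(account, ip)
        if self.failures[key] >= MAX_FAILURES:
            return "blocked"        # refused before the password is even checked
        if password == real_password:
            self.failures[key] = 0  # a good login clears the counter
            return "success"
        self.failures[key] += 1
        return "fail"


def distributed_guess(throttle, account, real_password, wordlist, ips):
    """Attacker walks a wordlist against one account, rotating the source IP
    round-robin and discarding any IP that gets blocked. Returns
    (number of guesses the server actually evaluated, whether the password was found)."""
    usable = list(ips)
    evaluated = 0
    for i, guess in enumerate(wordlist):
        while usable:
            ip = usable[i % len(usable)]
            result = throttle.attempt(account, ip, guess, real_password)
            if result == "blocked":
                usable.remove(ip)   # that IP is burned, try the next one
                continue
            evaluated += 1
            if result == "success":
                return evaluated, True
            break                   # wrong guess, move on to the next word
        else:
            return evaluated, False  # every IP is locked out
    return evaluated, False


# Constructed data: a 100-word "common password" list with the victim's real
# password sitting at index 79, and 20 attacker-controlled IPs (TEST-NET-3).
WORDLIST = ["123456", "password", "qwerty", "letmein", "blanket"] + \
           [f"common{n:03d}" for n in range(95)]
REAL_PASSWORD = WORDLIST[79]
ATTACKER_IPS = [f"203.0.113.{n}" for n in range(1, 21)]


def compare_policies():
    """Runs the identical attack against a per-IP and a per-account throttle."""
    results = {}
    for policy in ("ip", "account"):
        throttle = LoginThrottle(policy)
        results[policy] = distributed_guess(
            throttle, "@victim", REAL_PASSWORD, WORDLIST, ATTACKER_IPS)
    return results


if __name__ == "__main__":
    for policy, (evaluated, cracked) in compare_policies().items():
        print(f"key by {policy:8s}: {evaluated:3d} guesses evaluated, cracked={cracked}")
```

With the per-IP key, each of the 20 addresses gets five free tries before it is blocked, so the attacker reaches the real password on the 80th guess without a single lockout; with the per-account key the account is closed after the fifth failure no matter which address the sixth guess comes from. A pure per-account lockout has its own cost, since anyone can then lock a victim out of their own account by deliberately failing five times, which is why production systems usually combine per-account and per-IP counters with time windows and an escalating CAPTCHA rather than relying on either key alone.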
Twitter did not immediately respond to CNET's request for comment.
As Jones related, he eventually discovered that @blanket, along with many other attractive Twitter handles, was being sold, often at a nominal cost, on a site called ForumKorner. After several attempts to get help from Twitter, however, he was able to get the account back, it seems, in one piece.