What, did they use the same code as Github? https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/
Twitter: No big deal, but everyone needs to change their password
Twitter is ringing in World Password Day by notifying its users, all 330 million of them, that their login credentials were left unencrypted in an internal log file and should be changed. Chief technology officer Parag Agrawal broke the news on Wednesday that its internal team had found that, while passwords are usually stored …
COMMENTS
Thursday 3rd May 2018 22:27 GMT tfewster
Re: FTFY
"This string is a password, right, and we have to be really careful with them. We salt and encrypt them and store them in a protected file. Ooh, look, a new iPhone is out. So, to be sure our code is working, we'll log all keystrokes for debugging purposes. Don't forget to... Wow, retina display, 10Mp camera... "
Saturday 5th May 2018 11:04 GMT Anonymous Coward
Really the same bug?
Is it a reasonable assumption? Or are we left to make it in the hope there's no further questions?
The github bug was relatively short-lived but the Twitter bug blog post says nothing about the time-frame and tells everyone to change their passwords (and add an extra phone-pinging to their logging-in, a monetisable opportunity made promotable by this crisis).
Conspiracies aside, until we see confirmation we should not take it as given that it is the same bug just because they happen to use the same function somewhere in the chain that might have no relevance to it.
Thursday 3rd May 2018 21:18 GMT Pascal Monett
Indeed, Twitter is apparently upfront about the issue and that is something that must be commended.
The fact that it is an internal gaffe and (allegedly) no data was actually leaked is a Good Thing (TM). The fact that Twitter still came out with the issue, and the possible hit to its reputation, marks a company that is definitely not like many others.
So good on Twitter for doing the Right Thing (TM).
I'm still not getting a Twitter account, though.
Friday 4th May 2018 08:37 GMT Sheepykins
This is a good example of the new GDPR guidelines.
They didn't do this out of a misplaced sense of honour, they did it because they are obligated to report any infractions within 72 hours that could lead someone (even in house) to figuring out a person's identity.
Take the facebook employee recently sacked off for e-stalking women, he'd get access to their data then track them down through Tinder and other means.
Logging in to twitter gives location information, pictures, biographical info.
Friday 4th May 2018 08:08 GMT Doctor_Wibble
Re: Industry Standard
And note what else they have told us in the reassurances!
e.g. "no indications of anyone outside the company being able to even view the file" tells us nothing:
- as there was no indication of the logfile accidentally saving all these passwords completely by accident in the first place
- it could have been accessed by anyone inside the company any number of times
- how do they know, was access to the newly-discovered unknown file being logged somewhere?
Thursday 3rd May 2018 23:01 GMT Anonymous Coward
I had a Twitter account once
Occasionally I get the urge to comment on articles that use Twitter for the purpose, and try to create a new account, but I always get the "There is a problem with your account" banner, and when I try to verify my account they demand my mobile phone number.
Don't need two factor there.
Some little social tool like Twitter is not important enough for that piece of information.
So account creation fails.
Saturday 5th May 2018 16:34 GMT Anonymous Coward
Re: I had a Twitter account once
So does Facebook. It lets you create a new account without a phone number, but it forces you to add a phone number to log in on the second day. It basically holds your profile hostage until you add your phone number. You can't continue without giving away your number.
A very shady UI pattern that should be regulated by US, UK and EU lawmakers.
Though old accounts are handled differently: a 2006 account just shows a nag screen that has to be clicked away every fucking time.
Friday 4th May 2018 01:57 GMT Anonymous Coward
Ever Heard of Code Review, Coding Standards?
This is exactly the kind of foul up that can be found in code reviews. How about a simple source code search for the uses of variables with 'password' in the name? Uses in lines of code that also have the word 'log' in them ought to be worrisome.
Typical of today's coding ethos; write crap code, get away with it coz everyone else is writing crap code too. It's cheaper to apologise later than to do the job properly.
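A sketch of the search that comment suggests, added here as an illustration rather than anything posted in the thread: a line-oriented scan that flags every line calling a logging routine whose arguments mention a password-like identifier. The regexes, the sample source and the function name are constructed for this example; trailing comments are stripped first so a comment mentioning "password" does not trigger a hit.

```python
import re

# Identifiers that usually hold a credential: password, passwd or pwd with any prefix/suffix.
SECRET_NAME = re.compile(r"(?i)\b\w*(password|passwd|pwd)\w*\b")
# Calls that write somewhere a human or a log shipper will later read.
LOG_CALL = re.compile(r"(?i)\b(log(ger|ging)?(\.\w+)?|console\.\w+|print(ln|f)?|syslog)\s*\(")

# Constructed sample source (not real Twitter or GitHub code) with two leaks and one near miss.
SAMPLE_SOURCE = """\
def login(request):
    username = request.form["username"]
    password = request.form["password"]
    logger.debug("login attempt user=%s password=%s", username, password)  # leaks plaintext
    logger.info("login attempt user=%s", username)                         # fine
    password_hash = hash_password(password)
    log.info("stored hash for %s: %s", username, password_hash)            # hash in a log: still dubious
    print(request.form)                                                    # dumps whole form incl. password
    return verify(password_hash)
"""


def find_password_logging(source: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line that both calls a logging
    routine and names a password-like variable. Line numbers are 1-based."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Drop a trailing '#' comment so the word 'password' in a comment alone is not a hit.
        # (Naive: a '#' inside a string literal would also cut the line; good enough for a first pass.)
        code = line.split("#", 1)[0]
        if LOG_CALL.search(code) and SECRET_NAME.search(code):
            hits.append((lineno, line.rstrip()))
    return hits


if __name__ == "__main__":
    for lineno, text in find_password_logging(SAMPLE_SOURCE):
        print(f"line {lineno}: {text.strip()}")
```

On the sample this flags lines 4 and 7. Line 8, which logs the whole request form, is not caught because nothing on that line is named "password": a grep of this kind finds the obvious cases and is cheap enough to run in CI, but it does not replace a review of what structured dumps (request objects, environment maps, exception contexts) actually contain.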
Friday 4th May 2018 03:39 GMT J27
This is honestly ridiculous, this is one of the easiest things to do properly. It's a shame the public has such a low level of knowledge of basic programming techniques, because if they knew anything about this they'd realize that this is like handing their personal information over to the Bozo the Clown of the web.
This is the sort of mistake that would cause a first year comp-sci student to fail an assignment, not the sort of thing you expect to see in a multi-million dollar corporation's flagship product.
Friday 4th May 2018 06:18 GMT Nimby
(as a best practice you shouldn't be reusing passwords anyway)
I used to rail against the stupidity of this kind of statement. Over the years I have literally collected hundreds of registrations to different websites, services, etc. How can anyone sanely expect everyone in the world to be able to REMEMBER that many unique passwords?
But recently, I realized just how easy it actually is! The trick is not to generate that many fully unique passwords. Generate one part that you remember, and one unique part provided by the service. For example:
Twitter5ucks!
Github5ucks!
Facebook5ucks!
Apple5ucks!
Google5ucks!
With this simple technique you can have a safe (assuming they stored your password correctly) and unique password for every single one of your hundreds of accounts.
My only problem was at El Reg, where I had to actually invent a new password, because they don't suck. One out of hundreds. Not so bad.
Friday 4th May 2018 06:37 GMT Nifty
So all websites store your plaintext passwords for batch-hashing later on?
I'd always naively thought that passwords are hashed at the moment of creation, leaving no opportunity for them to be stored on a website or database unhashed. I thought that hashing & salting was a one-way process and the result is only usable for matching. Where was my naive assumption wrong?
Or: Due to a coding bug, a logfile was being written in plaintext of all passwords being created. And this logfile had been left running for years and years, long enough to acquire millions of plaintext passwords? Colour me skeptical.
Friday 4th May 2018 07:16 GMT sabroni
Re: So all websites store your plaintext passwords for batch-hashing later on?
The hashing runs on the server. You have to pass the password to the server for hashing. The alternative is to trust all the external devices to hash for you. You can't trust all the external devices.
That's about the size of it, afaik.
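To make the point in Nifty's question and sabroni's answer concrete, here is an added example (my own code, not anything from the thread or from Twitter): the plaintext password necessarily reaches the server, so the window for a leak is the handling between arrival and hashing. The server hashes it on receipt with a per-user random salt and a slow KDF, stores only salt and hash, compares in constant time, and routes anything destined for a log through a redaction step. Function names, the in-memory store and the KDF parameters are assumptions for the example; the iteration count is illustrative, not a production recommendation.

```python
import hashlib
import hmac
import logging
import os

PBKDF2_ITERATIONS = 200_000   # illustrative; tune to your hardware budget
SALT_BYTES = 16
REDACTED = "[REDACTED]"

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, deliberately slow. Only the output is ever persisted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def redact(payload: dict) -> dict:
    """Copy of a request payload with credential fields masked. Every log line
    that mentions a request goes through this, so the bug in the article cannot
    arise from a debug statement that dumps the whole payload."""
    return {k: (REDACTED if "password" in k.lower() else v) for k, v in payload.items()}


def register(store: dict, request: dict) -> None:
    """Hash immediately on arrival; the plaintext never leaves this function."""
    username = request["username"]
    salt = os.urandom(SALT_BYTES)
    store[username] = {"salt": salt, "hash": hash_password(request["password"], salt)}
    logging.info("registered user=%s payload=%s", username, redact(request))


def verify(store: dict, request: dict) -> bool:
    rec = store.get(request["username"])
    if rec is None:
        # Run the KDF anyway so an unknown username is not cheaper (and thus
        # detectable by timing) than a known one with a wrong password.
        hash_password(request["password"], b"\x00" * SALT_BYTES)
        logging.info("login failed user=%s (unknown)", request["username"])
        return False
    ok = hmac.compare_digest(hash_password(request["password"], rec["salt"]), rec["hash"])
    logging.info("login %s user=%s", "ok" if ok else "failed", request["username"])
    return ok


def stored_plaintext(store: dict, password: str) -> bool:
    """Audit helper: True if the raw password text appears anywhere in the store."""
    raw = password.encode("utf-8")
    return any(raw in value for rec in store.values() for value in rec.values())


if __name__ == "__main__":
    users = {}
    # Constructed sample credential, borrowed from the joke scheme earlier in the thread.
    signup = {"username": "alice", "password": "Twitter5ucks!"}
    register(users, signup)
    print("correct password accepted:", verify(users, signup))
    print("wrong password rejected:", not verify(users, {"username": "alice", "password": "wrong"}))
    print("plaintext in store:", stored_plaintext(users, signup["password"]))
```

The answer to the question in the comment is therefore "both": the password is hashed at creation and the stored value is only usable for matching, but the server has the plaintext in memory for the duration of the request, and any logging of the raw request during that window reproduces the Twitter and GitHub incidents exactly. Redacting at the logging boundary, rather than trusting every call site, is what closes that window.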