So, this site was hacked.
Previously, you could enter the URL for anyone else’s report, & see it. These URLs weren’t public anywhere, & the backend was deliberately set up so you couldn’t just scan a directory & find them. I was aware of this, but figured the chance of randomly guessing another user’s name was low enough that it didn’t require immediate fixing. I was wrong.
What the hacker did was search for anyone who publicly mentioned The Twit Cleaner. That then gave him (because yes, I know exactly who did it) their usernames, & he could then see their report.
So, once he was viewing their report, he entered a rude message into the “Tweet my followers” box, & hit send.
That was the extent of it. Not very clever, mostly just annoying. At no point did he have access to any of our databases, your OAuth info, or any level of control over your account.
This affected around 1.6% of our customers, & the entire thing was over in 18 minutes (before I could figure out what was going on & shut down the right bits). I started by going to Twitter & killing our OAuth access, since I figured that was the most dangerous possibility – turned out it was much more trivial than that.
What damage was done
The worst affected were two close friends of the attacker (you know who you are). They got some very offensive messages posted on their accounts. Everyone else had a fairly innocuous message sent linking to another website (an innocent third party).
Why was this even possible
Ironically, the day the attack happened it was on my schedule to shut down that loophole altogether. Instead I spent a week cleaning up. There were two things I was going to do. One was to remove the option to manually enter a message on the report (because who wants to do that anyway?), two was to put security back in so you could only access your own reports.
Yep, that’s right, put the security back in. I’d had security in there a couple of weeks earlier addressing this very issue. However, in the first 6 hours it was in place, it managed to piss off 44 people, so I ripped it out again. I figured it was more important that people be able to easily see their reports, rather than just annoy people like crazy. I needed to think of a better way to implement the security, so I put it on the back burner while I worked on other things.
Obviously I made the wrong call.
What’s been done to stop this kind of thing happening again?
First, if you revoke access to The Twit Cleaner, you won’t be able to see your report. Yep, that’s kind of a pain for you – but it means that we know exactly who is looking at any given report. It means we can ensure that people only look at their own report. It also means that if any older accounts (e.g., ones that used The Twit Cleaner ages back, but have revoked access) get their accounts hacked, they won’t have access to the system at all. You’d be amazed how many Twitter accounts are no longer active & thus easy targets for hackers. A LOT.
Second. We store information locally tracking that you are who you say you are. Just something to make it harder for people to try and get around the system, & no, nothing personal or incriminating, just a marker.
Third. You must be signed into the specific user of the report you want to look at.
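To make the before/after concrete, here is an added example (my illustration, not The Twit Cleaner’s actual code) of the report handler as it was, next to one that enforces the three rules above. The names, the report data, the set of users who still have an OAuth grant, and the HMAC-based “marker” are all constructed assumptions: the post doesn’t say how the real marker works, only that it’s a non-personal token stored locally to tie a browser to a user.

```python
"""Added illustration of the report-access bug and the three fixes described
in the post. Not The Twit Cleaner's code; all data and names are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: report owner -> report contents.
REPORTS = {"alice": "alice's report", "bob": "bob's report"}

# Constructed: users whose OAuth grant to the app is still active.
# (bob has revoked access, so under rule 1 he can't view anything.)
OAUTH_AUTHORIZED = {"alice"}

# Assumed server-side secret used to mint the local "marker" (rule 2).
SERVER_KEY = secrets.token_bytes(32)


class Forbidden(Exception):
    """Raised when a request fails an authorization rule."""


@dataclass
class Session:
    """What the server knows about one browser: who it authenticated as
    with Twitter, and the marker it was issued at that time."""
    user: Optional[str] = None
    marker: Optional[str] = None


# --- Before: the report is looked up purely from the URL ---------------
def view_report_vulnerable(report_user: str, session: Session) -> str:
    # Nothing ties the viewer to the report: knowing a username is enough.
    # This is the hole the post describes (session is ignored entirely).
    return REPORTS[report_user]


# --- After: the three rules from the post ------------------------------
def issue_marker(user: str) -> str:
    """Mint the locally stored marker for a user. An HMAC over the username
    means a marker can't be forged or transplanted onto another user without
    the server key. (Assumed design; the post only says a marker is stored.)"""
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def login(user: str) -> Session:
    """Twitter sign-in completed for `user`; issue a session plus marker.
    Rule 1: a user who revoked app access never gets a session at all."""
    if user not in OAUTH_AUTHORIZED:
        raise Forbidden("app access revoked; re-authorize with Twitter")
    return Session(user=user, marker=issue_marker(user))


def view_report_hardened(report_user: str, session: Session) -> str:
    # Rule 1: the viewer must be signed in and still have an active grant.
    if session.user is None or session.user not in OAUTH_AUTHORIZED:
        raise Forbidden("not signed in or app access revoked")
    # Rule 2: the local marker must be the one we issued for this user.
    expected = issue_marker(session.user)
    if not session.marker or not hmac.compare_digest(session.marker, expected):
        raise Forbidden("marker mismatch")
    # Rule 3: you may only look at the report for the user you're signed in as.
    if session.user != report_user:
        raise Forbidden("may only view your own report")
    return REPORTS[report_user]


if __name__ == "__main__":
    # Old handler: an unauthenticated browser can read bob's report by name.
    print(view_report_vulnerable("bob", Session()))
    # New handler: alice sees her own report, but not bob's.
    alice = login("alice")
    print(view_report_hardened("alice", alice))
    try:
        view_report_hardened("bob", alice)
    except Forbidden as e:
        print("blocked:", e)
```

Note that none of the checks in `view_report_hardened` call out to Twitter: the grant status and the marker are verified locally, which is what lets the report stay viewable when Twitter itself is unreachable. The marker on its own is not the authorization decision; it only stops a session that claims to be one user from being reused as another.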
The trick with all these kinds of things is to make it so it’s not a massive pain in the ass to use.
I think I’ve achieved that. A common issue is that Twitter (or part of it) goes down, or is inaccessible. As much as possible, I’ve made it so you’ll still be able to securely see your report (or request one).
I’ve also tried to make as much of it invisible to you as possible. There’s a lot happening automatically in the background. If you clear cookies, or move to a new browser, you will need to re-authenticate with Twitter, but I’ve made this much simpler & cleaner than before. A new window pops up, you can watch it do its thing, then it goes away again. In most cases, you’ll click two buttons & be done. Very simple.
If (when?) Twitter dies, you’ll get a little message so you can just hit the button & try again.
Obviously this happening at all is. Ahh. Hmm. Significantly sub-optimal. I was hoping for a little more time before I needed to get super hardcore about security. Security is a multi-layered, complex thing. Big chunks had already been taken care of, but obviously not enough.
As I stated at the time, I’m extremely sorry to everyone that was hit by this hacker. All affected paying customers had their money refunded.
I also apologise for the time we’ve been offline – both to existing users wanting to see their reports, & new potential users.