
I'm doing a security investigation for a friend of mine, working a bit of a Sherlock Holmes here... Trying to figure out a possible hack scenario for the following:

  1. My friend receives a "screw you and your Twitter profile" message on a vBulletin-powered message board, where no one knows who she is.
  2. After a while she notices someone changed her profile picture on Twitter.

The message board does not use any Twitter OAuth-connected accounts or anything similar; her forum username was some unreal "abracadabra" nonsense name, which is not personally identifiable. Her forum profile is empty. The only real thing in the profile was her email.

The only possible scenario that comes to my mind is:

  1. Someone used an exploit on vBulletin to get her real email address or otherwise accessed her account (via brute force, etc.)
  2. Figured out her Twitter account by email address (for instance, by generating a Gravatar picture out of the email and then performing a Google search "by image")
  3. Used some well-known (in the underground circles) exploit for some Twitter "app" she had connected in her account.

Do you see any other possibilities?

PS. Too bad Twitter has no login audit...

PPS. I'm not searching for instructions "how can you hack someone's Twitter"; I'm trying to find out (based on the scenario) how we can secure her other data (if he hacked Twitter, who knows what else can be compromised).

PPPS. Some background info about the person to rule out the obvious: she's a software engineer and CEO of a small software shop, not your average "Nancy homemaker"; she's on a Mac (not Windows), uses 2-factor on most accounts (Gmail, Amazon AWS etc., but not Twitter), uses a pwd manager with 2-factor. Her forum pwd was really weak (6 letters); her Twitter pwd was kinda strong.

Serge Shultz
  • Either that or a real life friend is playing a prank – KingJohnno May 26 '15 at 21:32
  • @KingJohnno Nope, definitely not a friend. Also, a real life friend who knows her password?? She's a CEO of a big software company BTW, former software engineer, not your average forum kiddo – Serge Shultz May 26 '15 at 21:35
  • "When you see hoof prints, think 'horses' not 'zebras'." The message on the bulletin board likely came after the attacker had access to her accounts. Don't look at Twitter - look at her email account. – schroeder May 26 '15 at 22:07
  • Your questions are all over the map. First, "Am I missing something?" referring to figuring out *how* the hack was pulled off, then you ask how to secure her other data and next steps. In your comment to LvB's answer, you are actually not looking to secure her Twitter, but wondering what other info can be compromised by a hacker that got into her Twitter and knows her email. Can you please state as clearly as possible what you are trying to accomplish? We've already got two answers about how to secure her Twitter, so we're unclear. – armani May 26 '15 at 22:11
  • @armani funny how everyone is answering questions in the "PS" section, overlooking the core point. Ok, sorry guys, I might be a bit stressed investigating this. Rephrased the question. I'm trying to reverse-engineer the attack (to see the risks/damage) – Serge Shultz May 26 '15 at 22:26
  • @SergeShultz what if the attacker gained access to her email account *first*, and discovered the message board and the Twitter account details from there? I think you may be making a large assumption as to the sequence of attacks. As we do not have any hard details, we too have to make assumptions, making this question impossible to answer definitively. – schroeder May 26 '15 at 22:33
  • @schroeder ruled this out since her email uses 2-step auth (Gmail) – Serge Shultz May 26 '15 at 22:34
  • I would double check that, especially since Google does offer a login audit option. – LvB May 26 '15 at 22:35
  • Btw are we right in assuming there is no password reuse anywhere with her accounts? – LvB May 26 '15 at 22:36
  • And she only has that one email account? Nothing linked to her iCloud, etc.? There are simply too many vectors to consider. – schroeder May 26 '15 at 22:36
  • @LvB I did, also reviewed the Gmail login log, nothing suspicious. I've been working on this for the last 10 hours now, tried many options; the reason I posted here is because I'm out of ideas. Thanks everyone for trying to help. – Serge Shultz May 26 '15 at 22:37
  • Is there a password manager she uses that could have been "stolen"? – LvB May 26 '15 at 22:41
  • Have you checked her system? It is very possible that an XSS attack hijacked the session or possibly got root on her system. Otherwise, this makes me think of this guy: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ and also this: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/ – Someone.Else May 26 '15 at 23:21
  • Thanks everyone for your input, some valuable stuff in the comments; they gave me some ideas. I've added some background info to the question, also upvoted the answers, and will let it hang here for a while, then mark one as accepted if no other answers are added. – Serge Shultz May 27 '15 at 07:04

1 Answer

I do not know of a way to retrieve who did this short of asking Twitter. As to prevention, depending on availability you could tell your friend to enable 2-factor authentication. This will make any login attempt more noticeable due to getting an SMS.

More about security on Twitter can be found in the Twitter Security Center.


We can only guess what happened without Twitter's assistance. But a short list of possible attack vectors is:

  • session hijacking / stealing
  • password / account guessing
  • XSS attack

Most likely, if she used a link on the forum, it was an XSS injection through a remote script.

Session hijacking or stealing is likely if the forum itself was compromised (and malicious scripts were added to the pages to enable this).

Password / account guessing is most likely in the other cases. (This includes brute force.)

LvB
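As an added, stand-alone check for the "forum itself was compromised and malicious scripts were added to the pages" vector in the answer above (this is example code, not from the question or the answer): a small Python scanner that parses a saved copy of a forum page, lists every script loaded from a host outside an allowlist, and flags inline scripts that read `document.cookie`. The trusted host names, the `.invalid` attacker host and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the forum legitimately loads scripts from (placeholder names).
TRUSTED_HOSTS = {"forum.example.org", "cdn.example.org"}

class ScriptCollector(HTMLParser):
    # Collects <script src=...> URLs and the bodies of inline <script> blocks.
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

def find_suspicious_scripts(html, trusted_hosts=TRUSTED_HOSTS):
    """Return (kind, detail) findings: scripts loaded from hosts outside the allowlist,
    and inline scripts that read document.cookie (a common sign of session-cookie theft).
    Relative URLs (no host) are treated as same-origin and therefore trusted."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative URLs such as /clientscript/x.js
        if host is not None and host.lower() not in trusted_hosts:
            findings.append(("external-script", src))
    for body in parser.inline:
        if "document.cookie" in body:
            findings.append(("inline-cookie-access", body[:80]))
    return findings

# Constructed sample page with one injected remote script and one injected inline
# script; the attacker host is a reserved ".invalid" placeholder, not a real indicator.
SAMPLE_PAGE = """<html><head>
<script src="/clientscript/vbulletin_global.js"></script>
<script src="https://cdn.example.org/jquery.js"></script>
<script src="//static.attacker-placeholder.invalid/t.js"></script>
</head><body><p>forum content</p>
<script>var c = document.cookie; /* injected: reads the session cookie */</script>
</body></html>"""
```

Run it over a page saved with "view source" (not after the browser has executed scripts) so that injected `<script>` tags appear as served; a hit on either finding is a reason to treat the forum session as stolen and rotate the Twitter password and app authorizations.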