onelittlewindow

So, here’s an interesting tidbit for all you aspiring Twitter hackers . . .

As some of you may know, the OWASP DC Chapter just announced that the US AppSec for 2009 will be hosted in Washington DC this coming November.

In preparation for this, I had registered a twitter account, @AppSecDC the day before on the 21st.

All seemed well, but as I was waiting to make the announcement, and wanted the account to remain “invisible” from the twitter stream, I didn’t make any tweets on it. I did however enter the account information into several different twitter clients on several machines without issue.

After the OWASP meeting this evening, I went to send out the inaugural tweet from the new appsec account — only to be told by Tweetie (a Twitter client app for the uninitiated) that it couldn’t authenticate the account. When I tried through the web, I got a message that the account was locked out. I decided this was curious, but not initially suspicious, as if I had typed it into my Twitter client wrong and it had been sitting there all meeting long trying to update, it might not be surprising if it had gotten locked out. I made the call that I would investigate when I got home.

Upon getting home, I was fairly surprised to see that I still couldn’t log in. At this point, I started getting a tad suspicious. Could Mikeyy or his ilk have figured out a clever way to hack my account . . . before it had ever done anything? Being in AppSec unfortunately can make everything you do a target to some folks. Looking up the account, I was surprised to see that the handle displayed was now different! I know that you can change the handle on an account, but the change seemed . . . well . . . very unhackerly. Who was going to hack our account and change the “real  name” to “Nancy?”

However, it did appear that for whatever reason, @AppSecDC was now coming up as @iwantsamoa. Trying a password reset didn’t work, implying that the email address in the user profile had been modified as well.

(more…)