The Hacker News — Cyber Security, Hacking, Technology News

Twitter is urging all of its 330 million users to change their passwords after a software glitch unintentionally exposed its users' passwords by storing them in readable text on its internal computer system.

The social media network disclosed the issue in an official blog post and a series of tweets from Twitter Support.

According to Twitter CTO Parag Agrawal, Twitter hashes passwords using a popular function known as bcrypt, which replaces an actual password with a random set of numbers and letters and then stored it in its systems.

This allows the company to validate users' credentials without revealing their actual passwords, while also masking them in a way that not even Twitter employees can see them.
However, a software bug resulted in passwords being written to an internal log before completing the hashing process—meaning that the passwords were left exposed on the company's internal system.

Parag said Twitter had found and resolved the problem itself, and an internal investigation had found no indication of breach or passwords being stolen or misused by insiders.

"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," Parag said.

"We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."

Still, the company urged all of its 363 Million users to consider changing their passwords to be on a safer side.

How to Reset Twitter Password

In order to change your password on Twitter, click on your Profile Picture icon given in the top-right corner, then go to Settings and Privacy → Password. Now, type your current password, and enter a new one, and try keeping it stronger.

For the Twitter app for iOS and Android, click on your Profile Picture icon in the top-left corner, and then go to Settings and Privacy → Account → Change Password ("Password" on Android), and create a new, stronger password.

You should also change the password on all other services where you have used the same password.

You are also advised to enable two-factor authentication service on Twitter, which adds an extra layer of security to your account and help prevent your account from being hijacked.

Facebook, Instagram, Twitter, VK, Google's Picasa and Youtube were handing over user data access to a Chicago-based Startup — the developer of a social media monitoring tool — which then sold this data to law enforcement agencies for surveillance purposes, the ACLU disclosed Tuesday.

Government records obtained by the American Civil Liberties Union (ACLU) revealed that the big technology corporations gave "special access" to Geofeedia.

Geofeedia is a controversial social media monitoring tool that pulls social media feeds via APIs and other means of access and then makes it searchable and accessible to its clients, who can search by location or keyword to quickly find recently posted and publicly available contents.

The company has marketed its services to 500 law enforcement and public safety agencies as a tool to track racial protests in Ferguson, Missouri, involving the 2014 police shooting death of Mike Brown.

With the help of a public records request, the civil rights group found that Geofeedia had entered into agreements with Twitter, Facebook, and Instagram for their users' data, gaining a developer-level access to all three social networks that allowed them to review streams of user content in ways that regular users of the public cannot.

The Denver Police Department recently signed a $30,000 annual deal with Geofeedia.

Here's what the major tech giants offered Geofeedia:

• Facebook allowed the company to use its "Topic Feed API" that let Geofeedia obtain a "ranked feed of public posts" centered around specific hashtags, places or events.
• Instagram provided Geofeedia access to its API (Application Programming Interface) that is a feed of data from users' public Instagram posts, including their location.
• Twitter provided Geofeedia with "searchable access" to its database of public tweets. However, Twitter added additional contract terms in February to try to safeguard further against surveillance, and when found Geofeedia still touting its product as a tool to monitor protests, Twitter sent Geofeedia a cease and desist letter.

Facebook, Instagram, and Twitter have all moved to restrict access to Geofeedia after learning about the tool's activities when presented with the study's findings.

The ACLU is concerned that Geofeedia can "disproportionately impact communities of color" by monitoring activists and their neighborhoods.

Nicole Ozer, technology, and civil liberties policy director for the ACLU of California said: "These special data deals were allowing the police to sneak in through a side door and use these powerful platforms to track protesters."

However, in response to the ACLU report, Geofeedia posted Tuesday an article justifying its commitment to Freedom of Speech and Civil Liberties, releasing the following statement:

"Geofeedia has in place clear policies and guidelines to prevent the inappropriate use of our software; these include protections related to free speech and ensuring that end-users do not seek to inappropriately identify individuals based on race, ethnicity, religious, sexual orientation or political beliefs, among other factors."

Facebook said in a statement that Geofeedia only had access to publically available data, while Twitter said it was suspending access shortly.

The ACLU is encouraging social media companies to adopt clear, public, and transparent policies prohibiting developers from exploiting user data for surveillance purposes.

Guess What? Someone just downloaded Twitter’s Vine complete source code.

Vine is a short-form video sharing service where people can share 6-second-long looping video clips. Twitter acquired the service in October 2012.

Indian Bug bounty hunter Avinash discovered a loophole in Vine that allowed him to download a Docker image containing complete source code of Vine without any hassle.

Launched in June 2014, Docker is a new open-source container technology that makes it possible to get more apps running on the same old servers and also very easy to package and ship programs. Nowadays, companies are adopting Docker at a remarkable rate.

However, the Docker images used by the Vine, which was supposed to be private, but actually was available publically online.

While searching for the vulnerabilities in Vine, Avinash used Censys.io – an all new Hacker’s Search Engine similar to Shodan – that daily scans the whole Internet for all the vulnerable devices.

Using Censys, Avinash found over 80 docker images, but he specifically downloaded 'vinewww', due to the fact that the naming convention of this image resembles www folder, which is generally used for the website on a web server.

After the download was complete, he ran the docker image vinewww, and Bingo!
The bug hunter was able to see the entire source code of Vine, its API keys as well as third-party keys and secrets. "Even running the image without any parameter, was letting me host a replica of VINE locally," He wrote.

The 23-year-old reported this blunder and demonstrated full exploitation to Twitter on 31 March and the company rewarded him with $10,080 Bounty award and fixed the issue within 5 minutes.

Avinash has been an active bug bounty hunter since 2015 and until now has reported 19 vulnerabilities to Twitter.

Snowden's Twitter bio reads, "I used to work for the government. Now I work for the public. Director at @FreedomofPress."

He writes, "@neiltyson Thanks for the welcome. And now we've got water on Mars! Do you think they check passports at the border? Asking for a friend."

But, What exactly Diffy is?

"The premise for Diffy is that if two implementations of the service return 'similar' responses for a sufficiently large and diverse set of requests, then [both the] implementations can be treated as equivalent, and the newer implementation is regression-free," said Puneet Khanduri, a member of Twitter's tools and frameworks team.

"[Facebook] just passed an important milestone," Zuckerberg wrote in a Facebook post on Thursday. "For the first time ever, one billion people used Facebook in a single day."

Feeling Connected Indeed!

In the Security and Privacy section of its support site, Twitter says that it will be "collecting and occasionally updating the list of apps installed on your mobile device so we can deliver tailored content that you might be interested in."

• For iOS device users, disable this through setting -> account -> privacy -> "Tailor Twitter based on my apps."
• For Android users, settings -> account -> other -> "Tailor Twitter based on my apps."

• MoPub – It is a mobile advertising platform bought by Twitter for $350m last year. It will help developers monetise their products on the Twitter platform.
• Crashlytics – Crash reporting service, Crashlytics, bought by Twitter for $100m in 2013, will help developers test and build their apps as well as debug them.
• TwitterKit – It enables apps to integrate into Twitter for streamlining real-time information. For example, the popular transport app Citymapper will now Tweet live updates from San Francisco’s Bart train system to users. TwitterKit allows developers to embed Tweets natively, as well as allows users to log into apps via Twitter.

"Fabric was built with ease of use in mind," Twitter's director of product, Jeff Seibert, wrote in a blog post. "Installation takes just minutes, and most features only require a few lines of code—so you spend less time managing SDKs and more time building the best experience for your users."

“Twitter and so on, we will root them out. The international community can say this or that – I don’t care. They will see the power of the Turkish Republic.”

CompTIA, a global provider of vendor-neutral IT certifications, offers a wide range of popular certifications such as A+, Network+, Cloud+, Linux+, and Security+ certifications [...]

"Since mid-January, we have been protecting your emails from Twitter using TLS in the form of StartTLS. StartTLS encrypts emails as they transit between sender and receiver and is designed to prevent snooping. It also ensures that emails you receive from Twitter haven’t been read by other parties on the way to your inbox if your email provider supports TLS."

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

We recommend you to:

1. DO not click the link.
2. DELETE that message
3. ONCE REVIEW all the application you have allowed in your twitter profile, Here.
4. REVOKE access of the suspicious applications immediate.