We’ve received multiple tips right around 10 pm that Twitter was hacked and defaced with the message below. The site is currently offline. We’re looking into this and waiting on a response from Twitter.
The message reads:
Iranian Cyber Army
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Update: – We have just found out that the same defacement is appearing at at least one other site, mawjcamp.org. We are not able to see what was at this domain before, but it is now displaying the same defacement that Twitter was only a few minutes ago.
Twitter does not have the best record with security issues.
Update 2.: Twitter.com is down, status.twitter.com is down (not useful, perhaps they should host it at blogger).
Update 3.: It is suggested that if you use the same password on your Twitter account with other accounts, now would be a good time to change your password on those other accounts.
Update 4.: There is a history between Iran and Twitter.
Update 5.: There is speculation at the moment that this may be a DNS redirect, which means that the Twitter.com domain has been redirected to the defacement page.
Complete and for updates, go to http://www.techcrunch.com/2009/12/17/twitter-reportedly-hacked-by-iranian-cyber-army/
From Twitter status:
Working on site outage 1 hour ago
We are working to recovery from an unplanned downtime and will update more as we learn the cause of this outage.
Update (11:28p): Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.
Known issues: timeline delays and missing tweets. Retweet back up. 14 hours ago
We are aware of and investigating the causes of timeline delays and missing tweets. Retweet is back up and fully functional.
Dec 14th Mon
SMS service temporarily unavailable, we are working on the problem 3 days ago
Posting tweets via SMS is currently unavailable. Some tweets are also not being delivered via text (the outbound service). We are actively working on the underlying cause of both problems and hope to restore service soon.
Update (12/14 6:30pm). The issue has been resolved.
From Twitter Blog:
As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.
Twitter (not) hacked by Iranian Cyber Army
The initial attack has left many users confused and widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says
"As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully."
This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company, the attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.
These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. This attack is called Pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.