Michael Jay Lissnerhttps://michaeljaylissner.com/2009-10-02T20:37:12-07:00Google Resonds to the Twitter Attack2009-10-02T20:37:12-07:00Mike Lissnertag:michaeljaylissner.com,2009-10-02:posts/2009/10/02/google-responds-to-the-twitter-attack/<p>A few months ago, Twitter was hacked by means of a <a href="http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/">clever,
yet somewhat obvious approach</a>. Today, I saw the following alert on my Gmail
account, ensuring that this security vulnerability is fixed. I’m often
impressed by Gmail, but this is great to see:</p>
<blockquote>
<p>Hey, this is important: If you ever lose access to your account,
you can send password reset info to [myemailaddress@michaeljaylissner.com].
This address is correct | Update this address</p>
</blockquote>
<p>What happened in the case of Twitter was that a hacker did the following:</p>
<ul>
<li>Figured out the Gmail address of a Twitter employee</li>
<li>Went to <a href="https://www.google.com/accounts/ForgotPasswd?service=mail&fpOnly=1">Gmail’s password reminder</a>, and requested a reminder</li>
<li>This informed the hacker that an email reminder was sent to a specific
Hotmail address</li>
<li><strong>That Hotmail address had been automatically closed due to disuse</strong></li>
<li>The hacker set up that email account, since it was now available</li>
<li>The hacker then requested another password reminder, which summarily sent an
email to his new Hotmail account</li>
<li>This gave the hacker complete access to the Twitter employee’s gmail
account (and thus a lot of other stuff)</li>
</ul>
<p>The new alert that Gmail is now popping up should serve the function of
updating this, and, if done correctly, should fix this problem permanently.
Well done Gmail.</p>