Wednesday, January 07, 2009

Twitter: security that leaves you twitchy

There have been several reports of the hacking of Twitter accounts belonging to famous people. Britney Spears' account was left with a message saying "Hi Yall. Brit Brit here, just wanted to update you all on the size of my vagina. It's four feet tall and has razor sharp teeth;" CNN newsreader Rick Sanchez had a post saying that he was high on crack and not going to work; and the Fox News Twitter site had a new post simply claiming that newsreader Bill O'Reilly was gay. The hackers even gained control of the account of the First Twitterer-to-be and posted a message on President-elect Obama's site asking readers to click through to a new website to take an Obama survey.
The hack originated with a hacker known as GMZ, who used an automatic password generator (Twitter allows unlimited log-on attempts) to get into the account of a staff member called Crystal. The hacker thought that the account belonged to somebody famous, but then found that the employee (whose password was Happiness) had access to all profiles and passwords, so he changed the passwords of 33 accounts and handed them to members of the hacking forum Digital Gangster, who took over the sites.
While no real damage was done, the issue could have been more serious and is not to be taken lightly, bearing in mind that Twitter was recently hit by a phishing scam too, especially as there could be several routes making Twitter liable in case of damages. The problem for Twitter is that it seems not to be following some basic security practices, now standard in the market, which would make it difficult for them to claim that they are using reasonable care and skill in the provision of their service. Somebody may quickly argue that following the language of s. 13 of the English Supply of Goods and Services Act 1982 is not correct because the company is not located in England and, even if it were, the user does not provide consideration to form a contract with Twitter. However, leaving the issue of jurisdiction apart (but remembering LICRA v. Yahoo!), if courts decide to find liability (I have always suggested that more times than not, courts decide whatever they want and then make up the arguments to justify it), they could find that the effort required to set up a Twitter account represents enough consideration, just as the court found that inhaling the smoke of the smoke ball was enough consideration in Carlill v Carbolic Smoke Ball Co (1892). Even if courts don't find consideration, such a lack of care (not allowing unlimited attempts at a password, and requiring members of staff with access to all accounts to have very strong passwords, are very common and basic security measures that an IT company must follow) would probably attract some form of liability in negligence, which is what should start happening if IT companies are treated like the rest of us mortals…
