Twitter DNS attack

Twitter’s domain name was hijacked recently, and visitors were redirected to an unrelated site hosting a page that claimed the site had been hacked by persons with links to Iran. More details about how this was done are trickling out.

One of my friends and I were having a discussion a couple of months ago about hijacking domains, and one of the things I mentioned was attacking the web application interfaces that registrars and DNS providers offer for managing DNS entries. This is a very logical place to attack. In this scenario, the DNS servers themselves are not attacked; the web applications that let users manage DNS entries are. Once someone breaks into the application, they can simply change the DNS entries to anything they want.

This seems to have been the method chosen by the person or persons involved in the Twitter breach. According to Dyn, Inc., the DNS service provider for Twitter, the nameservers themselves did not change. The DNS entries within the zone were changed, which indicates that someone logged in with valid credentials and altered the entries, redirecting the domain name and several sub-domains to other servers. According to Dyn, Inc., it was a valid change by a valid user.

The question that remains to be answered is this: how did the person or persons get access to valid credentials? A clue could be the fact that Dyn changed the way lost passwords are recovered. It has suspended the automated password recovery system and announced that everyone has to go through phone support to recover passwords. This suggests, though not conclusively, that the credentials were obtained through the password recovery mechanism.

Anyone remember how someone broke into Sarah Palin’s Yahoo account using the recovery mechanism? Password recovery mechanisms should be treated just like authentication and they should be strong. The questions that need to be answered should not be simple ones that someone could guess the answer to.
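To make the point concrete, here is an added example (not code from the original post, and not Dyn’s or Twitter’s implementation) of a recovery flow that is held to the same standard as a login: the reset token is unguessable CSPRNG output, stored only as a hash, time-limited, single-use, and compared in constant time. The in-memory store and the user names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # reset links stop working after 15 minutes

# Constructed in-memory store: user -> pending reset record.
# Only the SHA-256 of the token is kept, so a leaked row cannot be replayed.
_pending = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited reset token for `user` and return it.

    The plaintext token goes only into the out-of-band message (e-mail/SMS);
    it is never written to the store. Issuing a new token replaces any old one.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: cannot be guessed like a security answer
    _pending[user] = {"hash": _hash(token), "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(user: str, token: str, now: Optional[float] = None) -> bool:
    """Accept the token exactly once, before expiry. Every failure is a generic False."""
    now = time.time() if now is None else now
    record = _pending.get(user)
    if record is None:
        return False
    # Constant-time comparison so response timing does not leak how much of the token matched.
    if not hmac.compare_digest(record["hash"], _hash(token)):
        return False
    # A correct token is consumed whether or not it is still fresh: it can never be used twice.
    del _pending[user]
    return now <= record["expires"]
```

Password-guessing and token-guessing attempts against `redeem_reset_token` should additionally be rate-limited and logged, exactly as failed logins are.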

Another way this could have happened is if the credentials were easily guessable. Twitter was the target of another attack a few months ago, and that time its senior staff had not set strong passwords.