Security 2.0 – Fairy tales and the art of deception

Yesterday, I wrote a post about TwitPic and Twitter.

On the TwitPic blog, we can read this:

Yesterday we were made aware of a vulnerability with our email posting system that would allow someone to brute force someone’s Twitpic email PIN by trying every combination until one worked. A fix has been put in place to prevent this from happening.[...]
I want to make it clear that this was NOT a Twitter issue, but a Twitpic issue, and I take full responsibility for it. Once I contacted Twitter about the issue on our end, they worked with us to help remedy any unauthorized postings and they were extremely helpful. Kudos to the Twitter team.[...]
I want to apologize to anyone this has affected and I want you to know that we take security seriously.

The thing is: they still use a 4-DIGIT PIN code. So both Twitter and TwitPic worked on fixing this vulnerability, and neither of them is shocked by the 10^4 possibilities of a 4-DIGIT PIN code. It’s getting funnier and funnier.
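As an added example (not TwitPic’s or Twitter’s code; the attempt limit, lockout window and alerting budget are assumptions), here are the two halves the post contrasts: a per-account attempt throttle of the kind the TwitPic post says was put in place, and the guessing risk that a 10^4 PIN space still leaves once that throttle exists.

```python
import hmac
from dataclasses import dataclass, field

PIN_SPACE_4_DIGITS = 10 ** 4  # 0000..9999, the space the post complains about


@dataclass
class PinGate:
    """Per-account throttle (assumed policy): lock the account for a while
    after too many wrong PINs. A lockout bounds the guess rate; it does not
    make a small PIN space larger."""
    max_attempts: int = 5
    lockout_seconds: float = 900.0
    # account -> (failures so far, unix time until which the account is locked)
    state: dict = field(default_factory=dict)

    def verify(self, account: str, stored_pin: str, submitted: str, now: float) -> bool:
        failures, locked_until = self.state.get(account, (0, 0.0))
        if now < locked_until:
            return False  # locked: reject before even comparing the PIN
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(stored_pin, submitted):
            self.state.pop(account, None)  # success resets the counter
            return True
        failures += 1
        if failures >= self.max_attempts:
            self.state[account] = (0, now + self.lockout_seconds)  # start lockout
        else:
            self.state[account] = (failures, locked_until)
        return False


def residual_risk(pin_space: int, max_attempts: int, lockouts_before_alert: int) -> float:
    """Chance one account is opened by guessing before anyone notices.

    The throttle turns 'unlimited tries' into a budget of
    max_attempts * lockouts_before_alert guesses; the budget is spent
    against pin_space equally likely PINs. Growing the PIN space is the
    only term here that shrinks the risk for free."""
    budget = max_attempts * lockouts_before_alert
    return min(1.0, budget / pin_space)
```

With the assumed policy, a single lockout window already gives a 1-in-2000 chance per account against a 4-digit PIN; the same policy against an 8-digit PIN gives 1 in 20,000,000.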

IMHO, if I had to make a comparison: it is like when a very big vendor fixes an integer overflow but forgets that the type of the integer is signed.

.. Shame.