Security 2.0 – Fairy tales and the art of deception

Yesterday, I wrote a post about TwitPic and Twitter.

According to the blog of TwitPic, we can read this:

Yesterday we were made aware of a vulnerability with our email posting system that would allow someone to brute force someone’s Twitpic email PIN by trying every combination until one worked. A fix has been put in place to prevent this from happening.[...]
I want to make it clear that this was NOT a Twitter issue, but a Twitpic issue, and I take full responsibility for it. Once I contacted Twitter about the issue on our end, they worked with us to help remedy any unauthorized postings and they were extremely helpful. Kudos to the Twitter team.[...]
I want to apologize to anyone this has affected and I want you to know that we take security seriously.

The thing is: They still use a 4 DIGITS PIN code. So it means, both Twitter and TwitPic worked on this vulnerability to fix it and both of them are NOT shocked by the 10^4 possibilities of the 4 DIGITS PIN code. It’s getting funnier and funnier.

IMHO, if I should make a comparaison: it is like when a very big vendor fix an integer overflow but forget that the type of the integer is signed.

.. Shame.

2 thoughts on “Security 2.0 – Fairy tales and the art of deception

  1. Matthieu,

    It’s what we called the problem of the startup, and of the guys who has not been in security fields for a long time :)

    I’ve seen a lot of guys doing the same thing and don’t want to take the good practices.

    It’s seems that Humans don’t learn ….

Comments are closed.