Security 2.0 – Fairy tales and the art of deception
Yesterday, I wrote a post about TwitPic and Twitter.
On TwitPic's blog, we can read this:
Yesterday we were made aware of a vulnerability with our email posting system that would allow someone to brute force someone’s Twitpic email PIN by trying every combination until one worked. A fix has been put in place to prevent this from happening.[...]
I want to make it clear that this was NOT a Twitter issue, but a Twitpic issue, and I take full responsibility for it. Once I contacted Twitter about the issue on our end, they worked with us to help remedy any unauthorized postings and they were extremely helpful. Kudos to the Twitter team.[...]
I want to apologize to anyone this has affected and I want you to know that we take security seriously.
The thing is: they still use a 4-digit PIN code. So both Twitter and TwitPic worked on this vulnerability to fix it, and neither of them is bothered by the 10^4 possibilities of a 4-digit PIN. It's getting funnier and funnier.
IMHO, if I had to make a comparison: it is like when a very big vendor fixes an integer overflow but forgets that the type of the integer is signed.
.. Shame.
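To make the 10^4 point concrete, here is an added example (my own toy model, not TwitPic's or Twitter's code). It assumes, since the post does not say what the fix was, that the fix is a per-account lockout after a few wrong guesses. It shows that such a lockout stops an attacker from walking one account's PIN space, but that with only 10^4 possible PINs an attacker who spends his few allowed guesses on each of many accounts still opens a predictable share of them; only a larger keyspace changes that. The PIN "7319", the lockout threshold of 5 and the account counts are constructed inputs.

```python
import itertools


class PinVerifier:
    """Toy model of an e-mail-posting PIN check (constructed for this example).

    max_attempts=None models an unthrottled check; an integer models an
    assumed per-account lockout after that many wrong guesses.
    """

    def __init__(self, pin, max_attempts=None):
        self._pin = pin
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def check(self, guess):
        if self.locked:
            return False
        if guess == self._pin:
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
        return False


def brute_force(verifier, digits=4):
    """Try every `digits`-digit PIN in order, 0000 first.

    Returns (pin, attempts) on success, or (None, attempts) if the account
    locked before the right PIN was reached.
    """
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        if verifier.locked:
            break
        attempts += 1
        guess = "".join(combo)
        if verifier.check(guess):
            return guess, attempts
    return None, attempts


def expected_compromised(n_accounts, keyspace, attempts_per_account):
    """Expected number of accounts opened when the attacker spends
    `attempts_per_account` distinct guesses on each of `n_accounts` accounts
    whose secrets are uniform over `keyspace`.

    A lockout after k tries still hands the attacker k/keyspace of the
    accounts he sprays; with keyspace = 10^4 that fraction is not small.
    """
    return n_accounts * min(attempts_per_account, keyspace) / keyspace


if __name__ == "__main__":
    # Unthrottled 4-digit PIN: found after at most 10^4 guesses.
    print(brute_force(PinVerifier("7319")))
    # Assumed fix, lockout after 5 wrong guesses: one account survives...
    print(brute_force(PinVerifier("7319", max_attempts=5)))
    # ...but 5 guesses against each of a million accounts still opens hundreds.
    print(expected_compromised(1_000_000, 10**4, 5))
    # The same budget against 8-character alphanumeric secrets opens, in
    # expectation, less than one account.
    print(expected_compromised(1_000_000, 36**8, 5))
```

The lesson the numbers give: throttling is the right reflex, but it only rate-limits the attacker per account; the size of the secret decides how many accounts he gets for a fixed budget of guesses.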
Matthieu,
It's what we call the problem of startups, and of guys who haven't been in the security field for a long time :)
I've seen a lot of guys doing the same thing and not wanting to follow good practices.
It seems that humans don't learn ....
No one really cares about security anyway ... Hackers don't exist, right? ;)