Ashton Kutcher's Twitter Account Punk'd With SSL Taunt

Published: 22/11/2024   Category: security




Dude, where's my SSL?



Actor Ashton Kutcher's more than 6.4 million Twitter followers yesterday got a firsthand look at what can happen when your Twitter account gets hijacked -- and by a security activist who wanted to make a point: "Ashton, you've been Punk'd. This account is not secure. Dude, where's my SSL?"
Kutcher, who is among the glitterati this week attending the TED (Technology Entertainment and Design) Conference in Long Beach, Calif. -- which includes big-name speakers such as Bill Gates; Bill Ford, CEO of Ford Motor Co.; and, from the security industry, security consultant Ralph Langner, best-known for his analysis of Stuxnet -- appears to have fallen victim to a cookie-jacking incident.
A second tweet posted on the hijacked account said: "P.S. This is for those young protesters around the world who deserve not to have their Facebook & Twitter accounts hacked like this. #SSL"
The culprit didn't reveal his method of capturing Kutcher's account credentials and cookies, but security experts say it was most likely via an unsecured WiFi session. Some experts were speculating that the attacker could have used the Firesheep tool, a free plug-in for Firefox that makes it possible for anyone to easily hijack a WiFi user's unencrypted Twitter, Facebook, or other unsecured account session. Firesheep basically gives the user a name and photo of the unsecured accounts on the WiFi network, the attacker double-clicks on the victim, and then is logged in as that user.
"There are lots of ways to capture credentials," says Dave Marcus, director of McAfee Labs security research communications. "[This attacker] captured the cookie ... and did what he wanted to do with it. It's about capturing the cookies and replaying them."
As of this posting, Kutcher's hijacked account still displayed the attacker's tweets.
The underlying problem, of course, is that most websites are not SSL-secured. Twitter's SSL site is an option and not the default version. Aside from using a VPN connection or a proxy -- neither of which is practical for many consumers -- there's the Firefox add-on called Force-TLS, which automatically directs you to the SSL version of a site if one exists.
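An added example, not part of the original article: a small audit that models the browser's Secure-attribute rule to show why an optional SSL site does not protect a session, since a cookie set without Secure is still sent on any plain-HTTP request. The cookie names and values and the example.test host are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_sent(url, set_cookie_headers):
    """Names of cookies a browser would attach to a request for `url`.

    Models only the Secure rule: a cookie marked Secure is withheld from
    plain-http requests. Domain, Path and expiry matching are left out.
    """
    is_https = urlsplit(url).scheme == "https"
    sent = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if is_https or "secure" not in attrs:
            sent.append(name)
    return sent


def exposed_on_http(set_cookie_headers):
    """Cookies that would cross an open WiFi network in cleartext."""
    return cookies_sent("http://example.test/", set_cookie_headers)


# Constructed sample: headers a site might return after a login over HTTPS.
SAMPLE = [
    "session_id=CONSTRUCTED-VALUE-1; Path=/; HttpOnly",
    "auth_token=CONSTRUCTED-VALUE-2; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    print("sent over https:", cookies_sent("https://example.test/", SAMPLE))
    print("sent over http: ", exposed_on_http(SAMPLE))
```

Any session cookie that appears in the plain-HTTP list needs the Secure attribute before an HTTPS option offers real protection on shared networks.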
Meanwhile, Twitter's global PR Twitter account posted this tweet yesterday: "Users can use Twitter via HTTPS: twitter.com. We've long been working on offering HTTPS as a user setting & will share more soon."
As for the Kutcher account hijacking, Marcus says it could happen to anyone. "Anyone's cookies can be captured," he says. "I'd be interested if the person who did it was purposely trying to capture his credentials or just anyone's and got his by chance," he says.