Twitter - email headers

Twitter – email headers

This evening I managed to end up getting my personal twitter account hijacked and malicious users were able to send out direct messages before I got at least some element of control back.

First off, I want to apologise to anyone who got a strange DM from me, telling them to click on a suspicious looking link. I’ve tried to delete them all now and I hope no one clicked on any links.

Although, I cant fully confirm this yet, the attack appears to have been the result of following a link to reset my twitter password. The email came from a very legitimate looking email account and the headers (see image) appear to be from twitter. However, when I did follow the link, and reset my password, I was immediately booted into a sort of limbo where I could neither log in or out of my account. Eventually I got control back by opening a new browser session and forcing yet another password reset. In the three minutes while I couldn’t get access, several direct messages were sent out to people trying to get them to click on a suspicious looking link.

Twitter password reset email – background

At 2313 (all times UK BST) an email landed in my inbox saying it was from twitter and reporting that they had reset my password:

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

Now, at this point, I hadn’t used my twitter account since 14 October and I certainly hadn’t added any new services or visited any websites trying which needed a twitter login. This meant I was a bit suspicious about the email so I checked the headers. Everything here checked out – and it still does which is why I am a bit dubious about this being the attack vector – so, at 2320hrs I clicked on the link.

From here, I was taken to a legitimate looking twitter password reset page. I created a new password and things went a bit strange. When I put the new password in, I was redirected to a log in page again, which seemed a bit more unusual but I had no warnings about HTTPS errors or the like, so I tried to log in with the new password.

When I clicked to submit the password, I was immediately bounced back to the login page and this happened a couple of times. After the fourth attempt, I tried to click on the forgotten password link, but I just got a message saying I needed to log out again first – with no mechanism to log out.

At this point I realised something was up and that my twitter account was probably genuinely compromised now. Yes, I can be a bit slow on the update.

Twitter account recovery

When the penny finally dropped I started trying to recover my account. First I went to a new browser session, which was clear of any twitter cookies or saved data and requested a password reset. I got the password reset email at 2329, leaving a gap of 9 minutes between when I thought I had reset my password and when I got control of it again.

Twitter - Legitimate message headers

Twitter – Legitimate message headers

Being a bit paranoid now, I double checked the reset details but with some extra confidence as I had genuinely requested it this time. A copy of the message source is shown in the image here.

Worryingly it was pretty much identical to the previous one. As I didn’t have much to lose, I clicked on the link and reset my password.

This time, it went very differently and I was given proper access as you would expect. Once I had got in (2330hrs), I checked my direct messages and it seems that between 2320 and 2329hrs, my account had been sending out direct messages to my followers asking them to click on a link. Fortunately not that many had been sent (about 3 a minute) which may have been an attempt to avoid detection.

Analysis

Without access to twitter’s logs or the like, I cant ever really be sure what happened, but there are clues available.

First off – the malicious direct messages were only sent in the period of time between my click on the first email and the password reset request. This means that the first email has to be treated with some increased suspicion, for the following reasons:

  1. It was unsolicited.
  2. It was unspecific.
  3. It mentioned my twitter user name but not my “name” (which the later, legitimate email did)
  4. It created the sense of panic about my account being compromised.

Despite this, the email has been digitally signed using twitter’s RSA key and the URL it referenced looks to all intent and purposes to be a legitimate twitter link for password resets.

The only difference I can find between the original message and the second (presumed legitimate) one is in the tracking string attached to it. On the first email, the link has the following appended to it:

?utm_campaign=twitter20080313004041&utm_medium= email&utm_source=resetpwnotice

On the second one, the tracking link reads:

?utm_campaign= resetpw20100823&utm_content=action&utm_medium= email&utm_source=resetpw

However, it is hard to see how this can be converted into an attack vector, so it is probably nothing more than an artefact in the way twitter tracking works.

If the email hadn’t been compromised in some way, the next alternative is that some form of attack is being mounted when the password is being reset. During this time, as far as my browser was showing, I was connected over HTTPS and no alerts were shown.

Unfortunately it is unlikely I will ever get to the bottom of this, and it may have been a problem with a connected service or even a website and all the emails were legitimate – it was just a timing error that meant the attack took place in the gap.

If you have ever been in this situation, I would love to hear about it. Hopefully it can add some more knowledge and help solve the puzzle.

The main lesson here is to be on guard for any suspicious activity with social networking accounts. Even if you get a legitimate email, take time to double check what is happening and if things go wrong, act quickly to regain control.