Earlier this afternoon, Twitter announced that a security issue that caused passwords to be logged in plaintext had been discovered and patched.
In a vague, hard-to-find tweet and blog post, the company stated, “Due to a bug, passwords were written to an internal log before completing the hashing process,” and recommended that users change their passwords. Nonfree News reached out to Twitter CEO Jack Dorsey for clarification, and received the following response:
“Twitter? Haha I’ve been so busy running Square that I haven’t checked on them in months. Whoopsie! I’ll get back to you on that.”
30 minutes later, he elaborated:
“Yeah so the ‘private log’ referred to a Twitter bot that one of our devs created. It tweeted the username and password of every attempted login, but the account was protected and it only had a few hundred followers, all from Russia, so it doesn’t seem like a big deal. The developer was fired and we’ve instituted a strict NO PASSWORD BOTS policy for the next month, so it doesn’t seem like a big deal.”
Nonfree News has not located this bot user as of the time of publication, but expects more to be found later this week.
A few days ago, popular open-source code site GitHub experienced a similar issue. Nonfree News notes that this bug would never have existed if GitHub released their own source code on GitHub. Regrettably, GitHub CEO Mark “I’ll have my team follow up with you” Zuckerberg provided no comment.
Both Twitter and GitHub use a secure hashing algorithm, called bcrypt, to store passwords. Due to the similarity and timing of these issues, Russia’s Ministry of Defense has launched an investigation into the two companies’ business practices and any potential foul play.
According to a statement made today, King of Russia, Vlad the Impaler, has already carried out sixteen arrests and subsequent secret court trials of suspected followers of the password-tweeting bot made by the now-fired Twitter developer.
While both issues look to be contained, Nonfree News would like to remind our readers to regularly change their passwords as a safety precaution.