Latest Britney Spears Twitter Hack Highlights TwitPic Weakness (Britney Spears isn’t dead)

She may very well be the name associated with more spam, virus and hack attacks than anyone else in history. Yes, step aside Paris, Angelina and Bill, my guess is that the name that hackers choose to exploit for their own ends more than any other is Britney Spears.

In a tasteless stunt that was seen by her two million followers earlier today, a hacker managed to post the following message to Britney Spears’s Twitter stream earlier today:

Britney has passed today. It is a sad day for everyone. More news to come.

Interestingly, the fake story of Britney’s death was posted to her Twitter followers via the TwitPic service, which automatically forwards messages to the associated Twitter account. There are a number of ways in which you can post a message on TwitPic – which is then echoed on Twitter – including logging on to the service or sending a picture to a unique email address.

It’s possible that that last method of updating TwitPic may be the prime suspect in this case, as
the service just tweeted that they have fixed a vulnerability with their email posting functionality. There certainly has been a concern in the past that TwitPic relies upon a four digit PIN that could be cracked through brute force.

That would mean that I could post a message (and TwitPic link) on Britney’s Twitter page if I could crack her four digit PIN and use it to email britneyspears.XXXX@twitpic.com (where XXXX are the four digits). That certainly doesn’t seem like very good security.

The picture on Britney Spears’s TwitPic account and the fake post to Twitter have since been deleted, but followers of the popstar have been reassured that she has not died by the following update on the micro-blogging service:

The Twitter accounts of fellow celebrities Ellen DeGeneres and Diddy (also known as P Diddy or Puff Daddy or even Sean Combs – can’t he make his mind up? Does he keep changing his name in an attempt to avoid income tax?) are also said to have published similar messages about their owner’s demise.

I guess that the millions of people who follow these celebrities on Twitter have to be grateful that all that they saw was a sick prank by hackers, rather than put in danger by being exposed to a malicious link to a website containing malware or a phishing page.

Curiously, Lindsay Lohan claimed last week to have also been on the receiving end of a hacker after someone posted a controversial picture on her TwitPic account (which was retweeted widely on Twitter).

by Graham Cluley, Sophos

Related posts:

1. ‘More followers’ spam hits Twitter accounts
2. Twitter compromised, DNS hijacking to blame
3. All Twitter Users Have 0 followers and 0 following !
4. Twitter Has Been Taken Offline by an Ongoing Denial Of Service Attack.
5. Twitter fights back against spam, phishing, and other malicious links