Twittor – Launched & Hacked in 2 Hours (Password was: 123123123…)
Update: The site was taken down until the issues are fixed and is now displaying this on the homepage:
The Main Story:
A new and seemingly nice service was launched today and announced on Reddit. The service is called Twittor – basically an onion-based Twitter. This was the launch post on Reddit:
We registered to have a look around the service and moved on without giving it too much attention; the idea is nice and we planned to follow up on it later.
Two hours later we found this comment in the same thread, replying to the post “sounds interesting but what makes this any better than the hub?”. It was one of those kinds of posts we have become so familiar with lately, pointing out security issues and, even worse, posting the plaintext password of the site's main account (although it's not a backend admin account, the fact that he could get ANY password is bad enough):
Nothing. It's much worse. It's basically the hub with Twittor trying to profit by selling verification for vendors in the future.
Their security is awful.
This is why you don't reuse passwords.
We went to verify this information and, what do you know… within a minute we were logged in under the site's main account:
From our previous login to the site using our test account, we were able to confirm that this is indeed the main account of the site.
Sure, no harm has been done (yet) in this case, but it would be a good idea for the admin to fix these issues before introducing the service to the public – especially when it's meant to serve vendors and marketplace owners as a way to communicate and keep their users updated with the latest news.
Read the full discussion on Reddit, here: http://www.reddit.com/r/DarkNetMarkets/comments/1yn3ui/introducing_twittor/