Is it finally safe to get back on Twitter?
Twitter has been working on a new security measure to crack down on hacking, according to Wired’s Mat Honan. The solution, which includes a two-step authorization process similar to the verification measures released by Google last August, is currently undergoing internal testing, and the company plans to release the measures to users gradually in the near future. For now, its support page puts the onus for handling hacks on the user, advising merely that you change a compromised password and revoke connections to third-party applications.
Honan’s report came hours after a rogue tweet sent Tuesday from the compromised Twitter feed of the Associated Press reported an explosion at the White House, causing the Dow to drop 140 points and the S&P 500 to erase about $136 billion in just a few minutes. (Both quickly recovered.)
Twitter has been working on this security upgrade for a while. After at least 250,000 account passwords were compromised in an attack in early February, Twitter posted a job listing for a software engineer to “design and develop user-facing security features, such as multifactor authentication and fraudulent login detection.” In a statement following the attack, the company implicitly recognized that Twitter hacks are increasingly common. “This attack was not the work of amateurs, and we do not believe it was an isolated incident,” the company said. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
Why did it take a 250,000 password theft and a 140-point dip in the stock market to get Twitter to take two-factor security seriously? Brands such as Jeep and Burger King had their accounts hacked in February, and virtually every major media account, from Reuters to the BBC, has endured some sort of disruption by hackers—often the Syrian Electronic Army, a pro-regime activist collective that has claimed responsibility for the AP hack.
And Twitter has suffered from frequent disruptions in the past, including a servicewide attack during the rollout of Twitter’s 2010 redesign by a hacker who calls himself Masato Kinugawa and claimed the company wouldn’t respond to his message about a flaw in its “cross-site scripting.”
“Twitter had not fixed this critical issue long after it had been notified,” Kinugawa tweeted after the incident. “Twitter left this vulnerability exposed, and its recognition of this problem was low. Rather than have someone maliciously abuse this under the radar, I decided it would be better to urgently expose this as a serious problem and have it be addressed.”
Google has had two-step authorization since February 2011, and Apple rolled out the feature in March. Good products take time and care to develop. But with more than 200 million active users and 400 million tweets per day, how big of a crisis does Twitter need to get a security update out the door?
Twitter has not responded to requests for comment.