After a lewd photo was sent from Representative Anthony Weiner's Twitter account on Friday, Weiner tweeted that his account had been "#Hacked."
On Sunday, his spokesperson Dave Arnold reiterated the point, saying Weiner's Twitter had been "obviously hacked."
So was it? It's hard to know for sure. Ideological enemies of the Democrat have jumped at the chance to cast aspersions on pretty much anything Weiner's said about the incident, and as it turns out, there is a security hole in the image-and-video-hosting service Yfrog that could have allowed someone to send out a picture from Weiner's Twitter account simply by emailing it to his Yfrog email address.
That may be the most likely explanation. Yet even so, all this talk of "hacking" raises a question with fairly serious implications, and not just for the congressman. How vulnerable is Twitter to being hacked?
Several cyber-security researchers (a fancy term for hackers who work for the good guys) weighed in on this question today, and much of what they said was summed up by this two-word response from Robert Graham, the CEO of the cyber-security firm Errata Security: "Pretty vulnerable."
In a blog post on Errata's website, Graham listed five possible ways that Weiner's Twitter could have been hacked. He said a hacker (or just as likely, a prankster or anti-Weiner activist with just enough computer knowledge to get the job done) could have stolen Weiner's password, broken into his Twitter account, hijacked his Wi-Fi connection, snuck into his computer, or infiltrated Twitter's servers. Except for the last one, he said, these techniques are so easy that "people in junior high school" are capable of employing them.
Stealing a password -- the most common hack, he said -- can be as simple as calling someone at the office and pretending to be the IT guy from downstairs. ("Now I'm just going to need your password and your log-in and then you'll be all set…")
When hackers steal a password, though, they usually change it so that they can block whomever they're trying to impersonate from regaining control over the account. There's no indication that Weiner's password was changed, or that he ever lost access to his account. Just minutes after the offending tweet went out, he sent out a flurry of tweets about a hockey game, and within an hour and a half he was already joking, via Twitter, about the incident that would soon become known as Weinergate: "Is my blender gonna attack me next?"
Another possibility is that someone hijacked Weiner's wireless connection.
"A lot of social media applications were insecurely designed," said Joshua Corman, a researcher for the 451 Group. "They send the username and password across a wireless in naked, plain, clear text, and that means anyone who's on your wireless connection at a Starbucks or an airport can grab your name and password out of the air and know it forever."
As long as your password is encrypted when you send it out, you should be safe from these kinds of attacks. Yet as Corman noted, social media sites aren't generally very good about encrypting their users' information. Twitter does offer encryption, but not as the default option. If you want to protect your information you have to check a special box, and most people don't know to do that, Corman said.
Chester Wisniewski, an expert with the cyber-security company Sophos, pointed out that it isn't just Twitter that's vulnerable to these kinds of hacks. In fact, when it comes to social media security issues, Facebook gets most of the attention.
"Twitter is equally vulnerable as Facebook, but there are less people using it so there are less people targeting it," he said.
A common ploy, he said, involves something called rogue applications. Say a box pops up on your screen offering some kind of Twitter-enhancement service -- maybe it purports to allow you to send pictures from Twitter, or to tell you how many minutes you've spent on Twitter that month.
"It says, 'In order to tell you how many minutes you spent I need permission to post to your wall,'" he said. "You keep clicking 'yes' until the darn thing's installed. Nine times out of ten, those sites are actually fake sites that are harvesting usernames and passwords."
To avoid being taken in by these imposters, Wisniewski said, it's important to keep an eye out for "the little warning signs that the nerds in our lives have built into all these tools."
"If something is simply going to tell me how many minutes I spent on Twitter," he said, "does it really need to post to my wall?"
Corman elaborated on this point. "People should have a healthy level of skepticism with any pop-up from any source," he said. "And they should often ask themselves, 'What's the risk compared to the reward?' Do you really care how many minutes you spent on Twitter that month?"