Yesterday we were made aware of a vulnerability with our email posting system that would allow someone to brute force someone’s Twitpic email PIN by trying every combination until one worked. A fix has been put in place to prevent this from happening.
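The post does not say what the fix was, so the following is an added illustration, not Twitpic's code: one standard way to make a short numeric PIN resistant to exhaustive guessing is to count failed attempts per account and lock the account for a cooling-off period once a small threshold is hit, so an attacker gets only a handful of guesses out of the 10,000 possible 4-digit values. The account name, PIN value, thresholds and the injectable clock below are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy values for the example (not from the post).
MAX_FAILED_ATTEMPTS = 5          # guesses allowed before the account locks
LOCKOUT_SECONDS = 15 * 60        # how long the lock lasts


class PinStore:
    """Stores salted PIN hashes and enforces a per-account lockout."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, makes the lockout testable
        self._pins = {}                 # account -> (salt, pin_hash)
        self._failures = {}             # account -> consecutive failed attempts
        self._locked_until = {}         # account -> unix time the lock expires

    @staticmethod
    def _hash(salt: bytes, pin: str) -> bytes:
        # Slow hash so a leaked table of PIN hashes is also costly to brute force offline.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def set_pin(self, account: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._pins[account] = (salt, self._hash(salt, pin))
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

    def verify(self, account: str, pin: str) -> str:
        """Return 'accepted', 'rejected' or 'locked' for one posting attempt."""
        now = self._now()
        if self._locked_until.get(account, 0) > now:
            return "locked"             # even a correct PIN is refused while locked
        if account not in self._pins:
            return "rejected"
        salt, expected = self._pins[account]
        # Constant-time comparison so the response time does not leak matching bytes.
        if hmac.compare_digest(self._hash(salt, pin), expected):
            self._failures.pop(account, None)
            return "accepted"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures.pop(account, None)
            return "locked"
        return "rejected"


def attempts_until_locked(store: PinStore, account: str) -> int:
    """Defender-side check: how many sequential guesses does the policy allow
    before the account locks? Stops at the first 'locked' or 'accepted' result."""
    attempts = 0
    for candidate in range(10_000):
        attempts += 1
        result = store.verify(account, f"{candidate:04d}")
        if result in ("locked", "accepted"):
            return attempts
    return attempts


if __name__ == "__main__":
    clock = [1_000.0]
    store = PinStore(now=lambda: clock[0])
    store.set_pin("example-account", "7777")      # constructed account and PIN
    print("guesses before lockout:", attempts_until_locked(store, "example-account"))
    print("correct PIN while locked:", store.verify("example-account", "7777"))
    clock[0] += LOCKOUT_SECONDS + 1
    print("correct PIN after lockout:", store.verify("example-account", "7777"))
```

The point of the `attempts_until_locked` check is that a policy like this can be verified directly: with the thresholds above, only five guesses are possible before the lock engages, and the lock applies to the real PIN as well, so a legitimate user notices the attempt rather than silently having a photo posted on their behalf. A production version would also log the lock event and throttle by source address, since the post notes the attacks were traced back through the originating ISPs.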
I want to stress that no account information was compromised; the vulnerability only allowed someone to post a photo to Twitpic/Twitter on someone’s behalf, but did not allow access to their account in any way. Once we were made aware of the issue we immediately began work on a fix and also shut down the email system to prevent any unauthorized postings. Also, any account that was affected by this was remedied. Less than 10 users were affected by the attacks.
I want to make it clear that this was NOT a Twitter issue, but a Twitpic issue, and I take full responsibility for it. Once I contacted Twitter about the issue on our end, they worked with us to help remedy any unauthorized postings and they were extremely helpful. Kudos to the Twitter team.
We have already begun working with the ISPs where the attacks originated from to find out who they were initiated by and to investigate what action should be taken. The ISPs have been helpful and have already given us information about the accounts where the attacks originated from – (@noaheverett has already broken out the ninja suit…on snap).
I want to apologize to anyone this has affected and I want you to know that we take security seriously. Thank you very much for being Twitpic users and allowing us to be part of your photo sharing experience.