12:34 PM
Connect Directly

Ashton Kutcher's Twitter Account 'Punk'd' With SSL Taunt

'Dude, where's my SSL?'

Actor Ashton Kutcher's more than 6.4 million Twitter followers yesterday got a firsthand look at what can happen when your Twitter account gets hijacked -- and by a security activist who wanted to make a point:

"Ashton, you've been Punk'd. This account is not secure. Dude, where's my SSL?"

Kutcher, who is among the glitterati this week attending the TED (Technology Entertainment and Design) Conference in Long Beach, Calif. -- which includes big-name speakers such as Bill Gates; Bill Ford, CEO of Ford Motor Co.; and, from the security industry, security consultant Ralph Langner, best-known for his analysis of Stuxnet -- appears to have fallen victim to a cookie-jacking incident.

A second tweet posted on the hijacked account said: "P.S. This is for those young protesters around the world who deserve not to have their Facebook & Twitter accounts hacked like this. #SSL"

The culprit didn't reveal his method of capturing Kutcher's account credentials and cookies, but security experts say it was most likely via an unsecured WiFi session. Some experts were speculating that the attacker could have used the Firesheep tool, a free plug-in for Firefox that makes it possible for anyone to easily hijack a WiFi user's unencrypted Twitter, Facebook, or other unsecured account session. Firesheep basically gives the user a name and photo of the unsecured accounts on the WiFi network, the attacker double-clicks on the victim, and then is logged in as that user.

"There are lots of ways to capture credentials," says Dave Marcus, director of McAfee Labs security research communications. "[This attacker] captured the cookie ... and did what he wanted to do with it. It's about capturing the cookies and replaying them."

As of this posting, Kutcher's hijacked account still displayed the attacker's tweets.

The underlying problem, of course, is that most websites are not SSL-secured. Twitter's SSL site is an option and not the default version. Aside from using a VPN connection or a proxy -- neither of which is practical for many consumers -- there's the Firefox add-on called Force-TLS, which automatically directs you to the SSL version of a site if one exists.

Meanwhile, Twitter's global PR Twitter account posted this tweet yesterday: "Users can use Twitter via HTTPS: We've long been working on offering HTTPS as a user setting & will share more soon."

As for the Kutcher account hijacking, Marcus says it could happen to anyone. "Anyone's cookies can be captured," he says. "I'd be interested if the person who did it was purposely trying to capture his credentials or just anyone's" and got his by chance, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.