Actor Ashton Kutcher's more than 6.4 million Twitter followers yesterday got a firsthand look at what can happen when your Twitter account gets hijacked -- and by a security activist who wanted to make a point:

"Ashton, you've been Punk'd. This account is not secure. Dude, where's my SSL?"

Kutcher, who is among the glitterati this week attending the TED (Technology Entertainment and Design) Conference in Long Beach, Calif. -- which includes big-name speakers such as Bill Gates; Bill Ford, CEO of Ford Motor Co.; and, from the security industry, security consultant Ralph Langner, best-known for his analysis of Stuxnet -- appears to have fallen victim to a cookie-jacking incident.

A second tweet posted on the hijacked account said: "P.S. This is for those young protesters around the world who deserve not to have their Facebook & Twitter accounts hacked like this. #SSL"

The culprit didn't reveal his method of capturing Kutcher's account credentials and cookies, but security experts say it was most likely via an unsecured WiFi session. Some experts were speculating that the attacker could have used the Firesheep tool, a free plug-in for Firefox that makes it possible for anyone to easily hijack a WiFi user's unencrypted Twitter, Facebook, or other unsecured account session. Firesheep basically gives the user a name and photo of the unsecured accounts on the WiFi network, the attacker double-clicks on the victim, and then is logged in as that user.

"There are lots of ways to capture credentials," says Dave Marcus, director of McAfee Labs security research communications. "[This attacker] captured the cookie ... and did what he wanted to do with it. It's about capturing the cookies and replaying them."

As of this posting, Kutcher's hijacked account still displayed the attacker's tweets.

The underlying problem, of course, is that most websites are not SSL-secured. Twitter's SSL site is an option and not the default version. Aside from using a VPN connection or a proxy -- neither of which is practical for many consumers -- there's the Firefox add-on called Force-TLS, which automatically directs you to the SSL version of a site if one exists.

Meanwhile, Twitter's global PR Twitter account posted this tweet yesterday: "Users can use Twitter via HTTPS: twitter.com. We've long been working on offering HTTPS as a user setting & will share more soon."

As for the Kutcher account hijacking, Marcus says it could happen to anyone. "Anyone's cookies can be captured," he says. "I'd be interested if the person who did it was purposely trying to capture his credentials or just anyone's" and got his by chance, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.