The chief executive of a company which demonstrated a security flaw in Twitter by hijacking the accounts of Eamonn Holmes and Louis Theroux has denied breaking the law.

Mr Holmes and Mr Theroux were among celebrities and journalists who tweeted messages on Thursday stating their accounts had been "temporarily hijacked by Insinia Security".

Mike Godfrey, who runs Insinia Security, explained to Sky News that the accounts had been hijacked to demonstrate how Twitter allows anyone who knows your phone number to tweet from your account.

According to the company, the bug allowing the hijack to happen has been known about for six years, but Insinia acted to raise awareness of it because Twitter seemed unwilling to address the issue.

Twitter has claimed it has since fixed the flaw, although Mr Godfrey disputed this when speaking to Sky News and claimed it was still working as of Friday night.

Insinia's stunt was also criticised by some members of the information security community for potentially breaching laws regarding hacking, re-igniting a debate about the Computer Misuse Act 1990 (CMA).

Image: The accounts posted messages claiming to have been hijacked

Andrew Tierney, a security consultant at UK-based firm Pen Test Partners, said: "This new trend of ignoring the Computer Misuse Act is not cool."

Ken Munro, the founder of Pen Test Partners, agreed with Mr Tierney, stating: "It encourages some to break the law, thinking it's okay to do so, as others did publicly. Violating the Computer Misuse Act is not cool."

Asked if he was concerned about being in breach of the CMA, Mr Godfrey said: "I wouldn't say I'm concerned about it."

Image: Twitter says it has fixed the bug

He added that he thought the law "wasn't fit for purpose" and explained how his company's work discovering a data breach at TalkTalk came about because the company purchased the stolen data from a criminal, in partnership with a media organisation for a news report.

"We haven't hacked anything," he explained, saying that there were simply no authentication processes for the company to have breached, and stressing: "There was no criminal intent, no criminal gain, no traversal, no pivoting, nothing at all."

Insinia stressed to Sky News that it did not access data, nor did the hijack put any of the Twitter users' data at risk of being accessed, but merely allowed them to send a message from their account.

A spokesperson for Twitter told Sky News: "We've resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing.

"We'll continue to investigate any related reports to ensure our account security protocols are functioning as expected."

Cyber security businesses in the UK, including information assurance firm NCC Group, have also complained that the CMA is outdated and prevents them from conducting commercial threat intelligence analysis, unlike rivals in the US and Israel.

Sky News