Anime Right News (ARN) — Twitter announced to its users this morning that they fixed a bug which caused all passwords to be logged in plaintext every time a user logged in. And we might have believed them that it was “just a bug” if Twitter’s backend wasn’t run by a crew of transsexual software engineers with chips on their shoulders, actively working with organizations to gather data on you and build enemy lists. But you really shouldn’t be worried unless you have something to hide from any one of the countless psychotic organizations that now have your data and your passwords.
It's Just a Bug, Bro
Twitter went into some details about the bug in their full public response:
Most log files are kept for years by major companies to be reviewed later if something comes up. Or in this case, to help the ADL build a better online profile on you.
There's a lot of reasons why this is bullshit, the most obvious being that logging isn't a bug at all: it's for record keeping.
Another reason is that no serious organization actually stores your passwords at all because it makes no sense to do so - if hashing and salting are done properly, even if somebody hacked Twitter they couldn't get your password at all because Twitter wouldn't even have it. Going through the extra effort of logging a password into a file in plaintext before you even hash & salt completely negates this advantage.
But the most telling reason that this is bullshit is that bcrypt, being a library, does all the encryption for you - this isn't hundreds of lines of code to debug with fucked up vector math that only five mathematicians in the US can understand, we're talking about a single fucking line of code that probably looked like this:
That means somewhere above that one line of password encryption/comparison is several more lines that open a log file, attempt to write, and then close the log file. Why even go through the extra effort? Unless of course you were doing all this on purpose. Then it makes complete sense.
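To make the point above concrete, here is an added example (not code from the article or from Twitter) of a login handler that writes the whole request to its log before the password is ever hashed, beside one that hashes first and logs only a redacted record. It assumes a standard-library PBKDF2 salted hash as a stand-in for the bcrypt call the article refers to, and a constructed in-memory log sink so it runs offline.

```python
import hashlib
import hmac
import logging
import os
from io import StringIO
from typing import Optional, Tuple

# Constructed in-memory log sink standing in for the log file the article describes.
LOG_SINK = StringIO()
log = logging.getLogger("login_example")
log.setLevel(logging.INFO)
log.propagate = False
_handler = logging.StreamHandler(LOG_SINK)
_handler.setFormatter(logging.Formatter("%(message)s"))
log.addHandler(_handler)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted slow hash. PBKDF2-HMAC-SHA256 (stdlib) stands in for bcrypt here."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the stored digest against a fresh one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def login_leaky(request: dict, salt: bytes, digest: bytes) -> bool:
    """The defect: the raw request, password included, hits the log before hashing,
    so the log file becomes a plaintext password store."""
    log.info("login request: %r", request)
    return verify_password(request["password"], salt, digest)


def redact(request: dict) -> dict:
    """Copy of the request with secret fields replaced, the only form that may be logged."""
    return {k: ("<redacted>" if k == "password" else v) for k, v in request.items()}


def login_safe(request: dict, salt: bytes, digest: bytes) -> bool:
    """Record keeping without the secret: hash first, log only user and outcome."""
    ok = verify_password(request["password"], salt, digest)
    log.info("login %r result=%s", redact(request), "ok" if ok else "fail")
    return ok


def log_contains(text: str) -> bool:
    """Check whether a string (e.g. a password) ever reached the log sink."""
    return text in LOG_SINK.getvalue()
```

Grepping a log sink for a known test password, as `log_contains` does, is a cheap regression check for exactly this class of leak.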
The Disclosure Says a Lot.
This wasn't a mistake: Twitter was deliberately logging your information. Now the question is why they felt the need to tell us, and why they felt the need to lie to us while doing so.
This leads us to some disturbing conclusions:
Twitter was going through extra effort to avoid best practices in order to collect information on you. They felt the need to disclose it because it was discovered by a potential whistleblower or, and let's hope this isn't the case, they suspect a breach but couldn't say so because the subsequent investigation would say exactly what I'm telling you right now: this was no accident, and your data was changing hands with some very creepy organizations.
So Twitter had a choice: get in front of this and call it a bug, or risk a whistleblower or a hacker dumping the story on a major news network. And I wouldn't be surprised if we soon hear about similar "bug" fixes from other major Silicon Valley players who have signed deals with the devil after C-Ville.