Last night, Sina Weibo experienced its second large-scale attack. Unlike the first attack, a link-phishing operation, this attack came through a Weibo app that has since been closed. It claimed a host of high-profile users, including Yao Chen, a superstar actress and Sina Weibo’s most popular user with over 10 million followers.

This attack involved a ‘fun’ cartoon game (now blocked by Sina) in which users entered their names to find out which cartoon character they are. The hacker apparently held unauthorized app keys and was likely able to steal user information from those who signed up.

The technical details of this attack are still unclear, but an open conversation between Sina Weibo’s product managers and engineers revealed that the attacker accessed the app keys that Sina Weibo’s open platform grants to app developers. These app keys were either hacked from the open platform or gained by other means, but either way the attacker successfully bypassed Sina’s attempt to strengthen its security by upgrading from BasicAuth to OAuth (Sina’s OAuth description – Chinese).

Yao Chen, a star actress and Sina Weibo's most popular user with over 10 million followers, fell victim to the attack

The number of affected users is still unknown, but some of the most-followed users on Sina Weibo fell victim to the attack, including Yao Chen (@姚晨) and angel investor Cai Wensheng (@蔡文胜). I managed to catch a screenshot of an affected Weibo post before Sina deleted it. With these celebrity users affected, one can imagine that many ordinary users also fell victim.

Once again Sina Weibo has shown weakness in its platform security. Both attacks are clearly aimed at gaining user account information. With the newly introduced DaRen verification, more and more users are offering their personal information like identification numbers, home addresses and work details to Sina, so safeguarding this information should be one of Sina’s top priorities.

If Sina can’t ensure security, it risks a loss of credibility and makes users unlikely to trust it for deeper activities like eCommerce and virtual currency trading.

  • http://twitter.com/21tigermike Michael A. Robson

    *sniff sniff*

    Smells like friendly fire

    • http://twitter.com/DonSunny46664 Sunny Ye

      Possible, but still, with the app keys out, hackers can create apps purely for the purpose of thieving user info. Considering I handed my passport scan to Sina for verification, I’m getting nervous about its safety.

  • Anonymous

    Honestly I am not clear about the mode of operation profit of Sina Weibo.

    It was learned it’s been developing a virtual currency trading platform. But with this case, it is really risky!