Ashton Kutcher's Twitter account hacked
The Twitter account of US actor and prominent Twitter user Ashton Kutcher has apparently been broken into. Unknown parties seem to have exploited the lack of encryption to send the message "Ashton, you've been Punk'd" to his more than 6 million followers.
Indications of the lack of SSL in the tweets suggest that the account was captured with a tool such as Firesheep. Unlike its competitor Facebook, Twitter currently does not offer an option of encryption over an HTTPS site. As a result, the login password is sent with encryption to an HTTPS address, but users are then sent to an unencrypted web site using 302 Redirection.
As a result, someone in the same network as Kutcher, for instance, could have sniffed and abused his session data to use his account as they saw fit. With tools like Firesheep, the attack is child's play.
While Facebook has reacted by introducing an option in the account settings to make all communication run with encryption over HTTPS servers, the option only provides protection if you use Facebook in a web browser. Facebook apps, like the iPhone app, ignore this option completely and still communicate with the Facebook server without encryption. And if you switch over to a popular Facebook game within your browser, Facebook switches encryption off again without even telling you.