DEV Community

Ben Halpern

What are the major lessons from the Twitter hack?

Now that we have more information about what happened on Twitter, and how the company dealt with things, what are the major lessons software development and security practitioners can take away?

Latest comments (28)

JWP

The simple answer is better testing; however, I've never once met a security-only test expert. Maybe they are out there, but who knows where?

It's frightening for sure.

Daniel Lo Nigro

  • There are rumors that some of their internal tools use a shared username and password posted in a Slack group. Please never, never do this. Always have separate credentials per user, or even better, use single sign-on for everything. Shared credentials are extremely risky, as you have no idea if ex-employees still have the credentials, and it's way too easy for the credentials to leak.
  • Always use two-factor auth for all your internal tools.
  • Ensure tools have proper access permissions rather than granting every user access to everything.
  • Use an IDS (Intrusion Detection System) to detect anomalies on your network.

Guney Ozsan

What is scarier is that a social media post can be legally binding. It would be very hard to defend against if this had not targeted high-profile people as an organized attack, but instead targeted individual people in disorganized individual attacks.

I can't think of what could happen if this were used to blackmail, or worse, to calumniate people. It is then quite possible to send someone to jail, or shut their voice down.

Renato Byrro • Edited

We learned that the Least Privilege Principle is not followed at Twitter.

Why on earth would ANY Twitter employee need to publish a tweet as someone else? I mean, ever?

Having some employees with authority to delete a tweet? Fine.

But publish a tweet as someone else? Why would they give employees such enormous power in the first place?

This is only going to foster people's suspicions of ideological/politically motivated shadow behavior by Twitter employees. And now I'm thinking, they might be right about it.

Jan Küster 🔥 • Edited

Correct me if I'm wrong, but from what I read in their tweets there were no passwords captured. Might this rather be a problem with role-based access control? It would not be the first time that systems allowed a third party to act on behalf of someone with elevated privileges.

Also, shouldn't only the owner be capable of changing posts? If there is a role, besides the owner, that can change posts, there would be the possibility to plant false evidence, and that would be a juridical disaster.

Tony Colston

What is really amazing to me is that there is still some number of stupid people in the world who would fall for this.

You would think if you could figure out how to purchase bitcoin that would qualify you into a slightly less stupid group.

It does not.

Guney Ozsan

I think the target group is well picked. Bitcoin investors are already among the highest risk takers. Especially after the HODL hype a few years ago, a good number of people looking for an easy way to get rich should have gathered together in Bitcoin network. Not much different from scams like fake cloud farms or pyramid schemes.

Ari Kalfus • Edited

As of this point (1.5 to 2 days after the incident), Twitter has stated it does not yet know exactly how attackers accessed its internal customer support admin tool. That makes sense, as these things take time to verify. They are being remarkably candid about their ongoing investigation in the Twitter Support thread that Ben has linked to in this post. I hope this sets a standard of communication for other companies, although I am not hopeful.

Joseph Cox at Vice published an article during the incident with sources inside the hacking group claiming they paid an internal customer support admin for either their credentials to the admin interface or paid them directly to modify account settings via the interface.

There was another recent article from a different journalist revealing information about one of the hackers that seems to verify this reporting that I'm not going to link to. As an aside, Joseph Cox is an excellent reporter to follow for information security journalism.

So, we have an internal customer management tool that can change an account's settings, such as change the registered email address and disable 2FA. These seem like typical customer support actions, presumably not available to tier 1 support but can be escalated to someone with the authorization to perform these actions after verifying a user. Hackers paid off one of these authorized customer support admins for access to this tool and used it to change the primary email address of accounts to one under their control. They additionally either disabled 2FA or set the registered phone number to one under their control as well. They then triggered a password reset, received that email to their email address, and proceeded from there to take over the account. They appeared to script this whole process to quickly capture a number of accounts.

Questions I want to leave you with:

How do you protect against someone using an internal tool in the way it was designed? Someone who has access to the tool as part of their regular responsibilities?

You can require 2+ people to sign off on account activities like this. So instead of buying 1 person, you'd need to buy 2, who could then modify settings. I'm sure Twitter's security teams will be implementing interesting new monitoring checks around these internal tools as well, which brings me to my next point.

How well architected is your monitoring and logging in your application? Are you capable of detecting anomalous behavior patterns? Are you only checking for increased error rates? Monitoring and logging are such an important aspect of information security they've made it into the OWASP Top Ten in 2017. It is hard to be effective preventing a lot of insider threat scenarios and still be a functioning organization. A company needs to be able to detect and respond to incidents quickly, which is where logging and monitoring come into play. If you are throwing everything into Splunk but then don't have any automatic alerts actioning on the logs, you're not helping anyone.

Finally, let's cool it with the diatribes against Twitter's security teams. Even in situations like Equifax's breach, it is very rare for the security team to be behind any mistakes. I have yet to encounter a security group that is ambivalent toward protecting their users (Facebook, for example, has one of the best security teams in the world). It is usually the business who prevents the security team from implementing the controls they want due to real or perceived friction for business operations. If you want to be frustrated at Twitter, go ahead. But I will be highly surprised if future articles about this incident reveal that Twitter's security team had any part in this story.

Edit: and this is why I didn't link to the other article.
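The two controls proposed in the comment above, a second person signing off on takeover-enabling account changes and an alert over the audit log rather than a log nobody reads, as an added example in Python. This is not code from the thread, from Twitter, or from any real admin tool; the action names, agent IDs, timestamps and audit-log entries are all constructed for the illustration, and the sliding-window burst check is one simple anomaly rule, not a claim about what Twitter monitors.

```python
# Added example: dual-control approval for sensitive support actions plus a
# burst check over the audit log. All names and data are constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Settings whose change lets the changer trigger a password reset (constructed list).
SENSITIVE_ACTIONS = {"change_email", "change_phone", "disable_2fa"}


@dataclass
class PendingChange:
    action: str
    account: str
    requested_by: str
    approvals: Set[str] = field(default_factory=set)


class SupportConsole:
    """Hypothetical admin tool: sensitive actions need N distinct people to sign off."""

    def __init__(self, required_signoffs: int = 2):
        self.required_signoffs = required_signoffs  # the requester counts as one
        self.pending: Dict[int, PendingChange] = {}
        self.audit_log: List[Tuple[datetime, str, str, str]] = []  # (time, agent, action, account)
        self._next_id = 1

    def request(self, agent: str, action: str, account: str, now: datetime):
        """Routine actions apply at once; sensitive ones return a change id to approve."""
        if action not in SENSITIVE_ACTIONS:
            self._apply(agent, action, account, now)
            return "applied"
        change_id = self._next_id
        self._next_id += 1
        self.pending[change_id] = PendingChange(action, account, agent)
        return change_id

    def approve(self, agent: str, change_id: int, now: datetime) -> str:
        change = self.pending[change_id]
        # The requester cannot sign off on their own change, and nobody counts twice.
        if agent == change.requested_by or agent in change.approvals:
            raise PermissionError(f"{agent} may not approve change {change_id}")
        change.approvals.add(agent)
        if 1 + len(change.approvals) < self.required_signoffs:
            return "pending"
        del self.pending[change_id]
        # Logged against the requester; approvers stay in change.approvals.
        self._apply(change.requested_by, change.action, change.account, now)
        return "applied"

    def _apply(self, agent, action, account, now):
        self.audit_log.append((now, agent, action, account))


def sensitive_bursts(audit_log, window: timedelta, threshold: int) -> Dict[str, int]:
    """Agents whose sensitive changes reach `threshold` inside any `window`.
    Sliding window over each agent's sorted timestamps; returns {agent: max count}."""
    by_agent = defaultdict(list)
    for ts, agent, action, _account in sorted(audit_log, key=lambda e: e[0]):
        if action in SENSITIVE_ACTIONS:
            by_agent[agent].append(ts)
    flagged: Dict[str, int] = {}
    for agent, times in by_agent.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[agent] = max(flagged.get(agent, 0), count)
    return flagged


def build_sample_log():
    """Constructed log: agent_x changes six emails in five minutes, agent_y is normal."""
    t0 = datetime(2020, 7, 15, 20, 0)
    log = [(t0 + timedelta(minutes=i), "agent_x", "change_email", f"@acct{i}")
           for i in range(6)]
    log.append((t0 + timedelta(hours=1), "agent_y", "change_email", "@acct_a"))
    log.append((t0 + timedelta(hours=5), "agent_y", "disable_2fa", "@acct_b"))
    log.append((t0 + timedelta(hours=2), "agent_x", "reset_display_name", "@acct_c"))
    return log


def demo() -> dict:
    """Exercise both controls on constructed data and return the outcomes."""
    console = SupportConsole(required_signoffs=2)
    t = datetime(2020, 7, 15, 21, 0)
    change_id = console.request("agent_a", "change_email", "@example_account", t)
    try:
        console.approve("agent_a", change_id, t)  # self-approval must be refused
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    outcome = console.approve("agent_b", change_id, t + timedelta(minutes=1))
    return {
        "self_approval_blocked": self_approval_blocked,
        "second_signoff": outcome,
        "applied_changes": len(console.audit_log),
        "flagged": sensitive_bursts(build_sample_log(), timedelta(minutes=10), 5),
    }


if __name__ == "__main__":
    print(demo())
```

The quorum check counts the requester as one signature, so `required_signoffs=2` is exactly the "2+ people" rule from the comment; raising it to 3 needs two independent approvers. The burst rule is deliberately crude (six takeover-enabling changes by one agent inside ten minutes) and is meant to be wired to an alert, since the comment's point is that logs without automated alerting help nobody.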

GlitchMasta47

I feel like Twitter should've always audited verified accounts incredibly thoroughly since it seems so easy to just pop in and do whatever you want.

Benjamin Trent

Major lessons:

  1. People are still the weakest security hole in your company.
  2. Only a few, if any, employees should have access to user accounts. Even then, access needs many safeguards.

Observation 2 follows from observation 1.

Nishchal Gautam

Support people will need to be able to recover accounts, but not without the owner's consent, and that consent should be in the form of an answer to a question only the owner might know: not "what was your pet's name" or something, but things like "when was the last time you changed your password?", "which phone do you use?", etc. If support can't answer these then they shouldn't get access, and how will support answer this? Only if they're talking to the real owner.

This is what the banks do.

marcellothearcane

Most of the 'something only you know' can be worked out from content Twitter already has:

  • first school
  • name of childhood friend
  • mother's maiden name
  • first pet
  • sibling's name
  • town you grew up in
  • etc

Nishchal Gautam

"not what was your pet's name or something"

I don't know if you actually read my full reply or not. I said not like that, since that can be public knowledge,

but questions like:

Which phone do you use to make most of the tweets? (The system knows this, and this isn't public knowledge.)
Which 2FA method have you set up? (Same: the user doesn't set this as an answer, but things like: did you use SMS? Which phone number did you use? etc.)
When you got your account verified, which identity did you use? Did you use a passport, or citizenship?
Which email did you use to create this account?
Tell me the phone number you've used on this account for 2FA.

Please tell me which of these questions you can work out, and whether any of these aren't actually relevant for those people.

A pet name can be worked out, and not everyone has a pet, but you can't find Elon's phone number on a random site. And again, I'm saying: ask 5 of these questions, and only when they answer all 5 correctly can the customer support person do anything to the account.

Please read the reply correctly first :) (not being toxic, just thought you didn't read it before jumping into attack mode)
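The verification scheme described in the reply above (five questions whose answers the service already holds, all of which must be right before support may touch the account), as an added example in Python. It is not code from the thread or from Twitter; the record fields, the handle, the phone number and the answers are constructed, and the lockout threshold and normalisation rules are choices made for the illustration.

```python
# Added example: owner verification against system-held account facts.
# Record fields, handle, phone number and answers are all constructed.
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# Every question maps to a fact the service holds, not an answer the user chose.
QUESTIONS = ("signup_email", "two_factor_method", "two_factor_phone",
             "primary_client", "verification_document")
MAX_FAILURES = 3  # refuse further attempts on an account after this many misses


@dataclass(frozen=True)
class AccountRecord:
    handle: str
    signup_email: str
    two_factor_method: str
    two_factor_phone: str
    primary_client: str
    verification_document: str


def normalize(value: str) -> bytes:
    """Lower-case and drop spaces, dashes, dots and parentheses so an honest
    owner is not rejected over formatting; bytes for constant-time comparison."""
    return re.sub(r"[\s\-().]", "", value.strip().lower()).encode("utf-8")


class OwnerVerifier:
    def __init__(self, records: Iterable[AccountRecord]):
        self.records = {r.handle: r for r in records}
        self.failures: Dict[str, int] = {}

    def verify(self, handle: str, answers: Dict[str, str]) -> str:
        """'verified' only if every question matches; 'denied' does not say
        which answer was wrong; 'locked' once MAX_FAILURES misses are reached."""
        if self.failures.get(handle, 0) >= MAX_FAILURES:
            return "locked"
        record = self.records[handle]
        # Evaluate all questions with constant-time comparisons (no short-circuit),
        # so the caller learns nothing about how many answers were right.
        matches = [
            hmac.compare_digest(normalize(getattr(record, q)),
                                normalize(answers.get(q, "")))
            for q in QUESTIONS
        ]
        if all(matches):
            self.failures.pop(handle, None)
            return "verified"
        self.failures[handle] = self.failures.get(handle, 0) + 1
        return "denied"


SAMPLE_RECORD = AccountRecord(  # constructed, not a real account
    handle="@example_user",
    signup_email="owner@example.com",
    two_factor_method="sms",
    two_factor_phone="+1 555 010 0199",
    primary_client="iphone",
    verification_document="passport",
)

CORRECT_ANSWERS = {  # same facts, typed with different casing and separators
    "signup_email": "Owner@Example.com",
    "two_factor_method": "SMS",
    "two_factor_phone": "+1-555-010-0199",
    "primary_client": "iPhone",
    "verification_document": "Passport",
}


def demo() -> dict:
    """Honest owner, one wrong phone number, then repeated misses until lockout."""
    v = OwnerVerifier([SAMPLE_RECORD])
    guess = dict(CORRECT_ANSWERS, two_factor_phone="+1 555 010 0000")
    results = {"honest": v.verify("@example_user", CORRECT_ANSWERS)}
    results["wrong_phone"] = v.verify("@example_user", guess)
    results["further_misses"] = [v.verify("@example_user", guess) for _ in range(2)]
    results["honest_while_locked"] = v.verify("@example_user", CORRECT_ANSWERS)
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry the security value: the check is all-or-nothing and reports only "denied", so a caller who knows four of five facts cannot tell which one is missing, and the failure counter is per account, so guessing the remaining fact is cut off after three tries regardless of who is calling.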

Gary Bell

There are a few to take away that I can see:

  1. If users can do bad things, users will do bad things.
    It's only a matter of time before someone does something they weren't supposed to, or which goes against the principles of the organisation (see theguardian.com/politics/2020/may/...)

  2. People are often the weakest point in security.
    If this was a social engineering or bribery-for-access attack, then there's only so much you can do from a technical point. If the attackers had someone on the inside, that's not much different from the Cold War double-agent type intelligence officers.

  3. People are greedy
    It doesn't matter if they are complicit in the attack, or victims. If someone was bribed to help with the attack, they are greedy. If someone actually believed that they would double their money because some prominent figure "said they would", they are greedy. It's a very easy attack vector.

  4. Smaller organisations are screwed when it comes to security
    If the big players can't get it right, either through lax measures or not caring, then smaller organisations are always going to struggle with security. They can't afford to pay the salaries the big players can for the top talent