I am having trouble finding verified facts, so I think transparency is the biggest issue here. As of right now, I don't trust a darn thing Twitter says because they want to defend their image more than they want to take responsibility for their data. If staff can take over accounts and manually override content, I am very concerned. I can think of no valid reason for that, and it sounds like it was done with no oversight or auditing either. Might be deleting mine tonight.
Accountability would be nice too. Don't play the victim when you're a multi-billion dollar company. Your security sucked and you need to do something about it.
I agree with you. If my account is secured with a password that (presumably) is stored and encrypted in a manner where only I know the password, and I have 2FA to further protect my account, but even one person could possibly perform actions with my account without possessing these, is it really secure? No, it is not.
The fact that this was even possible shows that in no way did Twitter take securing their application seriously.
Where is it stated that they can directly gain access to an account? I haven't seen the news recently, but I think that deleting a post is something that can be done by the moderators.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.
Additionally,
We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.
Based on this, they either have internal tools that allow their employees direct access to individual accounts without the need to authenticate with the account credentials or lax security protocols in place that allow an employee to hijack an account credential reset without the owner having any knowledge (which is just as bad, if not worse).
Thanks, I haven't read that yet. This is really concerning; I don't know why an employee has permission to take control of a user account. It's good that it is a social media site, but if this were an enterprise website...
Agreed. I think that's the ultimate lesson learned from this attack. The weakest link in your security is always the human; do not allow the tools you create to exploit this weakness any more than is necessary.
It'll be interesting to see how this plays out for them over the next few days/weeks.
So the lesson (or one of the lessons) is that their internal tools and their internal employees had way too many and powerful permissions granted to them. Oh and (I saw this mentioned somewhere else) an internal employee doing something security/privacy sensitive should not be allowed to perform that task alone, there should always be someone else looking over their shoulder (4 eyes principle).
Twitter has been exceptionally open about its investigation... That is in day 2. The Twitter Support thread that Ben links to has a lot of detail for the very beginning of an investigation. We know pretty much what Twitter knows at this point.
If you are surprised that Twitter's customer service team can modify account settings, I would go to your company's support team and ask what abilities they have to help their customers.
Indeed. Impersonating a user is a common troubleshooting tool used in a lot of web applications. I don't believe this attack (it wasn't a "hack", not even a "crack") was made any worse by the presence of the tools, or their wide-ranging ability.
Usually the mitigations for security risks in such a tool are:
auditing of the actions performed by the support engineer on the user's behalf (that is: logging that the actions were done by the engineer, not the account owner themselves)
2FA for the engineering accounts
background security checks
regular, updated training and refreshers against social engineering attacks
In this case, it appears that the engineer's credentials have been obtained, and that 2FA was ineffectual or not employed. The tool itself may already audit the actions, which might have helped to remove the fake posts quickly, as they would have been recorded as such.
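The controls named in this answer (actions audited under the engineer's identity rather than the account owner's, 2FA on the engineering account) and the four-eyes rule raised earlier in the thread can be modelled in a few dozen lines. The following is an added example, not code from the thread or from Twitter's tools; the engineer names, the customer handle, the list of sensitive actions and the session model are assumptions for illustration only.

```python
"""Minimal model of a support "impersonation" tool with three controls:
every action is logged with the engineer as actor and the customer as
subject, the engineer's session must be 2FA-verified, and sensitive
actions need a second, different approver (four-eyes principle).
Names, roles and the action list are assumptions, not Twitter's."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Assumed set: actions that change what an account says or who controls it.
SENSITIVE_ACTIONS = {"post_tweet", "change_email", "disable_2fa", "reset_password"}


@dataclass
class Session:
    engineer: str       # identity of the support engineer, never the customer
    mfa_verified: bool  # True only if this session completed a 2FA challenge


@dataclass
class AuditRecord:
    when: str
    actor: str          # who really did it (the engineer)
    subject: str        # which customer account was acted upon
    action: str
    approver: Optional[str]
    outcome: str        # "allowed" or "denied: <reason>"


@dataclass
class SupportTool:
    audit_log: List[AuditRecord] = field(default_factory=list)

    def _record(self, session, subject, action, approver, outcome):
        """Every attempt, allowed or denied, leaves an audit record."""
        self.audit_log.append(AuditRecord(
            when=datetime.now(timezone.utc).isoformat(),
            actor=session.engineer, subject=subject, action=action,
            approver=approver, outcome=outcome))
        return outcome

    def act_on_behalf(self, session, subject, action, approver=None):
        """Perform `action` on `subject`'s account as the engineer in `session`."""
        if not session.mfa_verified:
            # Phished username/password alone must not be enough to reach the tool.
            return self._record(session, subject, action, approver,
                                "denied: session lacks 2FA")
        if action in SENSITIVE_ACTIONS:
            if approver is None:
                return self._record(session, subject, action, approver,
                                    "denied: second approver required")
            if approver == session.engineer:
                return self._record(session, subject, action, approver,
                                    "denied: approver must differ from actor")
        # A real tool would apply the change to the account here.
        return self._record(session, subject, action, approver, "allowed")


def demo():
    """Constructed scenario: one engineer, one customer account, five attempts."""
    tool = SupportTool()
    weak = Session("eng_alice", mfa_verified=False)   # credentials only, no 2FA
    strong = Session("eng_alice", mfa_verified=True)
    results = [
        tool.act_on_behalf(weak, "@celebrity", "post_tweet"),
        tool.act_on_behalf(strong, "@celebrity", "post_tweet"),
        tool.act_on_behalf(strong, "@celebrity", "post_tweet", approver="eng_alice"),
        tool.act_on_behalf(strong, "@celebrity", "post_tweet", approver="eng_bob"),
        tool.act_on_behalf(strong, "@celebrity", "view_profile"),
    ]
    return tool, results


def actions_by_engineer(tool, engineer):
    """Investigation helper: what one engineer did, which accounts, and the outcome."""
    return [(r.subject, r.action, r.outcome)
            for r in tool.audit_log if r.actor == engineer]


if __name__ == "__main__":
    tool, results = demo()
    for r in tool.audit_log:
        print(r.when, r.actor, "->", r.subject, r.action, r.approver, r.outcome)
```

The point of the model is the denial paths: a phished password without 2FA never reaches the account, a single engineer cannot post on a customer's behalf alone, and because the audit log keys on the engineer rather than the customer, an incident responder can pull every account one compromised engineer touched with `actions_by_engineer` instead of reconstructing it from the customers' side.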
Twitter said this directly in their posts following up from the ongoing investigation.
twitter.com/TwitterSupport/status/...