Hackers Convinced Twitter Employee to Help Them Hijack Accounts
Joseph Cox (also: Jack Dorsey, Twitter Support, Jason Koebler, SwiftOnSecurity):
A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.
On Wednesday, a spike of high profile accounts including those of Joe Biden, Elon Musk, Bill Gates, Barack Obama, Uber, and Apple tweeted cryptocurrency scams in an apparent hack.
[…]
The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard. One of the screenshots shows the panel and the account of Binance; Binance is one of the accounts that hackers took over today. According to screenshots seen by Motherboard, at least some of the accounts appear to have been compromised by changing the email address associated with them using the tool.
One notable exception in the attack was the account of President Donald Trump. The New York Times is now reporting that Trumps’s account has special protections in place following past incidents — including when a third-party Twitter contractor used internal company tools to deactivate the president’s account in 2017. Those protections may have spared Trump’s account from being taken over, although it is not clear right now whether the hackers even attempted to assume control of his account.
On the plus side, Apple just made its first public tweet ever.
Looks like the heist netted around $118,000. A pittance compared to the disruption it caused.
Brian Krebs (also: Hacker News):
Also, it seems clear that this Twitter hack could have let the attackers view the direct messages of anyone on Twitter, information that is difficult to put a price on but which nevertheless would be of great interest to a variety of parties, from nation states to corporate spies and blackmailers.
Previously:
Update (2020-08-03): Bruce Schneier (also: MacRumors):
Motherboard is reporting that this week’s Twitter hack involved a bribed insider. Twitter has denied it.
Earlier this year, two Twitter employees were allegedly bribed by the Saudi Arabian government to track dissidents. If humans are, indeed, the greatest security vulnerability within any company, Twitter needs to do far better. It did not ask to be a broadcast arm for weather services and world leaders, but that’s what it has become — and it is clear that it is unprepared for that reality.
Nathaniel Popper and Kate Conger (via tweet, John Gruber, Hacker News):
But four people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public.
The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.
Twitter (via John Gruber):
The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets.
[…]
For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool.
This kind of attack is known as a “class break.” Class breaks are endemic to computerized systems, and they’re not something that we as users can defend against with better personal security. It didn’t matter whether individual accounts had a complicated and hard-to-remember password, or two-factor authentication. It didn’t matter whether the accounts were normally accessed via a Mac or a PC. There was literally nothing any user could do to protect against it.
[…]
The security regulations for banks are complex and detailed. If a low-level banking employee were caught messing around with people’s accounts, or if she mistakenly gave her log-in credentials to someone else, the bank would be severely fined. Depending on the details of the incident, senior banking executives could be held personally liable. The threat of these actions helps keep our money safe. Yes, it costs banks money; sometimes it severely cuts into their profits. But the banks have no choice.
The opposite is true for these tech giants. They get to decide what level of security you have on your accounts, and you have no say in the matter.
So, hackers got access to Twitter accounts (including all of the accounts data) via the company’s internal support tools. Could the same happen with iCloud?
It’s a good time to remind you that most of the iCloud data is not end-to-end encrypted, Apple holds the keys.
I as a lowly external offsite contractor had access to the name, address, and phone number of every member of the Apple developer program. In other words, you.
For no good reason other than this data was not specially protected.
I contracted at Apple in the early 90s. I am extraordinarily grateful for the extent to which they trusted engineering so that internal security did not impede productivity. It was a simpler time, a more civilized age.
Twitter will also show new and unrecognized logins on the Notifications page and send the user an email. I cannot think of a good reason why a similar notification should not be displayed when an engineer accesses private information in a user’s account — with the exception of criminal investigations when Twitter or Facebook would be prohibited from doing so. Ideally, employees should have to get some sort of confirmation from a user before their account is able to be accessed.
The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.
My guess is that they’re saying that the attackers targeted low-level employees via the phone, tricked them into revealing details, and used those details to (here’s where the guessing starts) impersonate them on Twitter’s internal Slack. Then, impersonating them on Slack, they tricked other employees into giving them access to these incredibly sensitive account management tools?
Early on July 31st, the FBI, IRS, US Secret Service, and Florida law enforcement placed 17-year-old Graham Clark of Tampa, Florida, under arrest.
[…]
Specifically, he allegedly convinced a Twitter employee that he worked in the Twitter IT department and tricked that employee into giving him the credentials.
Update (2020-10-20): NY Department of Financial Services (via Hacker News):
This Report reviews the facts surrounding the Twitter Hack, the reasons why it occurred, and what could be done to prevent future incidents. The Report also recommends steps for improved cybersecurity oversight of large social media companies.
9 Comments RSS · Twitter
Breach aside, apparently not answered so far:
why does any Twitter employee have an interface to seemingly impersonate other Twitter accounts?
why can that interface read direct messages?
@Sören I can't speak to Twitter specifically, but impersonating users can be extremely useful for both debugging (product side) and assisting customers (support side). Twitter is far from the only company with internal tools that allow for this.
@Nigel While this is a charming hypothetical, the notion that Twitter assists customers or offers any support is simply to much of a falsehood to ignore. Every aspect of this interface is inexcusable.
@Federluigi I’m not trying to excuse the Twitter hack, only to explain why this particular ability exists based on having used it at another company. Twitter obviously has a product dev team, and they do also have customer support, even if it’s not in the form of a phone number or email address that anyone can contact. There is a very real need that a tool like this serves. This isn’t the only solution for that need, but I think it’s important to recognize why it exists in order to come up with a better solution.
For the record, I think it’s incredibly shitty that employees at Twitter or Facebook or wherever have access to my DMs. Or that an employee at my ISP can look through my entire browsing history. Or that hackers could interfere with an election by accessing and abusing a Twitter admin tool.
Employees at consumer tech companies often have broad access to customer data. (Remember Uber’s “god mode” tool that let employees see where any user was going?) These things aren’t the exception, they’re almost a byproduct of cloud based services.
Maybe we should be considering industry-wide regulations around encryption of user data. But most governments seem more interested in weakening encryption. So here we are.
better question, why do people let companies like Twitter manage their online identities?
brrrraaannnddsssssss
I can’t speak to Twitter specifically, but impersonating users can be extremely useful for both debugging (product side) and assisting customers (support side).
Oh, sure. I’ve written such tools before, and can see the potential uses. I want Twitter to make their actual justification, though. I’d expect most Twitter users have no idea an employee (apparently, a reduced number of employees, following the hack) can give themselves access to their account.
And it does sound like usage of the tool doesn’t come with consent, or with an audit trail.
>the notion that Twitter assists customers or offers
>any support is simply to much of a falsehood to ignore
Twitter definitely assists customers and offers support, just not to people like us.
And while impersonation features are useful for providing support and debugging issues, it's still irresponsible for a company like Twitter to have such features. They plainly don't take the protection of their users' personal data seriously.