I don't know how the account was compromised - but, I notice that Twitter's hardware U2F support is not designed to be very usable. They only allow one security key per account, whereas most users have multiple - one on the keychain, one left in the laptop, etc. So, I bet that high-risk accounts like Jack's are not even using this enhanced security mode because of its poor user experience.
Compare this to Google where every employee is issued multiple hardware keys, internal systems require security keys, and they put a lot of effort into their "Advanced Protection Program" to make it usable: https://landing.google.com/advancedprotection/
Imagine if you were an intelligence agency and you were permitted to surveil American communications, and there was this pesky congressman who didn't want to support your organization, so you collect lewd photos of him from his phone and post them on his Twitter repeatedly.
You could effectively use the data on Twitter to control the leaders of the US. "Hey, remember that congressman who didn't like us and then accidentally tweeted his own sexts? That was hilarious. Anyway, we'd really like you to increase funds and be more permissive about what our agency can do."
Yeah. On Twitter you can potentially impersonate the President and cause weeks/months of political chaos by calling someone the N-word or something similar.
I use U2F everywhere and can tell you that Twitter's usability with U2F is really poor. Can't remember why I stopped using U2F on Twitter, but it's probably because of the fact that I couldn't use multiple keys.
I'll be interested to see the post-mortem on this breach for sure.
As an outsider, I would have thought that the Twitter security team would have a set of high-value users (with @jack being at the top of the list) whom they'd keep very close tabs on in terms of any unusual activity.
Realistically, Twitter is where announcements are made by world leaders and major corporations; control of these accounts could have repercussions, although in this case it just seems to have been a general hack...
I don't think "keep very close tabs on" can prevent an attack on an account before it happens. All it can do is help clean up the damage quickly. Which is what happened here. The offending tweets were deleted in 10-15 minutes. That's a pretty good response time.
What could prevent an attack is limiting the features available to high-value users. One could imagine, for example, limiting 3rd party API access. Depending on what actually happened here, that might have prevented this. But there is a downside of reduced functionality for the owners of the accounts in question. There's always tradeoffs.
I'd agree that there are always trade-offs; however, you could do a number of things to detect an active attack: changes in user agent, location, etc. can be detected and flagged for review. Now that's not possible at scale, but for high-value users, it would seem like a not outrageous countermeasure.
I believe they do keep close tabs on high-profile accounts. I happened to notice it in my feed when the news hadn't broken out yet (took a couple of screenshots out of surprise too). The team quickly took all of it down as and when they were being posted. It lasted for about 10 minutes or so. The hackers were adding mentions to other accounts, which were immediately suspended by the folks at Twitter too.
Hopefully if that's the case, more attention will be paid to the fact that using mobile phones for 2FA or identification on high value services is a bad idea :)
Self-hosting and security don't necessarily go hand-in-hand. For laypeople, self-hosting is usually worse: they don't know what threats to protect against, and even if they knew what to protect against they wouldn't know how.
The fact that the account was used to spread racist & Nazi propaganda should be a clue; timing it for 1pm on a Friday afternoon suggests a degree of sophistication.
Because people in the same timezone are mostly at lunch and starting to relax for the weekend, so the potential audience is large. I wasn't thinking of anything market-related as another person suggested.
At first I thought the blame would be mostly on the cell providers but it seems Twitter deserves at least half the blame here.
I just tested the flow. If your phone is linked to your account, regardless of your 2FA settings you can just start tweeting to your account by texting to 40404 without being asked to enter a password and completely bypassing any 2FA settings on your account.
That seems highly unusual to me. Most of these attacks happen with the hacker knowing the password as well. In this case, so long as you’ve successfully ported the number you’re “in”.
Even worse than that, removing your phone number will _silently_ disable all other 2FA methods, even if you already had SMS 2FA turned off. The only way to prevent your phone number from being used in account recovery is to disable 2FA altogether, because Twitter does not allow any 2FA without a phone number attached to the account. It's appalling.
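The two failure modes described in the comments above (an SMS-to-shortcode posting path that is authenticated by phone-number possession alone, and a phone unlink that silently drops every other 2FA factor) can be modelled as a small authorization policy. This is an added example, not Twitter's code; the account fields, the hypothetical `sms_posting_opt_in` flag and the phone numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    """Constructed account record; the fields are assumptions for this model."""
    handle: str
    linked_phone: Optional[str]
    sms_2fa: bool = False
    totp_2fa: bool = False
    security_key_2fa: bool = False
    sms_posting_opt_in: bool = False  # hypothetical explicit consent to post via the shortcode

    def has_non_sms_2fa(self) -> bool:
        return self.totp_2fa or self.security_key_2fa


def weak_authorize_sms_post(acct: Account, sender: str) -> bool:
    """The flow the thread describes: a text from the linked number is accepted
    as the owner with no password or 2FA involved, so a ported SIM is enough."""
    return acct.linked_phone is not None and sender == acct.linked_phone


def hardened_authorize_sms_post(acct: Account, sender: str) -> bool:
    """Channel parity: a path that cannot present a password or second factor
    must be opt-in, and is refused when the account relies on a factor the
    SMS channel cannot satisfy. Number possession alone never suffices."""
    if not acct.sms_posting_opt_in or acct.has_non_sms_2fa():
        return False
    return acct.linked_phone is not None and sender == acct.linked_phone


def weak_unlink_phone(acct: Account) -> None:
    """Removing the number silently drops every 2FA method, as described."""
    acct.linked_phone = None
    acct.sms_2fa = acct.totp_2fa = acct.security_key_2fa = False


def hardened_unlink_phone(acct: Account) -> None:
    """Only settings that actually depend on the number change; an independent
    factor survives, and the unlink is refused if it would leave a 2FA-enabled
    account with no factor at all."""
    if acct.sms_2fa and not acct.has_non_sms_2fa():
        raise ValueError("enroll a non-SMS factor before unlinking the phone")
    acct.linked_phone = None
    acct.sms_2fa = False
    acct.sms_posting_opt_in = False
```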
And a reply to that tweet mentions that it was used to hack other accounts before:
"I know this is an old Tweet. But are you helping out with Shrouds jacked account? Looks like whoever took over the account is using Cloudhopper to post these hateful messages on Shrouds Timeline."
Seems like a waste of a hack, posting some messages that are quickly deleted and forgotten with no long-term gain. I would have done the eth/btc giveaway scam thing and at least made good $ off it. It's like being smart in some regard, such as hacking, but dumb in others, such as maximizing the gain from the hack.
Doing so would make it really easy to trace it back to him, if he decides to make a trade big enough. The data of all trades on public markets is, after all, public.
The "hacker" called AT&T and conned the call center rep into swapping Jack's SIM. It's not like they exploited a buffer overflow on Twitter's authentication service or something. They aren't smart.
I guess this is the "in for a penny, in for a pound" school of thought?
(If you're going to be arrested for CFAA violations, might as well throw in some financial crimes too. Make sure you're unemployable for the rest of your life.)
This is currently on every news channel and the content was pure trolling, no politics or agenda besides pushing some Discord channel. So seems like a win to me.
Apropos of nothing, here's an interesting website: https://votesmart.org/candidate/key-votes/23162/anthony-wein...
That control should not be solely in Twitter's hands.
Those leaders and orgs need to take a strong look at authenticity via ActivityPub self-hosted on their own namespaces.
And Twitter is where the audience is.
1pm is sophisticated in which timezone?
https://twitter.com/gruber/status/859857475146854402
https://twitter.com/bhaggs/status/1090016722415845376
https://www.marketwatch.com/story/to-catch-a-thief-how-nasda...
So does the president