on
Twitter's Account Takeover Disaster
For those out of the loop, Twitter has just had a very, very, very bad day.
At time of writing they haven’t given an official post mortem, something that will definitely be needed for them to regain even an ounce of trust from their users; most of which already dislike the platform. Twitter has demonstrated what most people who work in the industry already know: your security is only as strong as your staff, whether that be your developers or, in Twitter’s case, your support team.
(source)
So what actually happened? (The short version)
The summary of the facts as they stand is this:
- A large selection of high profile celebrity accounts advertised a Bitcoin Ponzi scam: “Send me your money and I’ll send twice as much back”
- A selection of people fell for it, netting the scammers who’d broken into the accounts roughly 110k USD.
- Twitter support took a few hours to shut the whole thing down (and was still cleaning up for a while after that)
- Vice managed to get in touch with the “hackers” who revealed that a Twitter employee gave them access
How’d they do it?
The answer is rather underwhelming, most evidence and accounts point to the attackers bribing or social engineering a Twitter employee to hand over their God mode staff account. This theory was later confirmed by Twitter Support (in my opinion this doesn’t directly rule out the potential for a bribe)
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
Yep, that’s it.
From there, they disabled 2-factor authentication, reset emails and passwords, and waltzed in the front door.
The tweet above (direct link) is a bit at ends with Vice’s article, which states the following:
“We used a rep that literally done all the work for us,” one of the sources told Motherboard.
Hackers Convinced Twitter Employee to Help Them Hijack Accounts - Motherboard, Tech By Vice
The difference in stories is to be expected, at this stage there is most likely a PR firm consuming coffee by the litre, planning out how to respond to this while the engineers at Twitter desperately try to fulfill the claims of the aforementioned PR firm.
While the above is speculation there is one thing for sure:
Not much sleep is being had, and a lot of very important decisions are being made very quickly.
It’s the crucial first response of a security incident that sets the tone for the response down the track.
The fallout and some speculation
The fallout for this event is hard to gauge, and it’s going to be hard to see clearly for some time.
Immediately, it stirred a bit in US politics, with a Republican senator contacting Twitter to ask if Donald Trump’s account was affected. The fact that it wasn’t might come as a surprise, given the potential for mayhem. This caused many to point fingers at Russia, which would’ve been potential if there weren’t now additional protections due to a Twitter staff member deleting Trump’s account in November 2017.
But, despite Twitter’s protection on Trump, ex-presidential candidate Mike Bloomberg was also affected, showing that the protections only extended so far (my guess is just Trump and Twitter’s CEO). The lack of protection from impersonation will most likely spur further governmental inquiry into how Twitter handles security, which may culminate in Twitter CEO Jack Dorsey being dragged in front of Congress once more.
But, while politics may be interesting…
The biggest and most interesting part of the fallout will be learning the motivation behind the Bitcoin scam:
Did someone social engineer a Twitter employee to scam money with one of the most basic moves you can pull
Or
Was it a smokescreen for harvesting DMs/Private Info/Whatever?
Within the infosec (ie: computer security nerds) community, there’s a large amount of surprise and questioning of why someone with the golden ticket to Twitter’s systems would leverage it on a Bitcoin scam as they did, which would be a headache to cash out properly.
It's like managing to sneak into Fort Knox and then running off after stuffing your pockets full of quarters
— Pwn All The Things (@pwnallthethings) July 16, 2020
The attack makes even less sense when you consider the difficulty in laundering large amounts of Bitcoin. There are services that can “clean” Bitcoin, but this gets harder and potentially pricier the more you have.
To further illustrate why this is difficult, it’s been leaked that the FBI closely monitors funds moving around the very publicly viewable Bitcoin network (source). If the hackers are US based, they’re looking to be in a world of hurt, especially with no way to easily flee the country in the current pandemic.
Some people so strongly believed that Bitcoin was a poor choice, so they sent the attackers messages in the form of transactions via vanity (i.e. specially crafted) Bitcoin addresses:
1JustReadALL1111111111111114ptkoK 0.00000666 BTC
1TransactionoutputsAsTexta13AtQyk 0.00000667 BTC
1YouTakeRiskWhenUseBitcoin11cGozM 0.00000668 BTC
1forYourTwitterGame111111112XNLpa 0.00000669 BTC
1BitcoinisTraceabLe1111111ZvyqNWW 0.00000670 BTC
1WhyNotMonero777777777777a14A99D8 0.00000671 BTC
Transcription:
“Just read all transaction outputs as text. You take [a] risk when you use Bitcoin for your Twitter game. Bitcoin is traceable. Why not Monero[?]”
Monero is another cryptocurrency, which focuses more on privacy.
A final interesting bit of note is the presence of a “search blacklist” button on the leaked Twitter screenshots within the Vice article. this backs up Vice’s claims that Twitter is “shadowbanning” users on the platform (see this NY Times article). This bit of note was pointed out to me by a coworker, so I have to give them credit in spotting it.
To add further weight to this, not only did Twitter vehemently deny the claim, they did so in front of congress (see also, The Verge’s coverage).
I have to admit, this casts doubt in my mind on the authenticity of the screenshots provided by Vice, which got shredded in the linked articles. The UI for the moderation tools also clash with Twitter’s design philosophy slightly, but that could just be lack of polish on an internal tool.
All in all, I’m left with many burning questions, sadly few of which I anticipate receiving a sound answer to.
A special thanks to the wonderful people over at The Many Hats Club for helping me edit this, especially Arszilla ♥