Channel: July 2020 – Michael Tsai

Hackers Convinced Twitter Employee to Help Them Hijack Accounts

Joseph Cox (also: Jack Dorsey, Twitter Support, Jason Koebler, SwiftOnSecurity):

A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.

On Wednesday, a spike of high profile accounts including those of Joe Biden, Elon Musk, Bill Gates, Barack Obama, Uber, and Apple tweeted cryptocurrency scams in an apparent hack.

[…]

The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard. One of the screenshots shows the panel and the account of Binance; Binance is one of the accounts that hackers took over today. According to screenshots seen by Motherboard, at least some of the accounts appear to have been compromised by changing the email address associated with them using the tool.

Nick Statt:

One notable exception in the attack was the account of President Donald Trump. The New York Times is now reporting that Trump’s account has special protections in place following past incidents — including when a third-party Twitter contractor used internal company tools to deactivate the president’s account in 2017. Those protections may have spared Trump’s account from being taken over, although it is not clear right now whether the hackers even attempted to assume control of his account.

Quinn Nelson:

On the plus side, Apple just made its first public tweet ever.

John Gruber:

Looks like the heist netted around $118,000. A pittance compared to the disruption it caused.

Brian Krebs (also: Hacker News):

Also, it seems clear that this Twitter hack could have let the attackers view the direct messages of anyone on Twitter, information that is difficult to put a price on but which nevertheless would be of great interest to a variety of parties, from nation states to corporate spies and blackmailers.

Previously:

Update (2020-08-03): Bruce Schneier (also: MacRumors):

Motherboard is reporting that this week’s Twitter hack involved a bribed insider. Twitter has denied it.

Nick Heer:

Earlier this year, two Twitter employees were allegedly bribed by the Saudi Arabian government to track dissidents. If humans are, indeed, the greatest security vulnerability within any company, Twitter needs to do far better. It did not ask to be a broadcast arm for weather services and world leaders, but that’s what it has become — and it is clear that it is unprepared for that reality.

Nathaniel Popper and Kate Conger (via tweet, John Gruber, Hacker News):

But four people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public.

The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.

Twitter (via John Gruber):

The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets.

[…]

For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool.

Bruce Schneier:

This kind of attack is known as a “class break.” Class breaks are endemic to computerized systems, and they’re not something that we as users can defend against with better personal security. It didn’t matter whether individual accounts had a complicated and hard-to-remember password, or two-factor authentication. It didn’t matter whether the accounts were normally accessed via a Mac or a PC. There was literally nothing any user could do to protect against it.

[…]

The security regulations for banks are complex and detailed. If a low-level banking employee were caught messing around with people’s accounts, or if she mistakenly gave her log-in credentials to someone else, the bank would be severely fined. Depending on the details of the incident, senior banking executives could be held personally liable. The threat of these actions helps keep our money safe. Yes, it costs banks money; sometimes it severely cuts into their profits. But the banks have no choice.

The opposite is true for these tech giants. They get to decide what level of security you have on your accounts, and you have no say in the matter.

Thomas Clement:

So, hackers got access to Twitter accounts (including all of the accounts data) via the company’s internal support tools. Could the same happen with iCloud?

It’s a good time to remind you that most of the iCloud data is not end-to-end encrypted, Apple holds the keys.

Jeff Johnson:

I as a lowly external offsite contractor had access to the name, address, and phone number of every member of the Apple developer program. In other words, you.

For no good reason other than this data was not specially protected.

Ron Avitzur:

I contracted at Apple in the early 90s. I am extraordinarily grateful for the extent to which they trusted engineering so that internal security did not impede productivity. It was a simpler time, a more civilized age.

Nick Heer:

Twitter will also show new and unrecognized logins on the Notifications page and send the user an email. I cannot think of a good reason why a similar notification should not be displayed when an engineer accesses private information in a user’s account — with the exception of criminal investigations when Twitter or Facebook would be prohibited from doing so. Ideally, employees should have to get some sort of confirmation from a user before their account is able to be accessed.
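
As an added illustration of the gate Heer is describing (example code written for this page, not Twitter’s or any other company’s tooling; every identifier, clock value and sample account is constructed), the model below puts a consent-and-audit check in front of every privileged action a support tool can take on an account. The default path needs a grant the user approved for exactly that account and that action, time-limited and single-use, and notifies the user when it is issued and when it is used; the exception path, for the investigation case Heer carves out, needs a case reference and two distinct approvers (neither of them the acting agent) and records the access without notifying the user. A grant scoped to one action (say, viewing a profile) does not unlock another (changing the email address), which is the step the Motherboard screenshots show being abused above.

```python
"""
Support-tool access gate: a constructed model, not Twitter's code.
Rules enforced by AccessGate.access():
  - Default path: the agent must present a grant the user issued for
    exactly this account and action; grants are time-limited and
    single-use, and the user is notified when one is issued and used.
  - Exception path (the "criminal investigation" case): a legal-hold
    reference plus two distinct approvers, neither of whom is the
    acting agent; the user is not notified, but the audit log is.
  - Every decision, allowed or denied, is written to an audit log
    together with the reason.
All identifiers, clock values and sample data are constructed.
"""
from dataclasses import dataclass
import secrets
import time


@dataclass
class Grant:
    account: str
    action: str      # e.g. "view_dms", "change_email", "reset_password"
    issued: float    # epoch seconds
    ttl: int         # validity window in seconds


class AccessGate:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock, so grants can be expired in tests
        self.audit = []             # append-only in a real deployment
        self.notifications = []     # (account, message) pairs shown to the user
        self._grants = {}           # token -> Grant

    # --- user side ---------------------------------------------------------
    def issue_grant(self, account, action, ttl=900):
        """User approves ONE action on THEIR account and sees what they approved.
        Returns the token the support agent must present."""
        token = secrets.token_urlsafe(16)       # 128 bits of randomness
        self._grants[token] = Grant(account, action, self.now(), ttl)
        self.notifications.append(
            (account, f"approved '{action}' for support staff; valid {ttl}s"))
        return token

    # --- agent side --------------------------------------------------------
    def access(self, agent, account, action, grant_token=None, legal_hold=None):
        """Return (allowed, reason). Records an audit entry either way."""
        if legal_hold is not None:
            allowed, reason = self._check_legal_hold(agent, legal_hold)
            notify = False                      # user must not be tipped off
        else:
            allowed, reason = self._consume_grant(grant_token, account, action)
            notify = True
        self.audit.append({
            "ts": self.now(), "agent": agent, "account": account,
            "action": action, "allowed": allowed, "reason": reason,
            "legal_hold": legal_hold[0] if legal_hold else None,
        })
        if notify and allowed:
            self.notifications.append(
                (account, f"support staff performed '{action}' on your account"))
        return allowed, reason

    def _consume_grant(self, token, account, action):
        grant = self._grants.get(token)
        if grant is None:
            return False, "no such grant"
        if self.now() > grant.issued + grant.ttl:
            del self._grants[token]
            return False, "grant expired"
        if (grant.account, grant.action) != (account, action):
            # A grant for "view_profile" on @a must not open "change_email"
            # on @a, nor anything on @b: scope is exactly what was approved.
            return False, "grant is for a different account or action"
        del self._grants[token]                 # single use
        return True, "ok"

    @staticmethod
    def _check_legal_hold(agent, legal_hold):
        case_ref, approvers = legal_hold
        approvers = set(approvers)
        if not case_ref:
            return False, "legal hold without case reference"
        if len(approvers) < 2:
            return False, "legal hold needs two distinct approvers"
        if agent in approvers:
            return False, "agent cannot approve their own access"
        return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through of both paths.
    gate = AccessGate()
    tok = gate.issue_grant("@example_user", "change_email", ttl=600)
    print(gate.access("agent-17", "@example_user", "view_dms", grant_token=tok))
    print(gate.access("agent-17", "@example_user", "change_email", grant_token=tok))
    print(gate.access("agent-17", "@example_user", "change_email", grant_token=tok))
    print(gate.access("agent-17", "@other", "view_dms",
                      legal_hold=("CASE-2020-0715", ("reviewer-a", "reviewer-b"))))
    for entry in gate.audit:
        print(entry)
```

The design choice worth noting is that the grant, not the agent’s login, is the unit of authorization: stolen or socially engineered staff credentials still let an attacker reach the tool, but without a user-issued token for the specific account and action the tool refuses, and the attempt is in the audit log with the reason. The legal-hold path is deliberately the only way to act without the user knowing, and it costs a case reference and two other people’s names.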

Twitter:

The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.

John Gruber:

My guess is that they’re saying that the attackers targeted low-level employees via the phone, tricked them into revealing details, and used those details to (here’s where the guessing starts) impersonate them on Twitter’s internal Slack. Then, impersonating them on Slack, they tricked other employees into giving them access to these incredibly sensitive account management tools?

Sean Hollister:

Early on July 31st, the FBI, IRS, US Secret Service, and Florida law enforcement placed 17-year-old Graham Clark of Tampa, Florida, under arrest.

[…]

Specifically, he allegedly convinced a Twitter employee that he worked in the Twitter IT department and tricked that employee into giving him the credentials.

Update (2020-10-20): NY Department of Financial Services (via Hacker News):

This Report reviews the facts surrounding the Twitter Hack, the reasons why it occurred, and what could be done to prevent future incidents. The Report also recommends steps for improved cybersecurity oversight of large social media companies.
