Security incident that allowed attackers to hijack high-profile accounts suggests social media giant’s controls for spotting insider abuse were not strong enough, security experts say.
Last week’s security breach at Twitter, which resulted in attackers sending out tweets on behalf of several high-profile individuals, has focused attention once again on the challenges organizations face in protecting accounts with privileged access to internal systems and data.
In an update over the weekend, Twitter said its investigations so far showed that someone used social engineering to obtain credentials belonging to a small number of employees and then used those credentials to somehow bypass two-factor protections and access a key internal system.
The attackers used their access to target 130 Twitter accounts, including several belonging to high-profile individuals such as Democratic presidential hopeful Joe Biden, former president Barack Obama, and business leaders including Bill Gates, Jeff Bezos, and Elon Musk.
With 45 of the accounts, the attackers were able to reset the passwords, log into the accounts, and send out tweets — all without alerting the account owners until after the fact. The tweets urged users to send Bitcoin to an address contained in the message within a specific period and get double the amount in return.
With eight of the compromised accounts, the attackers were additionally able to download detailed information about their Twitter profiles using the “Your Twitter Data” tool. The data that the attackers were able to access included usernames, email addresses, phone numbers, login history — including login IP and location information — the browsers and mobile devices associated with the accounts, blocked and muted accounts, and entire tweet history.
“There is a lot of speculation about the identity of these 8 accounts,” Twitter conceded in a tweet July 17. “We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts.”
The social media giant said it is continuing to review all of the actions the attackers might have taken using the compromised accounts and said evidence suggests that attempts may have been made to sell at least some of the usernames.
Melody Kaufmann, cybersecurity specialist at Saviynt, says the hack is indicative of major security failures at Twitter on multiple fronts. First off, it appears that too many individuals within the company had access to verified accounts. There are also questions over whether Twitter had controls to ensure that no single individual could alter trusted accounts without some sort of oversight and approval — a recommended practice for protecting against privileged account abuse.
“By integrating some measure of cross-checking, it ups the challenge in executing such an attack as it now requires multiple accounts or individuals with privileged access to be compromised at the same time,” Kaufmann says.
Privileged Account Abuse
A report by The New York Times, based on conversations with some of the individuals allegedly involved in the attacks, suggests a handful of unconnected individuals — rather than a sophisticated gang or nation-state actor — was behind the incident.
According to the Times, a hacker using the handle “Kirk” somehow gained control of an admin panel at Twitter that allowed him to take over almost any Twitter account. The hacker then apparently worked with at least two other individuals with the handles “lol” and “ever so anxious” to try to sell Twitter accounts to cybercriminals. “Lol,” whom the Times described as in his 20s and living on the West Coast, and “ever so anxious,” a 19-year-old in the South of England, apparently facilitated the sale of some compromised Twitter accounts and the takeover of some lesser-known Twitter accounts, but not the high-profile ones.
A CNN report, based on conversations with former Twitter employees, describes the tool that Kirk likely had access to as an administrative platform known as “agent tools” or “Twitter Services UI,” which allows employees to respond to customer service queries and moderate content. Hundreds of Twitter employees have access to such tools, CNN says.
Lack of Controls
Tony Howlett, CISO at SecureLink, says that based on the hackers’ apparent ability to take over accounts so easily, it’s probable that Twitter was not doing any fraud analytics to catch submissions from odd locations, times, and other factors.
“This technology is commonplace for our credit cards and bank accounts, so why wouldn’t they use it for their VIP accounts, which encompass leaders and rulers of most government entities on the planet?” Howlett asks.
It also wouldn’t have been a bad idea for Twitter to have some kind of keyword filters so if a major company’s CEO or a former president suddenly started tweeting about Bitcoin, it would have known something was up, he says.
“Based on the publicly available information, which is minimal at this point, it looks like this incident is mostly on Twitter,” Howlett says.
According to Kaufmann, the attack also suggests that Twitter needs to improve the tracking of logs for this administrative interface. It should have been able to spot a support person or privileged account taking administrative actions on a greater percentage of verified accounts relative to their peers.
“This simple step alone would have flagged that a user was compromised early on in the attack,” she says.
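The peer-comparison check described above, sketched as an added example that is not from the article or from Twitter's systems. The log fields, agent names, and thresholds are assumptions, and the audit records are constructed sample data.

```python
from collections import defaultdict
from statistics import median

# Constructed admin-panel audit records: (agent, action, target, target_is_verified).
# Field names and values are illustrative, not Twitter's log format.
def build_log():
    log = []
    for agent, total, verified in [("agent_a", 40, 1), ("agent_b", 35, 2),
                                   ("agent_c", 50, 1), ("agent_d", 45, 0),
                                   ("agent_e", 30, 18)]:
        for i in range(total):
            log.append((agent, "email_reset", f"{agent}_acct_{i}", i < verified))
    return log

def verified_ratios(log, min_actions=10):
    """Share of each agent's admin actions that touched verified accounts."""
    totals, verified = defaultdict(int), defaultdict(int)
    for agent, _action, _target, is_verified in log:
        totals[agent] += 1
        verified[agent] += int(is_verified)
    # Skip agents with too few actions for the ratio to mean anything.
    return {a: verified[a] / n for a, n in totals.items() if n >= min_actions}

def flag_outliers(log, threshold=5.0, floor=0.02):
    """Flag agents whose verified-account ratio is far above the peer median.

    Uses the median and median absolute deviation (MAD) so that the outlier
    itself does not inflate the baseline, as a mean and stddev would.
    """
    ratios = verified_ratios(log)
    med = median(ratios.values())
    mad = median(abs(r - med) for r in ratios.values())
    scale = max(mad, floor)  # floor avoids divide-by-zero when peers are uniform
    flagged = {}
    for agent, r in ratios.items():
        score = (r - med) / scale
        if score > threshold:
            flagged[agent] = round(score, 1)
    return flagged

if __name__ == "__main__":
    for agent, score in flag_outliers(build_log()).items():
        print(f"ALERT {agent}: verified-account ratio {score} deviations above peers")
```

In a real deployment the baseline would be computed per role and per time window, so that a team that legitimately handles verified accounts is compared only with its own peers.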
The Twitter attack has raised considerable concern, including among US lawmakers, because of just how influential the platform has become in recent years.
Politicians, activists, and numerous others from around the world use Twitter widely for everything from making policy announcements and communicating business and trade decisions to expressing opinions and garnering support for various causes. Many have said the attackers could easily have used their access to create substantial havoc by tweeting misleading information on behalf of some of the most influential people on the platform.
“Influence has become a form of currency with which a lot of things can be bought,” Kaufmann says.
In showing how even secure, verified Twitter apps can be hacked, the attackers might have been trying to damage Twitter’s credibility and cast a shadow of doubt on legitimate statements by high-profile individuals, she adds.
“The other possibility is to potentially compromise such accounts in the future and disseminate altered messaging in more subtle ways to leverage their influence to impact state and national issues,” Kaufmann says.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …