
More than 1k people at Twitter had ability to aid hack of accounts - theBashShell
https://www.reuters.com/article/us-twitter-cyber-access-exclusive/exclusive-more-than-1000-people-at-twitter-had-ability-to-aid-hack-of-accounts-idUSKCN24O34E
======
laughinghan
_accounts with more than 10,000 followers should at least need two people to
change key settings_

For accounts that could start a war this might be necessary, but for
celebrities with >10K followers this sounds expensive and unnecessary to me.

To me, it seems like you could instead ensure the admin view of every account
has a timestamped log of recent settings changes, including changes done by
admins, with a link to the profile of the admin responsible, and a button to
suspend that admin account with one click.

This way, the security team could've seen that Elon Musk's account had just
been reset by J. Random Employee minutes before tweeting the suspicious
bitcoin tweet, messaged J. on Slack to be like "hey did you do that?", and
suspended the compromised admin account within minutes.

Sure, some accounts might be briefly compromised initially, but it would be
resolved in minutes and not the _hours_ that it took Twitter, right? That
seems fine for what _should_ be a relatively low-likelihood, high-expense
attack like compromised admin account (of course, you have to ensure that is
the case).
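A detection over the kind of admin audit log proposed above, written as an added example that is not part of the original thread: it correlates admin-initiated sensitive changes (email change, 2FA disable, password reset) on an account with a post made shortly afterwards and names the admin responsible. The log line format, the event names and the five-minute window are assumptions; the log contents are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not real Twitter data). Assumed format:
#   "<ISO timestamp> <event> account=<name> [admin=<name>]"
ADMIN_LOG = """\
2020-07-15T20:01:10Z email_changed account=high_profile_1 admin=jrandom
2020-07-15T20:01:45Z 2fa_disabled account=high_profile_1 admin=jrandom
2020-07-15T18:30:00Z email_changed account=user_42 admin=support_anna
"""
POST_LOG = """\
2020-07-15T20:06:02Z tweet account=high_profile_1
2020-07-15T21:15:00Z tweet account=user_42
"""

# Admin actions that hand control of an account to whoever holds the new
# credentials; a post right after one of these deserves a human look.
SENSITIVE = {"email_changed", "2fa_disabled", "password_reset"}


def parse(log):
    """Turn the assumed log format into dicts with a parsed timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event": event, **kv})
    return events


def suspicious_posts(admin_log, post_log, window=timedelta(minutes=5)):
    """One finding per post that follows an admin-initiated sensitive change
    on the same account within `window`, listing the admins responsible."""
    changes = [e for e in parse(admin_log) if e["event"] in SENSITIVE]
    findings = []
    for post in parse(post_log):
        recent = [ch for ch in changes
                  if ch["account"] == post["account"]
                  and timedelta(0) <= post["ts"] - ch["ts"] <= window]
        if recent:
            findings.append({
                "account": post["account"],
                "posted_at": post["ts"].isoformat(),
                "admins": sorted({ch["admin"] for ch in recent}),
                "changes": [ch["event"] for ch in recent],
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_posts(ADMIN_LOG, POST_LOG):
        print(f"ALERT {f['account']} posted at {f['posted_at']} after "
              f"{', '.join(f['changes'])} by {', '.join(f['admins'])}")
```

The alert carries the admin identity so the "suspend that admin" step can be a single action taken on the finding itself.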

~~~
jameshart
‘Two people’ misses the entire problem here.

If twitter ‘verified’ means anything, it means a chain of identity has been
established between Twitter and the purported owner of that account. That
chain should be documented somewhere - there must be some record in the
‘verified account management’ system that says something to the effect of
‘after we gave this actual verified human this token, this email from this
address arrived on this date containing that token, establishing that this
person had control over that email address on that date’.

If random twitter admins can change the email address and disable 2fa on
verified twitter accounts, and those accounts can still publish tweets without
them going into a ‘held pending verification that the blue check mark still
applies to the person now in control of that account’ queue, then twitter
verification doesn’t mean much.

Which might be of interest to organizations like the SEC who hold that
communications over a verified twitter account count as official corporate
notices, and various public safety organizations that have let it be known
that messages on their twitter can be relied on as a source of official
information during natural disasters...

Twitter needs to get serious about blue checks.

~~~
kanox
> If twitter ‘verified’ means anything, it means a chain of identity has been
> established between Twitter and the purported owner of that account.

Not really, a blue checkmark is just a status symbol.

~~~
Jaruzel
This is exactly the problem with the blue tick. It's basically meaningless
other than as a badge of honour. It's also restricted to large companies and
'public' figures.

What I'd like to see is, the Blue Tick being restored to be an actual mark of
Verification, and be something that _anyone_ can apply for with the
appropriate identification documentation.

Additionally, there should then be a toggle switch, where only Verified
accounts see tweets and replies from other Verified accounts[1]. This would
effectively create two Twitters; one where every account is identifiable and
accountable for what they tweet, and another that continues with the anarchic
system they have now, where hate speech, racism and intolerance run rife[2].

---

[1] I've heard rumours that this toggle switch already exists on Verified
accounts - can anyone confirm?

[2] Yes, free speech may be trapped here too, unless some sort of middle
ground can be worked out.

~~~
joosters
Sounds just like the 'real names' policy that Google and Facebook have tried
before. That never made any difference to hate speech, racism and intolerance,
so why do you think it will magically make Twitter better?

~~~
chrononaut
I can imagine at minimum this would help with bots. Considering the problems
you state are actual systematic issues we have in our society I would expect
that the verification process should not be perceived as working towards
solving those.

~~~
C1sc0cat
It would also exclude vulnerable people, which is the problem with the real name
idea.

~~~
anonymfus
We can imagine a system where twitter checks that person is a real unique
human but does not use their personal data for anything else.

~~~
suizi
Like when they used mobile phone numbers given for security purposes for
marketing?

------
throwaway220720
For comparison, at Google in 2011, I was one of ~10 or so engineers that had
the ability to view private Gmail or Gplus data (access that was heavily
documented and audited).

That being said, Google did have to go through its own public humiliation [1]
to put a system like that in place.

[https://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-on-chats](https://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-on-chats)

~~~
koheripbal
I almost wonder if government officials should be outright banned from using
any private messaging platform that isn't hosted by the government itself.

There is just too much power in information.

~~~
necovek
I believe to an extent they are: Hillary Clinton's hacked email was not the
govt provided one, and most of the flak she received was for using personal
email for gov stuff at all.

------
akersten
Kind of sensationalist. There are thousands of people who have the ability to
drain your bank account right now. Your average call center employee wields
immense power. The real story here is Twitter's lack of spear-phishing
training for their support staff, not _support employees have access to
support tools_.

~~~
dguido
It's not sensationalist when you realize it directly contradicts Twitter's
prior statements from just last year about it:

> Twitter, in a statement, said it is aware that "bad actors" will try to
> undermine its service and that the company "limits access to sensitive
> account information to a limited group of trained and vetted employees."

[https://www.npr.org/2019/11/06/777098293/2-former-twitter-employees-charged-with-spying-for-saudi-arabia](https://www.npr.org/2019/11/06/777098293/2-former-twitter-employees-charged-with-spying-for-saudi-arabia)

1,000 people, including contractors outside the company, is not a "limited
group of trained and vetted employees." It's news because they misled people
about their security, again.

~~~
ceejayoz
> 1,000 people, including contractors outside the company, is not a "limited
> group of trained and vetted employees."

That's not necessarily true. 20% of the company could fairly reasonably be
deemed "limited", and there being a thousand of them doesn't mean they're not
trained on their tasks.

~~~
dorkwood
Today I learned that Twitter has 4,600 employees. What are they all doing?

~~~
vangelis
They have 35 offices, I assume it adds up.

~~~
dorkwood
Oh, right. That makes sense.

------
dreen
I remember during my time with a large mobile carrier in the UK I was told of a
person in the company who could in theory read any SMS on the network. Mind
you this was literally one person for over 30 million customers. He had a high
security clearance, extensive security training and the powers vested in him
were used mainly to identify scammers and other criminals.

Pretty sure this was a requirement set by law - we need someone to be able to
do this, but let's make sure they know what they're doing. It is very weird we
don't place the same requirements on social networks.

~~~
ummwhat
Social networks were never supposed to be important or serious in the same way
as phone networks. I would argue they still aren't. At the bottom, they are
just time waster websites. You wouldn't demand that level of security of a php
forum would you?

~~~
dreen
At a certain threshold yes I would, if it served millions of people. A small
ISP can get away with terrible security but once they start having millions of
customers someone is going to sound an alarm. A forum, written in any
language, should be no different. I realise there are challenges in making
this happen but they are not unrealistic.

------
jbob2000
I now understand why the bank I work for creates the separation of duties; the
person who builds the system has no access to it, and the person with access
has no idea how it works.

As a developer, it frustrates the shit out of me because I can’t deploy fixes
quickly or easily diagnose issues.

But yep, there are 3 people that have access to the production databases that
hold account info and they aren’t developers, just managers with no clue what
to do once they log in.

I also worked for a company that sold software to lawyers. We had a feature
that would alert the client any time a member of our company accessed their
data. I think we called the feature something like “fire call”, because if you
tripped it without informing the client, you’d get a call informing you that
you’d been fired.

~~~
lowdose
> there are 3 people that have access to the production databases that hold
> account info and they aren’t developers, just managers with no clue what to
> do once they log in.

Just for my curiosity is this your observation or is this a company
assumption?

~~~
jbob2000
Hmm I think it’s just our group, we have a Production support team that holds
the keys, and there’s only 3 of them that can access my app.

For example, if I want to change an environment variable, I can’t just log
into the cloud console or run a cli command. God no. That would be too easy. I
have to write a script for this team to run. This script is entered into an
authorization app where a few parties “sign off”, at which point the prod
support team can log in to the authorization app and click Deploy. This app
then runs my deployment script against our app container to update the env
variable.

Accessing and doing DB work follows a similar process.
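The approval flow described above, modelled as an added example that is not part of the original comment or of any bank's actual system: a change request records its author, requires sign-off from a fixed number of reviewers who are not the author, and can be executed only once, by a member of the production-support role, with every step written to an audit trail. The role names, the approver count and the `run` callback are assumptions.

```python
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when an action would break the separation-of-duties policy."""


# Assumed role model (constructed names): developers author changes, reviewers
# sign off, and only production support can execute an approved change.
ROLES = {
    "dev_alice": "developer",
    "dev_bob": "developer",
    "lead_carol": "reviewer",
    "sec_dan": "reviewer",
    "ops_eve": "prod_support",
}
REQUIRED_APPROVALS = 2


@dataclass
class ChangeRequest:
    author: str
    script: str                                # e.g. "set FEATURE_FLAG=off"
    approvals: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # (action, user) trail
    executed: bool = False

    def approve(self, user):
        if user == self.author:
            raise PolicyViolation("author cannot approve their own change")
        if ROLES.get(user) != "reviewer":
            raise PolicyViolation(f"{user} is not a reviewer")
        self.approvals.add(user)                # a set: re-approving adds nothing
        self.audit.append(("approve", user))

    def ready(self):
        return len(self.approvals) >= REQUIRED_APPROVALS

    def deploy(self, user, run):
        """Call run(script) exactly once, only by a prod-support operator who
        did not author the change, and only after enough distinct sign-offs."""
        if ROLES.get(user) != "prod_support":
            raise PolicyViolation(f"{user} is not in production support")
        if user == self.author:
            raise PolicyViolation("operator cannot deploy their own change")
        if not self.ready():
            raise PolicyViolation(
                f"needs {REQUIRED_APPROVALS} approvals, has {len(self.approvals)}")
        if self.executed:
            raise PolicyViolation("change already executed")
        self.executed = True
        self.audit.append(("deploy", user))
        return run(self.script)


def rejected(action, *args):
    """True if action(*args) is blocked by policy; used by callers and tests."""
    try:
        action(*args)
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    applied = []
    cr = ChangeRequest(author="dev_alice", script="set FEATURE_FLAG=off")
    cr.approve("lead_carol")
    cr.approve("sec_dan")
    cr.deploy("ops_eve", applied.append)
    print(applied, cr.audit)
```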

~~~
ladberg
Reading this makes me happy! Always good to see people taking security
seriously.

~~~
rutthenut
Yep, this is how strict change control needs to work - if it can be
streamlined, all well and good, but not by removing the checks and balances
that can help prevent operational issues (not just fraud issues)

------
sloshnmosh
Ha!

Did you see in that article that the head of cyber security for AT&T added his
two cents in shaming Twitter?

AT&T was just in the news recently where employees were accepting bribes that
allowed criminals to swap SIMs and steal bitcoins from AT&T customers.

Unbelievable.

~~~
tialaramex
I have a lot of sympathy for the telcos on this.

They did not volunteer telephone numbers as universal proof of ID. So their
threat model was proportional to their intended purpose of the identifier. If
bad guys steal your phone number and run up $100 of calls, the phone company
would eat the charges and get the number back. Of course nobody did that
because it wasn't worth it.

Imagine you own a medium-sized residential building, maybe 20 households live
there. You issue them all with front door keys. You use pretty good locks,
from a no-duplicate series that isn't trivially picked by amateurs. You figure
that picking the door or forging a key would be pretty hard so there's no way
it's worth it when someone could just kick it down.

Then, to your astonishment, a local jewellery store announces that anyone who
has one of your front door keys can now store up to $1M of valuables in safes
they've made accessible from the street. "It's totally safe" they assure your
residents, "because how could anybody else get one of these front door keys?
That'd be impossible".

Um. What? Before you know what's happening, one of your residents is trying to
sue you for a million dollars because they proudly used a safe to store their
$1M of Bitcoins for some crazy reason and (duh) somebody just got a duplicate
key easily enough for way less than $1M and stole them.

~~~
bigiain
They not only "did not volunteer" to be a secure identity provider via SMS,
they've been actively warning against it for almost a decade:

[https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194](https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194)

Telcos declare SMS 'unsafe' for bank transactions

By Brett Winterford Nov 9 2012

Communications Alliance chief executive John Stanton, representing the
interests of mobile providers Telstra, Optus and Vodafone, took the
extraordinary step of declaring the technology insecure in the wake of
numerous reports of Australians being defrauded via a phone porting scam first
uncovered in Secure Computing magazine.

"SMS is not designed to be a secure communications channel and should not be
used by banks for electronic funds transfer authentication," Stanton told
iTnews this week.

------
pmiller2
This is why internal tools that can modify account settings and such need to
have audit trails.

~~~
ceejayoz
It probably does, and it probably wouldn't have stopped this.

------
uallo
I created a Twitter account close to a month ago and it was immediately
suspended because it "appears to have exhibited automated behavior that
violates the Twitter Rules". Well it did not really do anything yet, even less
so anything against their rules. The account is still suspended despite
multiple appeals and messages.

At the same time, dozens (hundreds?) of verified accounts get taken over. I
think their fraud detection systems are total crap.

~~~
ecmascript
They do this for all new accounts. It's a way to harvest phone numbers from
unsuspecting victims of this surveillance.

It doesn't matter from what ip, machine or whatever you register. It will
automatically get suspended because I think they've realized it's easier to
force people to enter their phone numbers in "protection" after they just
created an account rather than to just ask for it during signup.

Fewer questions are asked. I wrote a blog post on my now deleted blog, but
the discussion on HN was here:
[https://news.ycombinator.com/item?id=19487304](https://news.ycombinator.com/item?id=19487304)

~~~
suizi
[https://www.theverge.com/2019/10/8/20905383/twitter-phone-numbers-email-addresses-targeted-advertising](https://www.theverge.com/2019/10/8/20905383/twitter-phone-numbers-email-addresses-targeted-advertising)
Twitter caught using phone numbers for marketing purposes.

------
dzonga
Twitter seems to have a cowboy engineering culture. That's why one of their
execs blamed Rails for their failure to combat harassment[0]. And I bet now, if
they still ran Rails, it would've been blamed lol.

[0]: [https://char.gd/recharged/daily/twitter-blames-ruby-on-rails-for-harassment](https://char.gd/recharged/daily/twitter-blames-ruby-on-rails-for-harassment)

~~~
DetroitThrow
"...a rudimentary web-application framework that made it nearly impossible to
find a technical solution to the harassment problem"

To me, this is analogous to the perhaps undeserved "the internet is a series
of tubes" lampooning, but I'm still chuckling how they managed to word that so
poorly.

~~~
spoopyskelly
It sounds like a perfect answer to those claiming "harassment" is a
technology problem.

------
anonunivgrad
Should there be citizenship requirements for access to customer data at that
scale? Background checks? Security clearances?[1] When you have so much
private data and the ability to put words into people’s mouths, aren’t you a
national security asset at that point? Today it’s some bitcoin scammers,
tomorrow it’s Russian or Chinese intelligence. If I was in charge of Russian
or Chinese intelligence, I’d make sure that my citizens working inside these
companies are using that data to my advantage, or are at least positioned to
should an opportunity arise.

There is already tons of evidence of Chinese nationals coming to the US to
work at these companies with the express purpose of stealing trade secrets and
sending them back to China. Why would the Chinese government stop there? How
about your personal emails, your Twitter DMs, etc.?

Citizenship is loyalty. That is what it means legally and what it has meant in
practice. Especially if your family is still in your country of citizenship.

Yes, this would mean the international segmenting of the internet, at least in
terms of which websites you plug your personal data into vs. “just browse”.
This strikes us nerds as awful. But perhaps anything else was just a naive
fantasy. The last decade should have shattered our innocence. What happens
online matters for great power politics, and great power politics matters a
lot for ordinary people.

[1] The current security clearance process is at least partly a jobs program
for people with boring, unadventurous youths. I’m not advocating for that,
just the principle of a security clearance.

~~~
scohesc
You know, I used to think that locking down certain websites to citizens of
the country the website resides in was a bad thing.

Now with the advent of all these apparent "bots", "state actors", etc. etc.
I'm starting to think it might not be a bad idea.

There's a bunch of "what-ifs" however like "what if the government starts
removing content it doesn't like", "should you be able to be banned from the
platform?", etc.

~~~
anonunivgrad
At least within the US, I think sufficiently large platforms should not be
allowed to censor on the basis of viewpoint. But that is exactly the kind of
political question that nation states, not international forces, should be
answering.

~~~
suizi
The biggest problem is we've allowed them to become so big they're capable of
doing that. The rise of censor culture hasn't helped and is heaped on by
advertisers and the media.

------
Laforet
Right, thousands of people with admin access and nobody could help me
reinstating my API access....

~~~
OffensiveTomato
Apparently you gotta have that coveted Verified badge or be an influencer of
some sort

------
KingOfCoders
There is all this talk from those successful companies about security and what
you should do with your keys and they open source hardware secret stores and
brag about it and they fail at the most basic security operations.

------
vlqubed
I wonder if they automatically turned off log in with twitter to other
websites. Seems like the bigger hole is that they can use these credentials
for any people using twitter to log in using oauth.

------
alpb
Worth mentioning only 5,000 people work at Twitter.

~~~
Jaruzel
There are ~330 million active twitter users, which means 330,000 users per
employee with access to admin accounts.

That ratio is massively high compared to a large corporate (e.g., a global
bank). In a typical global bank, let's say there are 100,000 employees, with
about 25-50 IT people with the rights to admin accounts (from first line
support to third line engineers); that's only 2,000-4,000 users per IT admin
person.

Based on that, I'm surprised that it's only 1,000 staff members in Twitter
with admin access, and not the whole company.

~~~
alpb
I am not sure why this bank example keeps coming up. Almost no twitter user
tries to contact support like they contact their teller for their bank. It’s
really bad that 20% of the company had access to user data. No wonder it was
abused in the past.
[https://www.buzzfeednews.com/article/alexkantrowitz/how-saudi-arabia-infiltrated-twitter](https://www.buzzfeednews.com/article/alexkantrowitz/how-saudi-arabia-infiltrated-twitter)

------
austincheney
This should be a wake up call. Thank god the malicious messaging was only
limited to a tiny Bitcoin scam. Imagine if they had pulled this off on the
accounts of national leaders to stir hostilities or violence.

What is the recourse for this kind of failure? I suspect there is none.
Twitter is shielded from lawsuits for its content. If this is provably
negligent behavior and resulted in actual physical harm, are we supposed to
do nothing and simply hope it never happens again?

I cannot fathom what I would do if I were in the position of Timothy
Klausutis:
[https://www.washingtonpost.com/politics/widower-of-late-joe-scarborough-staffer-seeks-removal-of-trump-tweets-that-promote-baseless-conspiracy-theory/2020/05/26/cf06257a-9f45-11ea-b5c9-570a91917d8d_story.html](https://www.washingtonpost.com/politics/widower-of-late-joe-scarborough-staffer-seeks-removal-of-trump-tweets-that-promote-baseless-conspiracy-theory/2020/05/26/cf06257a-9f45-11ea-b5c9-570a91917d8d_story.html)

~~~
suizi
GDPR is "supposed" to hold companies responsible for breaches and bad access
controls. This is a different beast than liability protection for content.

------
wiradikusuma
Anyone watched Westworld? The whole enterprise is destroyed (almost) by 2 low
level employees. It's either a complete blooper in the script or --after I
read this article-- reflective of the real world that I don't know about. Your
take?

------
nextlevelwizard
> implication that a hostile government might be able to cause even greater
> havoc.

it is stuff like this that makes me question the whole article. like yes,
obviously this was no "hostile" government since they were just scamming for
some pocket change. but also how exactly would this hostile government create
havoc with twitter?

~~~
M2Ys4U
There are so many government officials on Twitter, and causing any number of
them to tweet something plausible but untrue could be a _big_ deal - from
moving markets to moving troops.

Just imagine if Donald Trump's account tweeted that Antifa should be shot on
sight. I'm certain people would die because of that.

Or, perhaps _slightly_ less plausibly, that Boris Johnson tweeted that he's
had enough and is abandoning negotiations with the EU. That would cause a
frantic reaction from the markets before any official statement could be put
out.

~~~
nextlevelwizard
If people are taking Tweets as actual government announcements then they have
too many screws loose. Dumb people do dumb shit, what else is new?

------
atum47
Well, I worked at a software house that makes software for industrial
automation. Each user of the software has all their actions logged and
time-stamped. If you edit something, give a big discount, grant permission,
delete something... it all goes into a different DB filled with just the
logs. Why doesn't Twitter have something like this? Am I missing something?

~~~
suizi
If you're banning thousands of people, deleting thousands of tweets and
updating thousands of people as routine (customer support), it might take time
for someone to review what you're doing.

------
flingo
"Only two people can launch a nuke, the president, and the engineer who
installed the system."

------
imvetri
Title corrected : More than 1k people at Twitter had ability to aid hack and
chose not to.

~~~
amf12
> Title corrected : More than 1k people at Twitter had ability to aid hack and
> chose not to.

This is a stupid way of looking at it. Similarly:

- X number of people owned guns but they chose not to go do a mass shooting.

- X number of cops could kill a black person, they chose not to.

While it's a good thing that the majority of people know right from wrong,
morality, etc, we still need to ensure one person can't do significant damage.

The fact that there are 1000s of individuals that could have hacked is not a
good thing.

------
OfficialMuffin
Interesting

------
sunilkumarc
On a different note, online presence is becoming very important and with
remote work culture gaining traction, having a good online presence has become
a must have asset.

I bought a course on building a Twitter audience and have been able to improve
my following significantly over the past 2 months.

Twitter link: [https://twitter.com/sunilc_](https://twitter.com/sunilc_)

If you're looking to increase your social presence too, here's the course that
I found very useful:

[https://gumroad.com/a/238777459/PBkrO](https://gumroad.com/a/238777459/PBkrO)

~~~
accurateappL
Spam motivational quotes and hope people retweet and like?

