The 2020 Twitter Account Takeovers and How They Were Different

The recent Twitter account takeovers that are all over the news right now are yet another entry in the long list of hacks, exploits and security problems that have hit major social media platforms over the years, but this particular attack was different and really piqued my interest. There are a few reasons for that.

First of all, the number of incredibly popular accounts that were hit (on one of the biggest social media platforms in the world) is absolutely mind-boggling. These sorts of takeover attacks have happened plenty of times before, but usually on a far smaller, much more targeted scale (such as the SIM swap attack that hit Twitter CEO Jack Dorsey in 2019). In yesterday’s case, these attackers managed to take over the accounts of some of the biggest companies and some of the richest people in the world on a scale I’ve personally not seen before.

This has been my favourite take on the attack so far

This brings me neatly onto my next point: the actual impact (compared to the potential impact) was far, far lower than it could have been. The ability to access almost any account on Twitter could have been used for some serious subterfuge, either on a longer-term scale (quietly reading and sending direct messages, selling off access to specific accounts to other malicious actors) or by going all out on a disinformation campaign that would be very hard to recover from. Instead, these attackers fired out a Bitcoin scam that was shut down within a few minutes (although most likely racking up a few Bitcoin in that time) and earned them some serious attention from federal authorities. Hey, maybe they only had a small window to perform this attack, maybe they had other limitations that we don’t know about yet, but if anything an attack being this public and so obviously scammy was one of the best outcomes we could have hoped for given the circumstances.

Next was the approach. This attack used one of the most fruitful yet often overlooked techniques: targeting the employees. Instead of aiming to exploit devices or bypass multifactor authentication, it appears that they managed to get access to an admin console that gave them the metaphorical keys to the castle. Whether this occurred using social engineering, bribery or somehow getting access to employee credentials remains to be seen, but the attackers appear to have used normally legitimate business processes to pull this off.

This means that there was no feasible way for the account owners to prevent this attack; they didn’t get exploited because of an old email connected to their account or because they used a weak password, they were taken over because the attackers got access to a system that could bypass it all.

Which makes me question the lack of oversight that appears to have been in place to prevent something like this. Safeguards such as preventing a single user from performing too many high-risk actions in a short time (e.g. changing email, removing multifactor authentication), or adding additional requirements and signoffs before changes can be made to incredibly large/popular accounts, are not only feasible; not having them seems negligent in hindsight. There are many potential safeguards I can think of that either weren’t in place, or were in place and were bypassed or otherwise rendered ineffective.
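The two safeguards named above (a cap on high-risk actions per employee in a short time, and a second sign-off for very large accounts) as an added example; this is not Twitter's tooling or code from the original post, and the class name, thresholds, action names and sample events are all assumptions.

```python
from collections import defaultdict, deque

HIGH_RISK = {"change_email", "remove_mfa"}   # the two actions the post names

class AdminActionGuard:
    """Gate for an internal admin console (all names and limits are hypothetical)."""

    def __init__(self, max_high_risk=3, window_s=3600, protected_followers=1_000_000):
        self.max_high_risk = max_high_risk
        self.window_s = window_s
        self.protected_followers = protected_followers
        self._recent = defaultdict(deque)    # operator -> times of allowed high-risk actions

    def check(self, operator, action, followers, now, approver=None):
        """Return (allowed, reason) for one requested admin action."""
        if action not in HIGH_RISK:
            return True, "low-risk"
        # Safeguard 2: changes to very large accounts need a second, different employee.
        if followers >= self.protected_followers and approver in (None, operator):
            return False, "needs-second-approver"
        # Safeguard 1: cap high-risk actions per operator in a sliding time window.
        recent = self._recent[operator]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()
        if len(recent) >= self.max_high_risk:
            return False, "velocity-limit"   # deny here; also a natural place to alert
        recent.append(now)
        return True, "ok"

def replay(guard, events):
    """Run (operator, action, followers, time, approver) events through the guard."""
    return [guard.check(*e)[1] for e in events]

# Constructed sample events, not real data.
SAMPLE = [
    ("op_a", "view_profile", 50, 0, None),
    ("op_a", "change_email", 5_000_000, 10, None),
    ("op_a", "change_email", 5_000_000, 20, "op_a"),   # self-approval is rejected
    ("op_a", "change_email", 5_000_000, 30, "op_b"),
    ("op_a", "remove_mfa", 200, 40, None),
    ("op_a", "change_email", 300, 50, None),
    ("op_a", "remove_mfa", 400, 60, None),             # fourth high-risk action in an hour
    ("op_a", "remove_mfa", 400, 3700, None),           # window has rolled over
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(AdminActionGuard(), SAMPLE)):
        print(event, "->", verdict)
```

Denied requests do not count against the operator's budget here, so a production version would also log and alert on repeated denials.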

In the end, I’ve followed a lot of breaches and attacks over the years, but this one stands out to me as an excellent case study: on the importance of minimising the powers that any one employee has, on the fact that attacks may originate internally using your own tools and processes maliciously, and on the increasing effectiveness of targeting social media platforms for potentially huge payoffs. Hopefully, after this, companies will take a real look at their processes and ask “could this happen to us?”.

It probably could.
