All a-Twitter about security and data privacy


You might think Twitter is all fun and games. You might even be forgiven for thinking it’s funny that the recent major security breach was “masterminded” by a 17-year-old who was trolling for bitcoin by impersonating celebrities, billionaires, politicians, you know, famous people.

You might think that because the hack largely involved social engineering, access to a support organization’s Slack, and the credentials pinned there for the admin tools that allow user-account reset overrides, this was all much ado about nothing.

Beyond the fact that the Twitter platform is often used by the most powerful man in the world to make official pronouncements of state policy (whether or not that should happen). Beyond the fact that of course people should not use Twitter DMs as a private method of communication, and that only tens of accounts, and only a couple of politicians, were known to have been compromised in this breach. Beyond the fact that these attacks were quickly revealed and the culprits caught by the FBI. Beyond all of that, we are left with several startling implications.

- It’s probably worse than we know: if it’s so easy a kid can do it, why would we think nation states and other Advanced Persistent Threats haven’t long ago breached the same systems more quietly (they have already been discovered once), for persistent surveillance and other less discoverable purposes?

- Lax organizational measures: Why is there a single credential that enables a support team member to reset the access credentials of virtually any user of Twitter? Why is that credential pinned in a Slack channel? Why can a kid social-engineer his way into that Slack channel?

- Lax technical measures: Why are DMs not end-to-end encrypted, so that Twitter staff themselves are unable to read the contents? Why are both (or all) parties to a DM not notified when a user downloads the logs of those DMs?

These are the kinds of unforced errors we are building to protect people against: individual control of their own personal data, and no “god-level” access controls that can reach into any arbitrary user account without the user knowing the access occurred. Imagine a world where implementing such strong individual ownership, privacy and security was as easy as plugging a code snippet into your app and implementing some controls through an API! That’s the world we are building.