@jack’s been pwned.
All of Twitter went ablaze Wednesday afternoon as major crypto accounts started tweeting they had partnered with a phony site called “Crypto For Health” on a giveaway of 5,000 BTC.
It was a scam, but one that was able to reach the biggest accounts on Twitter, including that of former President Barack Obama, the most followed account in the world.
Security pros contacted by CoinDesk had a wide array of opinions on the breach, but they all agreed the fault did not lie with each hacked account’s owner. They said the breach was likely from either third-party apps plugged into people’s Twitter accounts or from within the social media giant itself.
“Whatever the root cause will end up being, this amount of total pwnage would say to me that this is something novel and mass exploitable, not something well known and targeted,” Erik Cabetas, managing partner at Include Security, told CoinDesk in an email.
(OTP stands for “one-time password,” a security method commonly used as part of 2FA, or “two-factor authentication.”) The account @6 belongs to Adrian Lamo, a journalist with 163,000 followers, who has since made his account private.
“There are endless OAuth integrations, the APIs that allow third-party services to access the platform, and some of the SMS features,” she wrote. “[Twitter has] done some work to improve authorization and authentication, but if you are a super-user or you have a team posting for you, it’s still extremely difficult to secure the service.”
Parham Eftekhari, of the Cybersecurity Collaborative, a forum for security pros, cautioned that all security professionals could do is speculate. The scale of the attack and Twitter’s frustrated response indicated the problem could be a deep one:
Inside the birdhouse
Many security-adjacent accounts are sharing rumors that the breach is actually from inside Twitter, which would suggest all kinds of data could be compromised.
Richard Ma, founder of smart-contract auditing firm Quantstamp, told CoinDesk his team believed the problem was at Twitter’s San Francisco HQ.
“Based on what we’ve gathered so far, this is an internal Twitter security breach. The hacker was able to breach Twitter and gain access to internal admin functionality,” he told CoinDesk.
“It is a ‘silly’ hack, but it’s also important to look at why people are motivated to hack things. Some hackers like to watch the world burn – that’s just how it is. It could be a campaign to make Twitter look silly or ill-prepared for the role it has in public discourse.”
Eftekhari agreed, noting it’s important to remember we are in a U.S. presidential election year, and that Twitter is a de facto communications institution for the United States, which could be an appealing target to rival nation-states.
After all, he noted, the payout ($106,200 so far) was small.
Irwin said associates in the security community have already noticed the domains being used by the cybercriminals have been active since April. “That suggests this is a known issue or an older vulnerability that was not recently introduced,” she said.
Yonathan Klijnsma, a threat researcher at the cybersecurity company RiskIQ, said that while he can’t be sure, there is speculation a Twitter support member account was hijacked.
“While we do not know if this is the cause, it might explain how they hijacked so many accounts,” Klijnsma told CoinDesk in an email. “Twitter support is able to help users who are locked out of their account by (normally) verifying information and then helping them get back into their account. Gaining access to a support member’s account could lead to the massive and seemingly effortless hijacking we observed today.”
He said the scale of the ongoing scam through these Twitter accounts with massive followings seems to be the whole story.
“But RiskIQ has been able to track much more of the bad guys’ infrastructure used in their scam operations,” said Klijnsma. “We’ve identified around 400 domains so far that are all tied to these scams.”
Rosén emphasized to CoinDesk that he could only speculate, but noted the origin of the tweets has been “Twitter Web App” and that Twitter Support noted people might expect trouble with resets.
This suggested to Rosén that the “service used to send out password resets was breached somehow,” and that “some specific flow when resetting password made it possible to gain access to the web app.”
That, he cautioned, might mean the attacker could do more than tweet, such as accessing direct messages (DMs).
Dan Guido, of Trail of Bits, a security firm widely relied on in crypto, pointed CoinDesk to a thread he wrote on the incident on one of his firm’s secondary accounts. In it, he noted:
“Twitter has never been great at securing their own data. After getting their backend hacked in 2009 (very similar to today!), the FTC barred Twitter from making claims about their security for 20 years.”
Quantstamp’s Ma said this event could cement a key belief of the crypto faithful.
“Overall, I think this reinforces many people’s preference for self-custody of data in the crypto community,” Ma said. “Many Twitter users are not aware of the full control they are providing when using a third-party platform with special privileges over their accounts.”