Remember those scam callers who pretend to be the bank’s manager, without even knowing which bank you’ve got an account in? They ask for your card details for some verification shit. Almost nobody gets tricked into that anymore. I don’t even think they’re effective. . At least that’s what Twitter believes, as of now. But you know what’s surprising though? The technique that was used in these scam calls is one of the many techniques that made the Twitter hack possible The hack has affected 130 accounts and stole $120,000 worth in BTC. Essentially, this hack wasn’t due to a software bug, but rather a human bug. Two days after the attack, the their interaction with two of guys behind the attack. I recommend reading it but here’s a summary: New York Times published The main guy behind the hack, known as Kirk, told the other two that he works at Twitter and demoed his ability to access Twitter’s internal support tool, which is available to only some Twitter employees.But the other two believe he wasn’t a Twitter employee because he was too willing to damage the company. We don’t yet know whether he was a Twitter employee or knew/targeted someone who was. But anyway, he could use Twitter’s internal tool that allowed him to take control of 130 Twitter accounts. And this raises two questions: One, can any other Twitter employee do this too? And two, And two, why did that person give his access to the attacker? Let’s answer the second one first. Why Did The Twitter Employee Give His Access? Remember the fraudulent bank call mentioned in the introduction? suggests the same kind of technique was used to trick the employee into giving away his access. Twitter’s investigation so far No, I don’t mean the hacker posing as CEO Jack Dorsey called an employee and asked for the access. (Twitter employees aren’t that dumb to not ask Dorsey what happened to his access. Pun-intended.) pun-intended. The fraud bank call scam is called phishing, where the crook tries to convince the target into giving away some confidential information by showing urgency. It is one of many Social Engineering Techniques. Social engineering techniques are techniques for psychological tricking of people to make them do certain actions or to give confidential information like passwords or PINs. And that’s probably what the attacker did—tricked an employee into giving away his access to the tool. So essentially, this hack wasn’t due to a software bug, but rather a human bug. Social Engineering is based on these 6 principles of human behaviour: : People tend to return a favour. Reciprocity : People are more likely to do something when they commit to it, orally or in writing. Commitment : People tend to do things others are doing. Proof : People tend to follow the authority on a topic. Authority : People are persuaded by others who they like, in appearance or personality. Liking : Scarcity generates demand. (“Limited Stock!”) Scarcity Based on these principles, they’re several methods of social engineering. We don’t yet know which technique(s) was used but here are some popular ones: : This is what we talked about at the introduction. Crooks email or call people, mostly in bulk, and pretend to be legitimate businesses like banks. They push users to provide sensitive information for “verification” purposes and warn of dire consequences if not provided. Phishing : This means creating a situation which is used as a pretext to make the target do something and reveal the information. It’s an elaborate lie and needs prior research and setup. A crook might pose as an authority figure and push the target to do something and eventually give away confidential information. Pretexting : Here the attacker figures out a website the target regularly visits and finds a way to inject a malicious code there. Thus when the target visits the site and clicks on some link, the code gets downloaded on his device. Water holing : The word literally means favour for a favour. An example case is when attackers call random office workers and pretend to be technical support. Then, if there’s an issue, they help the employee solve it while also installing malware in their device that gets the attacker access to his computer. Quid Pro Quo : It’s like a real-world Trojan horse. Say an attacker exchanges an infected storage drive or any device with one of the employees own pendrives. So the employee’s device gets infected when he uses the drive and the attacker can now access the device. Baiting You can find more . here What can be done to prevent it? What was done to prevent bank call frauds? People were educated. And that’s what Twitter’s doing. They’re rolling out some company-wide training to guard against social engineering tactics. But most importantly, employees shouldn’t have access to millions of people’s data in the first place. This brings us to the second question: Can Twitter Employees See Your Private Data? Yes. That’s what the attackers abused in this hack. They used Twitter’s very own internal support tool to gain access to 130 accounts. And that means . any Twitter employee who has this access can do this too The hackers gave NYTimes a screenshot of the tool too. Here’s it: Credits: NYTimes Looking at this tool, here’s what I guess the hackers did: They started with targeting lesser-known accounts so it doesn’t generate buzz initially. They opened the target’s account on the internal tool and changed the email address to another address, probably a temporary one. They logged into the account and selected forgot password to log in via email verification. Note: There may be more options on the tool. Because the screenshot looks incomplete. During the hack, the hackers: Saw personal details (email, phone numbers… Probably more) of 130 accounts Changed (not saw) password of 45 of them. Saw DMs of 36 accounts. Downloaded the complete Twitter data of 8 accounts though they were all non-verified accounts. And this all wouldn’t have been possible without the Twitter internal tool. Also, all Twitter employees who have this access can do the same. And Twitter anybody’s tweet that contained the image of this tool. It’s almost like denying its existence. brought down But this tool has so much potential that it’s not the first time someone misused this. It has been misused before. Once 2 Twitter employees to access personal data of some activists. Saudi Arabia paid A Twitter employee Trump’s account for a short while. once deactivated And not only Twitter, employees were found to be using their powers to stalk women on the platform. Facebook employees had a tool to spy users Snapchat In their heyday, too had the same issue. MySpace Getting back to Twitter, when Twitter to comment on what it has done to prevent anything like this from happening in the future, Twitter instead of directly replying gave a statement that says: TechCrunch asked “ … Our company limits access to sensitive account information to a limited group of trained and vetted employees. …” That’s personal data of over 300 million users. Nobody should have access to it. Not even Jack Dorsey. (Mark Zuckerberg would disagree here, though.) While all that privacy concerns hover over the micro-blogging platform, here’s one more: Even DMs aren’t end-to-end encrypted I mean c’mon even WhatsApp says it’s end-to-end encrypted. means nobody except the people in the conversation can read the messages, not even Twitter. (If you’re asking what’s end-to-end encryption, .) End-to-end encryption read this Two years back, CEO Jack Dorsey said the company “was working on end-to-end encrypted direct messages.” reportedly And we still don’t see it happening. the two things Twitters Employees have access, they shouldn’t have. Social Engineering Techniques used to trick the employee. Like the bank call scam. Hackers are now looking beyond software vulnerabilities to disrupt systems. Software bugs, at least, can be fixed with some code changes. But human bugs? Not so easily. So, is it right for Twitter or any social network to give access to data of millions of people into a few hands? In a world where data means power, data autocracy wouldn’t do any good. It’s time for us to ask why Twitter isn’t end-to-end encrypted. Why still a bunch of Twitter employee can see personal data of over 300 million users? It’s time for us to ask Twitter “What’s happening?!” Previously published here .

BUNCH

Facebook

Quid

Target

Techcrunch

Twitter

Tracking the Evolution of Emoji Skin Tones

Easiest Guide To Keep Your Zoom Meetings Safe From Zoombombing

Use Your Mac Like A Pro

Read My Stories

Too Long; Didn't Read

Reflecting on What Made the Twitter Hack Possible 

Reflecting on What Made the Twitter Hack Possible

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

15 Quick And Effective Tips To Make Zoom Meetings More Secure

What No One Told Me About Being a Product Manager at an Early Stage Startup

What Are Convolution Neural Networks? [ELI5]

Rules of Thumb for Software Engineering

10,331,579,614 Records Leaked in 2019 And Counting...

10 Ways to Future-Proof Your Business With Cloud

15 Quick And Effective Tips To Make Zoom Meetings More Secure

What No One Told Me About Being a Product Manager at an Early Stage Startup

What Are Convolution Neural Networks? [ELI5]

Rules of Thumb for Software Engineering

10,331,579,614 Records Leaked in 2019 And Counting...

10 Ways to Future-Proof Your Business With Cloud

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps