Reflecting on What Made the Twitter Hack Possible

Remember those scam callers who pretend to be the bank’s manager, without even knowing which bank you’ve got an account in? They ask for your card details for some verification shit.

Almost nobody gets tricked into that anymore. I don’t even think they’re effective. 

But you know what’s surprising though? The technique that was used in these scam calls is one of the many techniques that made the Twitter hack possible. At least that’s what Twitter believes, as of now.

The hack has affected 130 accounts and stole $120,000 worth in BTC.

Essentially, this hack wasn’t due to a software bug, but rather a human bug.

Two days after the attack, the New York Times published their interaction with two of guys behind the attack. I recommend reading it but here’s a summary:

The main guy behind the hack, known as Kirk, told the other two that he works at Twitter and demoed his ability to access Twitter’s internal support tool, which is available to only some Twitter employees.But the other two believe he wasn’t a Twitter employee because he was too willing to damage the company.

We don’t yet know whether he was a Twitter employee or knew/targeted someone who was.

But anyway, he could use Twitter’s internal tool that allowed him to take control of 130 Twitter accounts.

And this raises two questions:

• One, can any other Twitter employee do this too?
• And two, And two, why did that person give his access to the attacker?

Let’s answer the second one first.

Why Did The Twitter Employee Give His Access?

Remember the fraudulent bank call mentioned in the introduction? Twitter’s investigation so far suggests the same kind of technique was used to trick the employee into giving away his access.

No, I don’t mean the hacker posing as CEO Jack Dorsey called an employee and asked for the access.

(Twitter employees aren’t that dumb to not ask Dorsey what happened to his access. Pun-intended.)

pun-intended.

The fraud bank call scam is called phishing, where the crook tries to convince the target into giving away some confidential information by showing urgency. It is one of many Social Engineering Techniques.

Social engineering techniques are techniques for psychological tricking of people to make them do certain actions or to give confidential information like passwords or PINs.

And that’s probably what the attacker did—tricked an employee into giving away his access to the tool.

So essentially, this hack wasn’t due to a software bug, but rather a human bug.

Social Engineering is based on these 6 principles of human behaviour:

• Reciprocity: People tend to return a favour.
• Commitment: People are more likely to do something when they commit to it, orally or in writing.
• Proof: People tend to do things others are doing.
• Authority: People tend to follow the authority on a topic.
• Liking: People are persuaded by others who they like, in appearance or personality.
• Scarcity: Scarcity generates demand. (“Limited Stock!”)

Based on these principles, they’re several methods of social engineering. We don’t yet know which technique(s) was used but here are some popular ones:

• Phishing: This is what we talked about at the introduction. Crooks email or call people, mostly in bulk, and pretend to be legitimate businesses like banks. They push users to provide sensitive information for “verification” purposes and warn of dire consequences if not provided.
• Pretexting: This means creating a situation which is used as a pretext to make the target do something and reveal the information. It’s an elaborate lie and needs prior research and setup. A crook might pose as an authority figure and push the target to do something and eventually give away confidential information.
• Water holing: Here the attacker figures out a website the target regularly visits and finds a way to inject a malicious code there. Thus when the target visits the site and clicks on some link, the code gets downloaded on his device.
• Quid Pro Quo: The word literally means favour for a favour. An example case is when attackers call random office workers and pretend to be technical support. Then, if there’s an issue, they help the employee solve it while also installing malware in their device that gets the attacker access to his computer.
• Baiting: It’s like a real-world Trojan horse. Say an attacker exchanges an infected storage drive or any device with one of the employees own pendrives. So the employee’s device gets infected when he uses the drive and the attacker can now access the device.

You can find more here.

What can be done to prevent it?

What was done to prevent bank call frauds? People were educated.

And that’s what Twitter’s doing. They’re rolling out some company-wide training to guard against social engineering tactics. 

But most importantly, employees shouldn’t have access to millions of people’s data in the first place.

This brings us to the second question:

Can Twitter Employees See Your Private Data?

Yes. That’s what the attackers abused in this hack. They used Twitter’s very own internal support tool to gain access to 130 accounts. And that means any Twitter employee who has this access can do this too.

The hackers gave NYTimes a screenshot of the tool too. Here’s it:

Credits: NYTimes

Looking at this tool, here’s what I guess the hackers did:

1. They started with targeting lesser-known accounts so it doesn’t generate buzz initially.
2. They opened the target’s account on the internal tool and changed the email address to another address, probably a temporary one.
3. They logged into the account and selected forgot password to log in via email verification.

Note: There may be more options on the tool. Because the screenshot looks incomplete.

During the hack, the hackers:

• Saw personal details (email, phone numbers… Probably more) of 130 accounts
• Changed (not saw) password of 45 of them.
• Saw DMs of 36 accounts.
• Downloaded the complete Twitter data of 8 accounts though they were all non-verified accounts.

And this all wouldn’t have been possible without the Twitter internal tool.

Also, all Twitter employees who have this access can do the same.

And Twitter brought down anybody’s tweet that contained the image of this tool. It’s almost like denying its existence.

But this tool has so much potential that it’s not the first time someone misused this.

• It has been misused before.
• Once Saudi Arabia paid 2 Twitter employees to access personal data of some activists.
• A Twitter employee once deactivated Trump’s account for a short while.

And not only Twitter,

• Facebook employees were found to be using their powers to stalk women on the platform.
• Snapchat employees had a tool to spy users
• In their heyday, MySpace too had the same issue.

Getting back to Twitter, when TechCrunch asked Twitter to comment on what it has done to prevent anything like this from happening in the future, Twitter instead of directly replying gave a statement that says:

“ … Our company limits access to sensitive account information to a limited group of trained and vetted employees. …”

That’s personal data of over 300 million users. Nobody should have access to it. Not even Jack Dorsey. (Mark Zuckerberg would disagree here, though.)

While all that privacy concerns hover over the micro-blogging platform, here’s one more:

Even DMs aren’t end-to-end encrypted

I mean c’mon even WhatsApp says it’s end-to-end encrypted. 

End-to-end encryption means nobody except the people in the conversation can read the messages, not even Twitter. (If you’re asking what’s end-to-end encryption, read this.)

Two years back, CEO Jack Dorsey reportedly said the company “was working on end-to-end encrypted direct messages.”

And we still don’t see it happening.

the two things 

• Twitters Employees have access, they shouldn’t have.
• Social Engineering Techniques used to trick the employee. Like the bank call scam.

Hackers are now looking beyond software vulnerabilities to disrupt systems. Software bugs, at least, can be fixed with some code changes. But human bugs? Not so easily. 

So, is it right for Twitter or any social network to give access to data of millions of people into a few hands?

In a world where data means power, data autocracy wouldn’t do any good.

It’s time for us to ask why Twitter isn’t end-to-end encrypted. Why still a bunch of Twitter employee can see personal data of over 300 million users?

It’s time for us to ask Twitter “What’s happening?!”

Previously published here.