Originally published at: https://boingboing.net/2020/07/18/how-the-twitter-hacker-got-in.html
My jaw is literally hanging open. I know that distributing credentials is a thorny problem, but holy christ.
But wait, this means there is a single login for a linchpin system like that? The largest web app I’ve ever worked on had perhaps 100k users and a few dozen admins at various levels. Yet even that had a robust permissions system that prevented even high-level admin users from accessing what they had no business accessing.
How are they auditing access to that system, does it print their machine’s reported NETBIOS Name on a Post-It note in the server room?
Kids, still living with their parents, hacked the accounts of the most powerful people in the world. Twitter’s “security” is a hilarious joke. Imagine if foreign agents got in and tweeted something from Trump’s account that he had just launched nukes at China.
Nice to know the “verified” accounts are even less secure than the regular accounts. It’s not a bug; it’s a feature!
Everybody reveres these tech moguls, but they just got lucky and their services got popular. They aren’t that good at security, public policy, or much else.
Yep, it seems the biggest issue is the issue of persistence. I admit to sharing a sensitive password on Telegram, but also going back to delete the password once the other party got it. After all, I am just the front end developer, not the dev ops guy, so I try not to hold on to these things.
The other issue is that of cascading rights. It could be that the Slack channel password gave the hacker access to a Confluence page where another password was saved, and this gave access to the really sensitive passwords via SSH. The full autopsy is going to be interesting.
My personal bet is on use of their in-house tool, syslogt; which is like syslogd but knows to divide the log into 280 character chunks. Their security people just need to monitor #privilegedaccesscontrolevents and there’s your SIEM!
eta: He’s pissed off people with money. He’d better worry if they hire a professional to give him a wedgie.
That got an actual LOL in meatspace.
In those cases I’ve split the credentials across different communication channels. Which leads to people thinking you’re a paranoid loon, but whatever.
My gods, I really hope so!
then there’s this:
Yes, but that Post-It note printer is underneath an old keyboard.
Mistakes were made. Who among us has never posted an admin password into slack? Anyone? Anyone? Bueller?
Twitter - not quite as bad as Facebook.
not much to brag about
Not I.
Because my last company did not use Slack, and had the same admin password for 80% of servers. No need to share it.
Don’t you feel silly now from my counterexample!
/s
(I am being silly but it is horrifyingly true about my last company. I had a BA wake me up at 1am once asking for credentials for a QA machine with some data on it. I told him to try “The Password” and he said thank you that worked!)
I know almost nothing about web security, but the number of distinct levels of insane issues here have even me shaking my head. I mean: a publicly listed login, for the entire system, that allows the user to post from people’s accounts… (WTF?! Delete tweets, ok, post administrative notices/warnings to an account, sure, but tweet from the accounts? Insane.)
It’s like no one realized they’re no longer an experimental web app for microblogging SXSW, but a multi-billion dollar company.
Oh, Jesus. Yet another level of insanity.
There’s too much hyperbole over the hacking of Twitter. So what if some powerful people have accounts on it? Twitter is just a place where people vent or rave. Twitter is not like a bank website or a medical history website.
nobody’s going to mention that this Bitcoin-doubling scam originated with EVE Online’s gaming community? Kirk undoubtedly knew it from there (it has since been used on YouTube and another big game, Fortnite I think it was.)
getting money from selling screennames at OGusers was just money trickling in, and his time before getting shut down was presumably limited (although I think it’s safe to say he got a helluva lot longer than he thought due to Twitter’s ineptitude.) the first celebrity account he used in the scam was Elon Musk, who is known to frequently reward his Twitter followers, and whose followers include many Bitcoin users. from there it was just copypasting it to other large followings that he assumed were either Bitcoin users, gullible, or both.
interestingly, I don’t know any of this on my own. I was looking for free tech support that afternoon and the hot topic on the forum I checked was this. the users there had already figured out everything (other than names) in the Times article in real-time, including the OGusers connection and numerous screenshots of the twitter back-end dashboard. they were all incredulous that suckers were getting taken by not only a stupid scam, but one that was (to them) old news.
wanna know what else I learned there that wasn’t mentioned either here or in the Times?
the reason Trump wasn’t targeted is because his account was compromised earlier by a former twitter employee and therefore has extra security. also mentioned was that he wouldn’t make a good target since his followers probably don’t use a lot of Bitcoin not only due to demographics, but Trump apparently has spoken against Bitcoin, so his following should have even lower Bitcoin users than the demographics would ordinarily be.
Yesterday, in the first thread on boingboing, everyone seemed to agree that since Trump wasn’t targeted, it was done on his behalf, probably by Russia.
it was unusual for me, a tech-blind person who can usually rely on this userbase to explain stuff to me, to not only see incorrect assumptions, but also through dumb luck to have the real scoop.
and also where the president of the united states of america announces policy decisions.
you could probably start a war with the right twitter accounts
And the password is written with an Infocom InvisiClues pen.
or make a bunch of money on the stock market: