I don't think it's an exaggeration to say that Twitter should have been completely shut down temporarily in response to this, or at least should disable the ability to tweet until they figure out...
I don't think it's an exaggeration to say that Twitter should have been completely shut down temporarily in response to this, or at least should disable the ability to tweet until they figure out what's going on.
These are some massive account compromises with no obvious common link, and it's honestly really suspicious that someone decided to burn this level of access on a (relatively) obvious cryptocurrency scam. They'll probably make a few hundred thousand dollars from this, but access to prominent Twitter accounts (especially if it included the ability to read messages and other similar data) could have been worth millions or even billions.
If they had compromised Trump's account—which doesn't seem out of the realm of possibility with some of the other ones they did get—they could have caused massive global chaos by tweeting that the US was now at war with China or something similar.
Yeah, "RuneScape" is currently trending on Twitter because of so many people comparing this to the obvious scams people run in that game (and those are aimed at literal children for small amounts...
Yeah, "RuneScape" is currently trending on Twitter because of so many people comparing this to the obvious scams people run in that game (and those are aimed at literal children for small amounts of fake money).
It's really bizarre, I hope we get more info about this story.
Luckily we may be dealing with a gray hat situation here, where someone decided to expose a vulnerability in a way that both made some money and highlighted a serious problem. It also wouldn't...
Luckily we may be dealing with a gray hat situation here, where someone decided to expose a vulnerability in a way that both made some money and highlighted a serious problem.
It also wouldn't surprise me if we hear about this money being donated at some point down the road.
If you're smart enough to pull off a hack like this, you're smart enough to know how to do some serious damage with it. There was a conscious choice here not to.
If this were true though, I would've expected the highlighting of the situation to be the primary message that was broadcast, instead of just a run of the mill bitcoin scam on steroids. Whatever...
If this were true though, I would've expected the highlighting of the situation to be the primary message that was broadcast, instead of just a run of the mill bitcoin scam on steroids. Whatever is happening, it's fascinating to watch, and shows just how vulnerable even large platforms with thousands of engineers looking over processes with a fine-tooth comb can miss things.
I wonder if this happened through sms spoofing. Twitter never shutdown their 40404 number... so if you can spoof someones cell phone number you can tweet from their account. EDIT: Update, they...
I wonder if this happened through sms spoofing. Twitter never shutdown their 40404 number... so if you can spoof someones cell phone number you can tweet from their account.
EDIT: Update, they shutdown their SMS features, interesting. I could be wrong, but I wonder if someone else had the same idea that I did.
It's plausible, but not confirmed, that whoever this is got access to an internal Twitter tool using for managing account state and privileges—a systems-level attack completely bypassing...
It's plausible, but not confirmed, that whoever this is got access to an internal Twitter tool using for managing account state and privileges—a systems-level attack completely bypassing individual accounts and their own security protections like MFA. If so, that's a huge security breach, which alone has its own implications. Did someone at Twitter enable this to occur? Who knows.
Oof, that's a significant breach if that's the case. Why is such a tool accessible to the internet? If such a tool like this is going to exist it should only be accessible on the local network,...
Oof, that's a significant breach if that's the case. Why is such a tool accessible to the internet?
If such a tool like this is going to exist it should only be accessible on the local network, unless that's already the case and someone gained access to Twitters LAN but I find that highly unlikely.
I think it's definitely possible that it was restricted like that and then they relaxed it because of everyone needing to work from home. Probably along with someone saying, "We really shouldn't...
I think it's definitely possible that it was restricted like that and then they relaxed it because of everyone needing to work from home. Probably along with someone saying, "We really shouldn't be doing this, but I guess it's necessary for now. We'll have to improve this soon."
Tools like this are inevitable in any large system - they are epic timesavers, and time is money. It'd take an iron will to avoid ever making these sorts of administrative actions easy. The safe...
Tools like this are inevitable in any large system - they are epic timesavers, and time is money. It'd take an iron will to avoid ever making these sorts of administrative actions easy. The safe bet is to lock it to one and only one machine and put a camera on that sucker.
All it takes is one bad firewall rule, one lazy user not following procedure, one newbie installing a wifi access point wrong, one manager who wants to save time, cut corners, or pull rank, one skilled social engineer, one disgruntled employee, one bad certificate, one overlooked account, one unchanged default setting, or insufficient oversight of security.
Security is the hardest task there is within the information technology sphere. Good security is a gargantuan pain in the ass. It's tedious, it's inconvenient, it's expensive, it's a permanently ongoing problem and a constant resource drain.
It's been my experience that most businesses aren't willing to meet those expenses all the time.
This does raise the questions... How long has this risk existed? Has it been exploited before, without anyone noticing? What steps will be taken to prevent it from ever happening again?
This does raise the questions...
How long has this risk existed?
Has it been exploited before, without anyone noticing?
What steps will be taken to prevent it from ever happening again?
The obvious conclusion seems pretty, ehem, obvious: whoever found the vulnerability was neither smart nor well-versed in fraud or confidence scamming. We'll see if Twitter publishes a postmortem....
The obvious conclusion seems pretty, ehem, obvious: whoever found the vulnerability was neither smart nor well-versed in fraud or confidence scamming.
We'll see if Twitter publishes a postmortem. I suspect management will engage in panicky scapegoating that will make it unlikely, unfortunately. I'm sure we'll find out what happened eventually when whatever law enforcement agencies get involved publish their findings, but that will take a long time.
Speaking entirely hypothetically you'd want someone from another country managing the tweets. At the very least you'd want to use a laptop running tails from a public wireless AP.
Speaking entirely hypothetically you'd want someone from another country managing the tweets. At the very least you'd want to use a laptop running tails from a public wireless AP.
Maybe they want to negotiate a bug bounty with Twitter and this is how they're exposing it? I imagine an exploit this big could be worth tens of millions of dollars if its obscure enough.
Maybe they want to negotiate a bug bounty with Twitter and this is how they're exposing it? I imagine an exploit this big could be worth tens of millions of dollars if its obscure enough.
I think you're right, however as others have pointed out, the damage seems very out of proportion to the severity of the security breach involved. It's like being gifted enough uranium to make a...
I don't know if we should read anything in to this, but it seems to me that even for such a Bitcoin scam, Trump's account would be far more high-profile (and more effective, considering the gullibility of some of his supporters) than Biden's or Obama's.
I think you're right, however as others have pointed out, the damage seems very out of proportion to the severity of the security breach involved. It's like being gifted enough uranium to make a nuke, then instead using it to make some glow-in-the-dark glassware and ship it to famous people. It seems like an attention grab rather than a truly malicious attack.
With that in mind, doing this to Trump would be to invite the irrational anger of Trump. Assuming that the breach has a specific goal in mind, pissing off a bunch of companies and specific famous people will ellicit a certain level of response that can be anticipated to an extent. Pissing off an irrational President with an ego the size of the moon and as fragile as sugar glass is a waaay riskier and unpredictable proposition.
That's an interesting point, it does seem like a relatively bad scheme considering the access they had. That being said, I'm shocked it's made so much already (over $100k USD)—I would've thought...
That's an interesting point, it does seem like a relatively bad scheme considering the access they had. That being said, I'm shocked it's made so much already (over $100k USD)—I would've thought it would make....nothing.
I wish the compromised accounts had linked to different BTC addresses so that we could see which accounts were the most effective at scamming their followers.
If it weren't an across-the-board hack, I'd find it weirdly believable that Elon Musk would choose to give away a bunch of real money in something disguised as the world's most obvious scam.
I wish the compromised accounts had linked to different BTC addresses so that we could see which accounts were the most effective at scamming their followers.
If it weren't an across-the-board hack, I'd find it weirdly believable that Elon Musk would choose to give away a bunch of real money in something disguised as the world's most obvious scam.
It looks like they're doing something, at least: lots of discussion on Twitter about all/most verified accounts (the ones with the blue checkmark) being blocked from tweeting. @stuck_in_the_matrix...
It looks like they're doing something, at least: lots of discussion on Twitter about all/most verified accounts (the ones with the blue checkmark) being blocked from tweeting.
Damn, those are some big names! Looks like the BTC walllet has received about 5.8BTC so far [1] [2] edit: Seems to have accumulated a little more than 12BTC now
Elon Musk ... Bill gates ...
the accounts of Apple, Uber, Amazon CEO Jeff Bezos, Democratic presidential candidate Joe Biden, hip-hop mogul Kanye West, and former New York City mayor and billionaire Mike Bloomberg, among others, have also been compromised and are promoting the scam.
Damn, those are some big names!
Looks like the BTC walllet has received about 5.8BTC so far [1][2]
edit: Seems to have accumulated a little more than 12BTC now
For those that don't follow the usable currency conversion rate, at present it is 12.56503500 BTC making it $115,946.25 USD since 2020-07-15 15:20. Edit: Looks like the final total is $118,430.29 USD.
For those that don't follow the usable currency conversion rate, at present it is 12.56503500 BTC making it $115,946.25 USD since 2020-07-15 15:20.
Edit: Looks like the final total is $118,430.29 USD.
So this is what it took for Twitter to finally block Trump from tweeting? 😆 Honestly though, this is a wild ride. I can't wait to see the post-mortem on how this was executed and what service was...
The company also took the unprecedented measure of preventing verified accounts from tweeting at all starting sometime around 6PM ET
So this is what it took for Twitter to finally block Trump from tweeting? 😆
Honestly though, this is a wild ride. I can't wait to see the post-mortem on how this was executed and what service was used to break Twitter's security model, whether it was SMS, 2FA, someone internal to Twitter, etc.
The_Gibson on Mastodon (an infosec dude I follow who doesn't seem to share misinformation too often) apparently has it on good authority that it was an internal user with access to the control...
The_Gibson on Mastodon (an infosec dude I follow who doesn't seem to share misinformation too often) apparently has it on good authority that it was an internal user with access to the control panel for twitter who didn't have 2FA enabled.
Coindesk article, which seems to include some more/different accounts than The Verge one: Hackers Take Over Apple, Uber, Prominent Crypto Twitter Accounts in Simultaneous Attack
One possible explanation: https://mobile.twitter.com/thezedwards/status/1283545436041572355 There's been some exploits coming out the past few weeks around Microsoft Azure subdomains. A twitter...
There's been some exploits coming out the past few weeks around Microsoft Azure subdomains. A twitter subdomain got an updated SSL cert yesterday that points to Azure...
As noted in this earlier comment here, the attackers most probably gained access to an internal Twitter tool. Sometimes, it is really tempting to create a tool available to “those who know the...
Sometimes, it is really tempting to create a tool available to “those who know the link” with which one could perform admin tasks without the “fuss” of authenticating, using a verified/vetted device, etc. Just as some other corporations suffered leaks of sensitive data as the data were stored in unencrypted files on publicly accessible hostings—it was just necessary to know the link.
I don't think it's an exaggeration to say that Twitter should have been completely shut down temporarily in response to this, or at least should disable the ability to tweet until they figure out what's going on.
These are some massive account compromises with no obvious common link, and it's honestly really suspicious that someone decided to burn this level of access on a (relatively) obvious cryptocurrency scam. They'll probably make a few hundred thousand dollars from this, but access to prominent Twitter accounts (especially if it included the ability to read messages and other similar data) could have been worth millions or even billions.
If they had compromised Trump's account—which doesn't seem out of the realm of possibility with some of the other ones they did get—they could have caused massive global chaos by tweeting that the US was now at war with China or something similar.
Yeah, "RuneScape" is currently trending on Twitter because of so many people comparing this to the obvious scams people run in that game (and those are aimed at literal children for small amounts of fake money).
It's really bizarre, I hope we get more info about this story.
Luckily we may be dealing with a gray hat situation here, where someone decided to expose a vulnerability in a way that both made some money and highlighted a serious problem.
It also wouldn't surprise me if we hear about this money being donated at some point down the road.
If you're smart enough to pull off a hack like this, you're smart enough to know how to do some serious damage with it. There was a conscious choice here not to.
If this were true though, I would've expected the highlighting of the situation to be the primary message that was broadcast, instead of just a run of the mill bitcoin scam on steroids. Whatever is happening, it's fascinating to watch, and shows just how vulnerable even large platforms with thousands of engineers looking over processes with a fine-tooth comb can miss things.
I wonder if this happened through sms spoofing. Twitter never shutdown their 40404 number... so if you can spoof someones cell phone number you can tweet from their account.
EDIT: Update, they shutdown their SMS features, interesting. I could be wrong, but I wonder if someone else had the same idea that I did.
It's plausible, but not confirmed, that whoever this is got access to an internal Twitter tool using for managing account state and privileges—a systems-level attack completely bypassing individual accounts and their own security protections like MFA. If so, that's a huge security breach, which alone has its own implications. Did someone at Twitter enable this to occur? Who knows.
Oof, that's a significant breach if that's the case. Why is such a tool accessible to the internet?
If such a tool like this is going to exist it should only be accessible on the local network, unless that's already the case and someone gained access to Twitters LAN but I find that highly unlikely.
I think it's definitely possible that it was restricted like that and then they relaxed it because of everyone needing to work from home. Probably along with someone saying, "We really shouldn't be doing this, but I guess it's necessary for now. We'll have to improve this soon."
I'd take that bet. It's exactly the kind of /shrug situation that provides the excuse to sidestep good practice.
Tools like this are inevitable in any large system - they are epic timesavers, and time is money. It'd take an iron will to avoid ever making these sorts of administrative actions easy. The safe bet is to lock it to one and only one machine and put a camera on that sucker.
All it takes is one bad firewall rule, one lazy user not following procedure, one newbie installing a wifi access point wrong, one manager who wants to save time, cut corners, or pull rank, one skilled social engineer, one disgruntled employee, one bad certificate, one overlooked account, one unchanged default setting, or insufficient oversight of security.
Security is the hardest task there is within the information technology sphere. Good security is a gargantuan pain in the ass. It's tedious, it's inconvenient, it's expensive, it's a permanently ongoing problem and a constant resource drain.
It's been my experience that most businesses aren't willing to meet those expenses all the time.
This does raise the questions...
The obvious conclusion seems pretty, ehem, obvious: whoever found the vulnerability was neither smart nor well-versed in fraud or confidence scamming.
We'll see if Twitter publishes a postmortem. I suspect management will engage in panicky scapegoating that will make it unlikely, unfortunately. I'm sure we'll find out what happened eventually when whatever law enforcement agencies get involved publish their findings, but that will take a long time.
As soon as I saw this I was like "Shit I used to do this in Runescape a decade ago"
Then you'd have to deal with an SEC investigation. More money, more risk. This is easy and low risk.
Speaking entirely hypothetically you'd want someone from another country managing the tweets. At the very least you'd want to use a laptop running tails from a public wireless AP.
Maybe they want to negotiate a bug bounty with Twitter and this is how they're exposing it? I imagine an exploit this big could be worth tens of millions of dollars if its obscure enough.
I think you're right, however as others have pointed out, the damage seems very out of proportion to the severity of the security breach involved. It's like being gifted enough uranium to make a nuke, then instead using it to make some glow-in-the-dark glassware and ship it to famous people. It seems like an attention grab rather than a truly malicious attack.
With that in mind, doing this to Trump would be to invite the irrational anger of Trump. Assuming that the breach has a specific goal in mind, pissing off a bunch of companies and specific famous people will ellicit a certain level of response that can be anticipated to an extent. Pissing off an irrational President with an ego the size of the moon and as fragile as sugar glass is a waaay riskier and unpredictable proposition.
That's an interesting point, it does seem like a relatively bad scheme considering the access they had. That being said, I'm shocked it's made so much already (over $100k USD)—I would've thought it would make....nothing.
I wish the compromised accounts had linked to different BTC addresses so that we could see which accounts were the most effective at scamming their followers.
If it weren't an across-the-board hack, I'd find it weirdly believable that Elon Musk would choose to give away a bunch of real money in something disguised as the world's most obvious scam.
It looks like they're doing something, at least: lots of discussion on Twitter about all/most verified accounts (the ones with the blue checkmark) being blocked from tweeting.
@stuck_in_the_matrix (who does a lot of work with reddit/Twitter data) just tweeted this graph showing how much the volume of tweets from verified accounts dropped: https://twitter.com/jasonbaumgartne/status/1283533173704531970
Damn, those are some big names!
Looks like the BTC walllet has received about 5.8BTC so far [1] [2]
edit: Seems to have accumulated a little more than 12BTC now
For those that don't follow the usable currency conversion rate, at present it is 12.56503500 BTC making it $115,946.25 USD since 2020-07-15 15:20.
Edit: Looks like the final total is $118,430.29 USD.
That's the scam BTC address right? It's showing up as a link back to this topic.
Sorry, wanted to link to the bitref page for that BTC address.
Fixed the link now!
Also, looks like there has been 12 BTC in there now. Damn!
So this is what it took for Twitter to finally block Trump from tweeting? 😆
Honestly though, this is a wild ride. I can't wait to see the post-mortem on how this was executed and what service was used to break Twitter's security model, whether it was SMS, 2FA, someone internal to Twitter, etc.
The_Gibson on Mastodon (an infosec dude I follow who doesn't seem to share misinformation too often) apparently has it on good authority that it was an internal user with access to the control panel for twitter who didn't have 2FA enabled.
Link
Coindesk article, which seems to include some more/different accounts than The Verge one: Hackers Take Over Apple, Uber, Prominent Crypto Twitter Accounts in Simultaneous Attack
One possible explanation: https://mobile.twitter.com/thezedwards/status/1283545436041572355
There's been some exploits coming out the past few weeks around Microsoft Azure subdomains. A twitter subdomain got an updated SSL cert yesterday that points to Azure...
As noted in this earlier comment here, the attackers most probably gained access to an internal Twitter tool.
Sometimes, it is really tempting to create a tool available to “those who know the link” with which one could perform admin tasks without the “fuss” of authenticating, using a verified/vetted device, etc. Just as some other corporations suffered leaks of sensitive data as the data were stored in unencrypted files on publicly accessible hostings—it was just necessary to know the link.
Security via obscurity is rarely a good idea.