It could just be a relatively unsophisticated actor who stumbled upon a serious vulnerability and didn't know enough to market it to, e.g., a state actor or whatever.
I remember last year around Christmas/New Year 2018/2019 a similar hack/leak/doxxing took place, targeting 994 (!!) mostly German politicians, celebrities and influencers. Massive amounts of private information (names, addresses, phone numbers, e-mails, DMs, contacts, online profiles, chat logs, private documents and even intimate details) were leaked. The data was published on a wide spread of public pastebins and etherpads. It took ages to take them down. The attacker had set up a labyrinth of links, files and passwords and even structured the data by topics and political parties.
Attack vector: SIM swapping. It was too easy. As soon as he got into one account, he got access to its contacts and more phone numbers.
The attacker (0rbit) was a 20 year old student living at his parents' home. He bragged about his hack to an online friend. This friend knew that 0rbit had been raided by the police years earlier. He betrayed him to the investigators, and with the exact date of the raid they were able to look up the old case and reveal his identity.
I was helping out a friend to make a presentation/training on IT Sec, and while I was searching for some fancy SIM swap rig photos, I saw this image [1] that led me to this article [2]: "Detectives smash illegal SIM swap command centre in Ruiru"
and from the article: "Officers found 30,000 SIM cards, 240 iPhones, 150 MI phones, 2 laptops, 2 and other electrical appliances. The gadgets were plugged into a system."
It doesn't add up to 900, only to 390... but still... if these guys would focus their ingenuity on something positive, they could have accomplished so much more in life.
There were no SIM swaps, at least not by the student. Later it was revealed that he simply bought the data & published it. Somebody else did the hacking.
That doesn't make much sense. Why would a student, presumably with little money, buy something that seems likely to command a pretty high price, that he has no use for other than to post anonymously on the internet?
I don't know him, so all I can do is guess. All I know is what the news in Germany reported. According to them he just acquired the data he published. The reasoning behind it is unknown to me, if there was any. In the media coverage he didn't really appear that smart. Maybe he did it just to brag about it, or he was hoping to extort the people and wanted to prove that he had the material, or it was political because most of his victims were from the left.
But then why set up a rather simple scam instead of getting the bug bounty from Twitter? That wallet is currently sitting at about 150k USD and these are rather hard to pay out. Why not just go for the 100k USD bug bounty, completely legal and with fame?
If the hacker regularly does black hat stuff (and perhaps used black hat methods to obtain this access), they risk criminal prosecution by going through the official channel.
Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out. Not surprising to me that they'd cash out in this manner - especially if they got access via a token which expires: they wouldn't have much time to plot on how to monetize the access.
I suspect this was a small operation - a national intelligence organization could have caused orders of magnitude more havoc with this sort of access. Smaller groups don't have the infrastructure to capitalize on such chaos.
I found a bug (not security bug) in an apparel companies website allowing unlimited reuse of their £10 of vouchers.
I reported and got a free t-shirt :)
Exactly, it's easier to sell your bug to 'mafia boy 2020' for crypto meme tokens on some shady fraudster network than it is to fit inside the scope of the bounty offer. "This exploit is out of bounds, you receive nothing, thanks for your time."
Great way to alienate the hacking community. That would work only a small number of times before word spread not to bother even trying that company's disclosure program.
It is fairly well known that certain large companies are really stingy.
I'm not into this but once discovered a kind of security related bug (could reveal details about the composition of a password typed into a new Windows 8 password field, admittedly low value as you had to have the user type in the password and leave) and later found a more interesting issue in the way an official powershell module works with Azure Information Security that makes it possible to sneak a file through unencrypted.
On the first I got a nice thank you mail and on the last I struggled so hard to report it that I gave up.
Have you ever tried to participate in a bug bounty program? I've tried a couple and the experience has been consistently disappointing, but maybe there are some better ones.
There is actually a post on Twitter from a bounty hunter who got awarded $7000 dollars or so from Twitter for ATO, and he puts that in relation now to what the adversaries are getting by exploiting things.
The point is that bounty value of critical ATO kind of vulnerabilities tend to be okay-ish, but relatively low compared to what black hats could get.
Personally, I think this was an opportunistic actor, not a persistent one with a strategic goal.
> a national intelligence organization could have caused orders of magnitude more havoc with this sort of access
It doesn't need much fantasy to cause more havoc. It was speculated in another thread, but maybe the hackers held back since the manhunt is going to be far less for a 'harmless' Bitcoin scam rather than, e.g., crashing $TSLA or declaring a war.
Maybe if it was the first time the scam appeared, but this is old hat now. This was possibly thrown together quickly to make the most of an exploit before the API changed. Prior to this there is no reason to assume they were not very careful with access and this was not the main money making part of the job.
> Why not just go for 100k USD bug bounty, completely legal and with fame?
Not everyone believes that the existence of Twitter, in its current state as an amplification medium for the ever increasing polarisation in this world, is actually a force of good.
Helping them out with a security report might be the last thing on their mind.
True, though I’d take amplified polarization any day over what Facebook and YouTube have done for years steering vulnerable people to conspiracy content.
I've had enough repeated bad interactions through Hackerone that I will go full disclosure on any company that offers it as the only disclosure channel.
(If Hackerone wants to fix that: enable easy, on-platform disclosure unconditionally after 30 days. Right now, the platform is just used to pressure people into delaying disclosure or not disclosing at all.)
Maybe Trump was protected, his tweets can certainly move markets. And while it's possible to track investments in smaller stocks, someone buying futures or ETFs on large indices to profit from that would likely be able to stay anonymous. There are way too many trades in S&P500 on a given day to find the one that sticks out.
Are Twitter protecting "even higher" profile accounts? Why do they put more effort into protecting these "even higher" profile accounts? And how do they protect these accounts?
And if that really is the case, and this product feature is outed during this election campaign year, then Twitter deserve a court summons.
I seriously doubt Trump's account would, or should have that much more protection than other high profile, verified accounts.
You're probably getting downvoted because of the tone you used, but I think there's a good point hidden underneath.
Trump's account is probably specially marked for two- or even three-person lock, to prevent "rogue account termination" as has already happened. So the questions quickly turn to odd angles: how many other high-profile, politically (and/or economically) influential accounts are equally protected? What criteria are used to assign the account this level of protection? Should this kind of account lock mechanism be more widely available? If yes, to whom?
I personally suspect that Twitter will eventually have to follow Google's route for high-profile accounts and identity management in general.[0] If people are using Twitter as their personal press office, the company has no choice but to accommodate.
That was the point really. Was trying to post objectively, tbh. Didn't realise it might be seen as snarky, or anything of the like. I really did wonder what it might mean, if Trump's Twitter account was subject to extra protection.
If that's proven to be the case, that in itself is quite a big issue. Biden, as a leading political rival absolutely should have a right to similar protections if they exist.
Indeed, as a democracy, anyone should have access to the same level of protection. Or at the very least, all verified accounts.
That page looks nothing like the kind of security measures you're talking about. It's for people who care about good opsec, who carry around hardware keys, and think 2FA isn't just a good idea, it's a necessity. But what you really need is someone to stop the takeover of high-profile accounts run by people who pick the worst possible passwords: https://www.theverge.com/tldr/2018/10/11/17964848/kanye-west...
Right, good point. I'm relying on my memory here, but when the advanced protection program was first launched, I recall that one of the benefits of it for journalists and high-risk individuals was that changing recovery options (email address, phone number) would have always required a manual review and a confirmation round by someone at Google.
I do think that Google should subject passwords for accounts in the program to HIBP checks. By this point every major browser provides at least some kind of password manager functionality. It'll probably never be the same quality as a stand-alone, fully focused password manager product, but it must be an improvement over forcing people to memorise passwords.
Lots of little transactions, too. Easy to hide in the noise, at least at first, but when you start throwing out tons and tons of small transactions they can start with the pattern recognition.
Occam's razor says this is almost certainly the case. It isn't like the hacker knew that it would generate such little bitcoin being sent their way until after it failed.
Especially if the hacker is not from the US it seems much easier to do the bitcoin hack than try to contact a company thousands of miles away that you know no one at.
It is of note that they're claiming a social engineering attack on an internal employee, not a widespread social engineering attack on each individual account.
Social engineering attacks seem to lose and gain popularity as companies spend more and then less resources against them. I would not claim state actor unless there is more proof.
The measures needed to prevent social engineering go directly against the social oil that improves cooperation between employees and departments. Verification slows down operations, requires additional work on top of what is likely an already stressed work environment, and requires training. The more a company feels safe, and the more time has passed since the last attack, the more people will lower their guard. People also tend to focus on past attacks, so while they might have been suspicious of a request to transfer money (the current most common social engineering attack), someone asking for "restoring access" might simply be seen as an innocent and common internal support request without triggering a request for identification.
I would expect that twitter will change their policy and training in order to address this, and in 10 years it will be removed in order to save time and improve response speed between departments, and churn rate will have replaced anyone with memory and training of this event. Then a new attack occurs, maybe with a slightly different target, and we repeat the cycle.
> Why do employees even have access to tools that allow them to take over accounts?
It’s commonly done for customer service purposes at many companies and is heavily audit trailed and access controlled (if the company is doing it right).
I’ve seen nothing so far to indicate they didn’t have heavy audit logging and access control. They just had an employee who knowingly or unknowingly violated company policy.
If past cases are any indication they're just super proud it works and at some point will want to tell someone to get validation. That's when they'll get caught.
The theory that I think is most probable is that someone got access to the hack, either by purchase or stumbling upon it, they tested it out and had a "holy shit this actually works" moment.
After this they became paranoid of the bug being fixed within hours and tried to monetise it in the quickest, easiest and safest way possible.
Social engineering could be very easy from within the US, e.g. if you're the neighbour of a Twitter rep working from home and can talk them into handing you their phone for a few minutes. From outside the US it's much harder, esp since an accent could make social engineering via phone less effective.
If Twitter uses the same 2FA internally as they do for customers it'd be pretty easy to take over a support account if you know of the location of an employee.
While possible, this scenario requires such a massive disconnect between the attacker's skill, connections, and luck versus their understanding of economic and geopolitical context that I would consider it among the least likely.
I used to have a Sidekick, I could type out texts so fast with that thing. Weren't there a few big celebrities who had their Sidekicks hacked back then?
TWTR is a largeish company. I have no evidence but presume it is overwhelmingly likely that their scale a) makes getting inside the head of every employee impossible and b) fosters the right conditions for a healthy number of little agenda-ized splinter cells with various passionate motivations and whatnot.
Besides public state and company size, Twitter is also new media. And all media is information warfare. (Hmm, that sounds a bit strong, especially considering the toxicity that is the platform itself; I mean the term generically speaking.)
Yes, it was Twitter, and the spies were working on behalf of Saudi Arabia: "Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics" (https://www.washingtonpost.com/national-security/former-twit...)
It was twitter. But that's largely moot -- there are almost certainly spy-espionage types in a lot of large tech companies. Mostly for siphoning off tech secrets, but I'm sure having someone with root access to some $SYSTEM is useful for political purposes too.
If I were a state actor, I would compromise the accounts of personalities that POTUS follows towards the end of Hannity on a day meaningful to my state.
Most of the adults are asleep and there are any number of things you could write to trigger some sort of shitstorm from POTUS.
Are you really asking that? Trump announces most of his policies live on twitter, can easily announce something that would have a huge influence on the stock market. Multiple examples of companies, Elon Musk, etc doing major announcements on twitter.
I bet the reason Trump didn't get hacked was because he is special-cased in the Twitter system to avoid insider vandalism which protected his account from this insider attack.
I believe you are right, a rogue Twitter employee had previously[1] deleted Trump's account. So there must have been some special protection to prevent it from happening again.
Agreed, it could be as simple as someone at Twitter calling someone in the White House every time someone logs into the account. (The White House has a ton of staff, I met some of their IT people at a conference back in the day.)
Get admin access from unlocked phones, make a bitcoin wallet, use admin access to send tweets with double-your-bitcoin tweet. Start thinking up accounts you think would work well for it and start going through them one by one.
I’m guessing DMs were the real loot. The public display with the BTC diversion validates any DMs that were stolen. Otherwise blackmail targets could deny them.
They potentially had access to any account they wanted. You don't know that they weren't snarfing DMs on interesting accounts while having the celeb accounts panhandle for bitcoin after.
You'd be surprised. Some celebrities might engage in salacious activities via DM but even the most boring corporation can have lots of customer information in support chats.
Or they were but it was kept secret. Twitter hasn't published a list, we only know of the BTC tweets. Maybe they actually were after other accounts' DMs and the tweets are just diversion to make it seem like an undirected attack.
Unless we hear from account holders that their credentials weren't stolen, there's no reason to believe that only those were hacked that sent tweets.
Except that is all the evidence we have to go on for this conversation. Verified fake tweets have been sent from prominent democrats, and not from any prominent republicans.
Of course you're right that we don't know is if this is political, or just a distraction from whatever their real goal is / was. But the optics are clear here, and there is no reason to muddy the waters.
They needed to reset credentials so this could've never been a stealth attack. By making it public, any later leak of DMs is much more likely to be accepted as authentic. Without that, most people would've doubted the authenticity of leaked material.
Precisely. And who's to say which leaked DMs are real and which ones are faked? If you're interested in this kind of stuff, I recommend the book Active Measures.
Perhaps it is a form of proof that they actually have access to the accounts and thus the DMs. Just posting claimed DMs that can be deleted and denied has a lower probability of being believed.
Interesting theory, but then why would they include Apple? Among others in the list, they’re almost guaranteed to be of no value and only increase the risk.
What was done was a guaranteed method of getting the method/exploit fixed in record time. If the perpetrator wanted to demonstrate, they would have targeted someone inconsequential that would not have put the problem on twitters radar. They blew their whole wad, likely on purpose, and there is nothing else planned.
Yeah, the idea that this is an initial step in something bigger doesn't make sense.
If they wanted to exfiltrate data, they already did that previously.
They very loudly burned their access, this seems a lot more like someone trying to monetize their access quickly before their access token expires - squeezing out the last few drops before they can no longer get into the system.
I don't know the number of accounts affected, but there seem to be many, and there are multiple unique messages. Richer accounts offered to "double" BTC up to greater amounts than poorer accounts, some messages refer to "fans" and others refer to the bitcoin community.
Someone (or someones) had to configure a message for each victim, they had to write the script to send all the tweets simultaneously, they probably had to test the script, they had to execute it. To me, that says they had enough time to think about what they were doing and weren't racing a very short expiration clock.
If I were at twitter I might try to investigate by looking for accounts that they might have used to test their script. If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts. You could further refine that by checking the messages sent, follower counts, etc. Maybe the hacker will leave behind clues on the script test account.
It was only a couple dozen accounts right? They could have just had a bunch of browser windows up and hit send all at the same time. This is a very low-effort scam, all they really had to do was tweet their wallet address.
No, I was watching the tweet stream for this address. It was sent out on hundreds or thousands of accounts. Dozens of high profile accounts sounds correct.
> If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts
I think this would turn up a lot more results than you bargained for.
I think it could be easy enough to pare down programmatically. You'd have to search by adding things like:
* 5+ accounts tweeting exactly the same message
* Not using the mobile app
* Fewer than 10 followers
* Fewer than 10 following
* Liked fewer than 10 tweets
* Retweeted fewer than 10 tweets
* Accounts created within 24 hours of each other
* Account creation metadata is similar
* Account less than 1 month old
You could probably come up with more criteria to help narrow the scope and play with the numbers. I would bet that you probably come up with hundreds to low thousands of accounts fitting those criteria at most. You could spend an hour scrolling through them looking for something suspicious - and I don't think it would take too long to put this kind of thing together if you had database access.
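One way to turn the criteria in the list above into a triage pass, as an added example that is not code from the thread or Twitter's own tooling. The account and tweet records, the field names and the "mobile client" strings are constructed for illustration; the 1-minute burst window, the count thresholds and the 24-hour creation spread are the ones given above.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2020, 7, 15, 22, 0)  # constructed "time of investigation"
MOBILE_CLIENTS = {"Twitter for iPhone", "Twitter for Android"}  # assumed client labels


@dataclass(frozen=True)
class Account:
    name: str
    created_at: datetime
    followers: int
    following: int
    likes: int
    retweets: int


@dataclass(frozen=True)
class Tweet:
    account: str
    text: str
    sent_at: datetime
    client: str


def throwaway_like(a: Account, now=NOW, max_count=10, max_age=timedelta(days=30)) -> bool:
    """Low follower/following/like/retweet counts and under a month old."""
    return (a.followers < max_count and a.following < max_count
            and a.likes < max_count and a.retweets < max_count
            and now - a.created_at < max_age)


def burst_groups(tweets, window=timedelta(minutes=1)):
    """Group tweets by identical text, then split each group into bursts whose
    members all fall within `window` of the burst's first tweet."""
    by_text = defaultdict(list)
    for t in tweets:
        by_text[t.text].append(t)
    for text, group in by_text.items():
        group.sort(key=lambda t: t.sent_at)
        burst = [group[0]]
        for t in group[1:]:
            if t.sent_at - burst[0].sent_at <= window:
                burst.append(t)
            else:
                yield text, burst
                burst = [t]
        yield text, burst


def find_test_clusters(accounts, tweets, min_accounts=5,
                       creation_spread=timedelta(hours=24)):
    """Return (text, [accounts]) for bursts of 5+ throwaway-looking, non-mobile
    accounts that tweeted the same text within a minute and were created
    within 24 hours of each other."""
    flagged = []
    for text, burst in burst_groups(tweets):
        members = {t.account for t in burst
                   if t.client not in MOBILE_CLIENTS
                   and throwaway_like(accounts[t.account])}
        if len(members) < min_accounts:
            continue
        created = [accounts[n].created_at for n in members]
        if max(created) - min(created) > creation_spread:
            continue
        flagged.append((text, sorted(members)))
    return flagged


# Constructed sample data: six day-old throwaways (t1-t6), six established
# accounts (real1-real6) and three throwaways (p1-p3) that are too few to count.
def _acct(name, age_hours, followers=0, following=0, likes=0, retweets=0):
    return Account(name, NOW - timedelta(hours=age_hours), followers, following, likes, retweets)


SAMPLE_ACCOUNTS = {a.name: a for a in [
    *[_acct(f"t{i}", age_hours=72 + i) for i in range(1, 7)],
    *[_acct(f"real{i}", age_hours=24 * 400, followers=500, following=300,
            likes=2000, retweets=150) for i in range(1, 7)],
    *[_acct(f"p{i}", age_hours=48) for i in range(1, 4)],
]}

T0 = NOW - timedelta(days=3)
SAMPLE_TWEETS = [
    *[Tweet(f"t{i}", "test 123", T0 + timedelta(seconds=8 * i), "Twitter Web App") for i in range(1, 6)],
    Tweet("t6", "test 123", T0 + timedelta(seconds=50), "Twitter for iPhone"),  # mobile: excluded
    *[Tweet(f"real{i}", "happy friday", T0 + timedelta(seconds=5 * i), "Twitter Web App") for i in range(1, 7)],
    *[Tweet(f"p{i}", "ping", T0 + timedelta(seconds=i), "Twitter Web App") for i in range(1, 4)],
    Tweet("t1", "test 123", T0 + timedelta(hours=2), "Twitter Web App"),  # lone repeat, separate burst
]

if __name__ == "__main__":
    for text, names in find_test_clusters(SAMPLE_ACCOUNTS, SAMPLE_TWEETS):
        print(f"candidate test cluster: {text!r} -> {names}")
```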
Or someone bragged about their super awesome access to Twitter on some IRC or Discord channel, posted proofs which unintentionally leaked the session tokens / exploit to others and the whole bunch of kids went crazy due to fear of missing out on the event of the century. Basically like all these seemingly normal people that suddenly turn into looters when all hell breaks loose.
They used multiple wallets. They also posted a bunch of useless/ridiculous comments and memes; not sure why anyone would do that if the attack was carefully planned and automated.
Yep. If they did exfil, it would make sense to do before they tweeted. I expect we'll see solicitations offering to sell a copy of DMs from the affected accounts - even if the hacker didn't exfil, the public doesn't know that and opportunistic scammers may try to pose as the hacker to get BTC.
Interestingly, by tweeting a bitcoin address, the hacker could authenticate themselves to 'potential buyers' by accurately describing future transfers of bitcoin from the tweeted address.
Note: I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and the hack was still ongoing at the time of writing this.
So basically rando's are sending famous people bitcoin because the famous people tweeted "send us $$ and we'll send you double back"?
And somehow the rando's haven't heard of the hack. Is this what's happening? Like are random people seriously sending them bitcoin? Or is it some weird form of money laundering?
Although since that's very weird behavior even if there was no hack, I suppose I'm not too surprised that those people sending the coin haven't heard of the hack.
I find myself confused by this as well, surely people who are sufficiently technically sophisticated to own bitcoin won’t fall for “I’ll send you bitcoin if you send me yours first”?
I assume the victims aren't technically-sophisticated bitcoin owners. I had previously told a family member that I had a little bit of cryptocurrency, and then a few months ago they messaged me asking how to buy some bitcoin. I prodded them a bit, and it turned out that they had seen a scam somewhat like today's. I was able to stop them and explain the scam. Presumably if they hadn't asked me, they might have figured out how to buy some on their own and then sent it to the scammer.
My Uber driver in Sydney told me he was converting all his money into crypto because he thought the FIAT system was gonna crash. He was not technical. Lots of semi tech literate crypto people out there.
That's like the Kennedy-shoe-shine-boy thing. Kid on the street starts asking Papa Kennedy about some hot stocks he heard of and Kennedy realizes everything is wayyy too overheated and pulls out. Market implodes a little while later, and Joe is able to buy up whatever he wants.
Very similar alright. I felt so conflicted listening to him because I knew nothing I would say would change his mind so I just kept quiet. He was a pensioner trying to save to leave something for his progeny. Kind of heart breaking.
1) You submit a transaction to the mempool. It may take a couple of minutes for a miner that "liked" your transaction to include it in a block. While in this stage, the receiver technically does not have anything yet, thus it is impossible to use the coins in any way.
2) The transaction gets put inside a block. Generally, most vendors would say the transaction is "unconfirmed", although technically it is now in the ledger. There is a small chance that due to inconsistencies and network latency the block gets orphaned and the replacing block does not include the transaction. If you are a vendor and start shipping products immediately after your money is put into the ledger, you open yourself to a range of possible attacks. For this reason most wait two or three more blocks, just to be sure.
To answer your question: after a block gets created and the scammer receives his crypto, albeit still in an unconfirmed (read as "young") block, they can start using it however they decide to. A small chance that their actions get reverted exists though.
Unconfirmed transactions cannot be withdrawn.
Transaction that already is in at least one block is confirmed by definition - the act of being included in a block results in a confirmation.
Unconfirmed transactions can be "cancelled" by double spending the coins in the unconfirmed transaction.
You could issue a double spend transaction that goes to another wallet you control with a higher fee and the network will probably apply that one first.
It's only at 12 bitcoin ($120k) right now. (serious question) why do you think it could be as high as $50 to $100 mm? Is there a way to see the total including unconfirmed transactions?
I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and it looks like a very large number of transactions have yet to be confirmed. So any amount so far is just the beginning - more is sitting in the mempool ready to be confirmed.
Hang on... is it “stolen”? If you trick some people into giving their money to you, it’s unethical, but you didn’t force them to hand you their money against their will.
I would say “taken” is fair; but “stolen” isn’t exactly right.
For example, historically the UK had "Theft By Deception" a type of theft in which the requirement is that you deceive people, intentionally, in order to permanently deprive them of something of value rather than just taking it.
This was replaced by modern Fraud crimes this century. The new crimes reduce what prosecutors need to show somewhat. With "Theft by deception" there can be a problem if the prosecutor struggles to show that the defendant actually permanently deprived the victim of something of value, especially if the victim realised there was a problem in time to use some sort of "claw back" mechanism. With Fraud the prosecutor can show that the defendant intended to gain even if ultimately that didn't work, so long as the deception actually happened the crime was not merely attempted.
All these Tweets are Fraud by False Representation under that replacement law, because the tweet deliberately pretends to be from somebody (e.g. Apple or Bill Gates) when it's actually from the perpetrator of the crime and it's clear that they intended to gain from getting Bitcoin sent to this account even if a prosecutor can't prove how much they actually made.
If I ask you to give me a loan and I say I'll pay it back with 100% interest in a few days, and then I run away with your loan and never pay it back, then yes, it's stealing.
That's all that's happening here, except in units of BTC and not USD...
Keeping in mind the attackers will not be able to perform this stunt again through the same attack vector, it could also simply be that the attackers overestimated how much they would make from this attack.
I doubt that. For one, they wouldn't be reusing the crypto messages from the past which have been seen by everyone on twitter a thousand times. I ignore based on tweet rather than looking at who tweeted it most of the time. So they at least would write new messages if they were after money.
There are so many ways to make money that even a dumb person could find something better than posting crypto ads without compromising on opsec.
I think they have proven that it works with thousands of YouTube videos with the same scam and basically the same operating mode (impersonating famous people). They have made quite a lot of money.
So they are probably on at least their second attack vector by now.
I mean, who knows, based on the massive number of imposter YouTube stream BTC giveaway scams, this might be a whole sub-industry in India by now. Similar to fake virus scams etc.
Or it could be attack on Twitter itself. Jack's policies are not loved by few folks in WH. Just speculating
OR
Twitter's stock was down by some major percentage because of this incident. It could be a way to earn bigger and "legal" money by having prior knowledge about this incident.
Wow that's brilliant. I didn't think of that. If someone had a non trivial amount in stock shorts, they could stand to make an exorbitant amount of money.
Quite possibly this isn't a hack and someone got a Twitter admin's account, then got access to the admin panel and "all" accounts without having to hack much of anything.
If there is such a level of privilege in Twitter's stack, that says a great deal about their technology. Insiders must not be able to act as users except in prescribed ways requiring two-person control, logged and 100% audited. Glass-breaking privilege escalation should set off every pager in the company.
Sorry, but would you mind expanding slightly on how you would implement such a system?
In my understanding once you remove all the layers of abstraction at some point it's a bunch of databases and data stores. Someone has to manage them. Why wouldn't a breach of those users be able to do whatever they want?
And at a higher level, someone is writing the code to implement such a stringent access system. Why wouldn't a breach of those users (or a rogue employee) be able to accomplish bad things?
Glad you asked. "There is a database and some guy is the DBA" is a very outdated architecture that can get you passing grades as an undergraduate and that's about all it's good for. You should not take as a given that the right to modify datastores falls ultimately upon some individual. It is possible to permanently discard this ability, and organizations should strive for that.
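An added illustration of the "prescribed ways requiring two-person control, logged and 100% audited" pattern that the thread is arguing for, with a break-glass path that is allowed but pages immediately. This is not Twitter's code; the action names, roles, staff identities and ticket ids are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class Denied(Exception):
    """Raised when a privileged action does not satisfy the control."""


@dataclass
class AuditTrail:
    """Append-only record of every decision, plus the pages a break-glass use raises."""
    entries: list = field(default_factory=list)
    pages: list = field(default_factory=list)

    def record(self, **entry):
        entry["at"] = datetime.now(timezone.utc).isoformat()
        self.entries.append(entry)


@dataclass(frozen=True)
class ActionRequest:
    action: str            # one of PRESCRIBED_ACTIONS
    target_account: str    # user account the action would modify
    requester: str         # staff identity from SSO
    ticket: str            # support case the action is tied to ("" = none)
    approvers: tuple = ()  # staff identities who approved this exact request


# Staff may act on a user account only through these named operations,
# never through raw datastore access.
PRESCRIBED_ACTIONS = {"reset_login_email", "disable_2fa", "post_as_user"}
APPROVER_ROLE = "support_lead"


class PrivilegedActionGate:
    def __init__(self, audit: AuditTrail, roles: dict):
        self.audit = audit
        self.roles = roles  # staff identity -> role, assumed to come from the IdP

    def authorize(self, req: ActionRequest, break_glass: bool = False) -> bool:
        base = dict(action=req.action, target=req.target_account,
                    requester=req.requester, ticket=req.ticket)
        if req.action not in PRESCRIBED_ACTIONS or not req.ticket:
            self.audit.record(decision="denied", reason="not a prescribed action with a ticket", **base)
            raise Denied("action must be a prescribed operation tied to a ticket")
        # Two-person control: two distinct approvers holding the approver role,
        # neither of whom is the person asking.
        qualified = {a for a in req.approvers
                     if a != req.requester and self.roles.get(a) == APPROVER_ROLE}
        if len(qualified) >= 2:
            self.audit.record(decision="approved", approvers=sorted(qualified), **base)
            return True
        if break_glass:
            # Emergency path: permitted, but logged and paged the moment it is used.
            self.audit.record(decision="break_glass", approvers=sorted(qualified), **base)
            self.audit.pages.append(f"BREAK-GLASS {req.action} on {req.target_account} "
                                    f"by {req.requester} (ticket {req.ticket})")
            return True
        self.audit.record(decision="denied", reason="two-person control unmet",
                          approvers=sorted(qualified), **base)
        raise Denied("needs two approvals from distinct support leads")


# Constructed roles and a short walk-through of the three outcomes.
ROLES = {"alice": "support", "bob": "support_lead", "carol": "support_lead", "dave": "support"}


def demo():
    audit = AuditTrail()
    gate = PrivilegedActionGate(audit, ROLES)
    ok = gate.authorize(ActionRequest("reset_login_email", "@victim", "alice", "CASE-1", ("bob", "carol")))
    try:
        gate.authorize(ActionRequest("reset_login_email", "@victim", "alice", "CASE-2", ("bob", "dave")))
        one_lead = True
    except Denied:
        one_lead = False
    emergency = gate.authorize(ActionRequest("disable_2fa", "@victim", "bob", "INC-9", ()), break_glass=True)
    return ok, one_lead, emergency, [e["decision"] for e in audit.entries], len(audit.pages)


if __name__ == "__main__":
    print(demo())
```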
I'm guessing you work/have recently worked at a big tech company (FANG or one of the ~5 other companies of comparable size) and are seriously overestimating how common their best practices are. Unless by "passing grades as an undergraduate" you mean "bonuses and promotions at a majority of the companies that handle your data every day"
G did not really get serious about infrastructure security until after the China hack (and more so after NSA/Snowden) and didn't really get serious about insider risk until after "gcreep". Still, I don't understand the reluctance of the industry at large to learn the lessons of other people's failures. Why does each company need to separately discover that insider risk cannot be prevented by recruiting, it has to be prevented in code and hardware?
Building a large-scale information system is like building a nuclear power station. There are a million ways to screw it up and only a few recognized right ways. If you ignore the best practices, it will eventually destroy your company and harm your users. Twitter have nuked themselves here. How can they come back from this? It sure looks like an insider risk mitigation system would have been money well spent.
I had a fairly high level of Gmail and Gaia administrator access for a while when I worked there, including the post Snowden era. Resetting the password on an account would indeed trigger an audit event, and I'd be asked what was going on. I could provide any plausible sounding reason and that was sufficient, it wasn't really investigated. And that was the right level of oversight because as far as I know nobody with that kind of access ever abused it by making up a plausible sounding reason.
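Added example, not from any commenter and not Google's or Twitter's tooling: the comment above describes the mechanism (a privileged action emits an audit event and the operator is asked for a reason) and the gap (any plausible reason passes). A reviewer can at least check mechanically that each privileged action carries a ticket reference and an approver other than the actor. The event schema, action names, the `SUP-nnnnn` ticket format and the log lines are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// AuditEvent is one constructed audit-log line. Field names are assumptions for this
// example, not any real company's schema.
type AuditEvent struct {
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Target   string `json:"target"`
	Reason   string `json:"reason"`
	Approver string `json:"approver"`
}

// privileged lists actions that let an operator act as, or take over, a user.
var privileged = map[string]bool{
	"password_reset": true,
	"email_change":   true,
	"mfa_disable":    true,
	"session_mint":   true,
}

// ticketRef matches a support-ticket reference such as SUP-48213 (format assumed).
var ticketRef = regexp.MustCompile(`\b[A-Z]{2,5}-\d{3,}\b`)

// Finding is one privileged action that would not pass a two-person, ticketed review.
type Finding struct {
	Line   int
	Actor  string
	Action string
	Target string
	Why    string
}

// ReviewAuditLog parses newline-delimited JSON events and flags every privileged action
// whose reason has no ticket reference or whose approver is missing or equals the actor.
// Non-privileged actions are ignored.
func ReviewAuditLog(auditLog string) ([]Finding, error) {
	var findings []Finding
	for i, line := range strings.Split(strings.TrimSpace(auditLog), "\n") {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if !privileged[ev.Action] {
			continue
		}
		var problems []string
		if !ticketRef.MatchString(ev.Reason) {
			problems = append(problems, "no ticket reference in reason")
		}
		if ev.Approver == "" || ev.Approver == ev.Actor {
			problems = append(problems, "no independent approver")
		}
		if len(problems) > 0 {
			findings = append(findings, Finding{Line: i + 1, Actor: ev.Actor, Action: ev.Action,
				Target: ev.Target, Why: strings.Join(problems, "; ")})
		}
	}
	return findings, nil
}

// SampleLog is constructed input: one clean reset, one reset on a phone call with no
// ticket or approver, one harmless read, and one session mint self-approved by the actor.
const SampleLog = `
{"actor":"alice","action":"password_reset","target":"user:1001","reason":"SUP-48213 account lockout","approver":"bob"}
{"actor":"carol","action":"password_reset","target":"user:2002","reason":"user called in, sounded legit","approver":""}
{"actor":"dave","action":"view_profile","target":"user:3003","reason":"","approver":""}
{"actor":"erin","action":"session_mint","target":"user:4004","reason":"SUP-48300 debugging","approver":"erin"}
`

func main() {
	findings, err := ReviewAuditLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("line %d: %s %s on %s: %s\n", f.Line, f.Actor, f.Action, f.Target, f.Why)
	}
}
```

Running it flags lines 2 and 4 and leaves alice's ticketed, bob-approved reset alone. The check is only as good as the log: if, as a later comment says, "the logging wasn't there", there is nothing to review.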
Stopping bad insiders is really hard. Attempting to do it makes most organisations totally dysfunctional. There is one very famous kind of company that combats bad insiders regularly and with huge quantities of systems - a bank. Investment banks in particular. Whenever you read about 'rogue traders' they inevitably had to do a lot of stuff to disable all the various security systems trying to catch rogue traders.
Institutionally distrusting your own employees can lead to seriously messed up IT systems. It's one of the reasons that bank employees are notoriously unable to access so many ordinary external websites, or services like Slack. It's how you can get "administrators" that can't read the logs of the service they supposedly administer. Encrypted messaging services in particular are poison to an org that's trying to stop employees exfiltrating valuable data. Google can just about do a good job of it because it has an essentially unlimited budget, which it spends on rolling its own tools for absolutely everything and integrating it all into one uber-architecture. From an economics perspective this makes no sense - comparative advantage etc - and thus basically no other company can do it that way. They have to buy or deploy open source tools that use a wide array of threat models and security systems but 95% of them will assume a trusted admin. Then try and hack things on top to restrict what rogue admins can do. It's deeply unpleasant.
Having been in several situations - as Gaia admin, working for big budget low competence IT for a "major" company, and as a shoestring SRE on a household name that's still held together by duct tape in some corners - it's weird what is obvious, what is possible, and what level of escalation would be required for what kind of attack. It would have been possible and even trivial for me to impersonate a user at any of the three. At Google, I would have left indelible tracks that would have gotten me fired, see Gcreep (who, oddly enough, I replaced - I was the next SRE hire at Google Kirkland after he'd been sacked). At the largeco, the tracks would have been indecipherable; nobody would have been able to notice. The logging wasn't there. The ability to analyze what logs they had wasn't there. As a shoestring engineer, I'm pretty sure I would have clear knowledge of who did what if something were discovered, but I would have a significant problem finding it unless something were obviously wrong. I know I can't stop a rogue admin; my team is small enough and needs to react fast enough that we can't spare time for access controls or break-glass, even if they were handed to us on a silver platter.
I'm quite concerned about what that means and what this means, and I'm watching this intently. Probably for nothing; I know this is in the realm of risk we're unprepared for, and can't prepare for. Darned if I don't worry anyway.
That's not what I meant, sorry. How do you implement such a system? So there's a team to manage the datastores, but that changes nothing: on some level someone somewhere has root passwords and/or filesystem access and/or the ability to modify the fleet.
We all know access controls and multiple operators are good, yeah. But at the heart of it is still a bunch of linux machines that have to be managed and deployed to. Which as far as I know has no mechanism for checking with operator x before running a command from operator 0.
I know nothing about twitter's architecture but it could be:
- at-rest encryption of the datastores with the content encryption key protected by an HSM. A KMS (key management system) would be the interface to retrieve the key, with access control enabled. An even better solution would be to have the HSM cipher/decipher the data directly, thus the encryption key would never leave the HSM (or the encryption key is also ciphered by the HSM). But performance-wise it is not realistic.
- in-transit encryption from the client to the datastore. More likely no end-to-end encryption, thus allowing admins who have access to encryption termination hosts (reverse proxy, twitter backend app, datastore, etc.) to read (and maybe alter) the data by doing memory dumps
- access control for datastore operations: allowing only the twitter backend and some privileged users to read/write in the datastores, etc.
Doing end-to-end encryption from the client to the datastore with a key per client is possible but it would make the solution very complex to operate and not performant.
The tl;dr is that they use hardware security modules (HSMs) with quorum-based access controls. Any administrative actions such as deploying software or changing the list of authorized operators require a quorum of operators to sign a command for that action using their respective private keys.
While this system was designed specifically around protecting customers' private keys, you could imagine a similar system around large databases.
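Added example, mine rather than any commenter's or any vendor's code, of the quorum model the comment above describes: a command is approved only when at least k of n enrolled operators sign the same canonical bytes with their own private keys. It uses Go's standard ed25519; the `Command` fields, the operator names and the 2-of-3 policy are assumptions. A real deployment would keep the private keys in hardware tokens and would persist used nonces so a signed command cannot be replayed; this example stops at the verification logic.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Command is an administrative action needing quorum approval. Field set is assumed.
type Command struct {
	Action string `json:"action"` // e.g. "deploy", "add_operator"
	Arg    string `json:"arg"`    // e.g. image digest or operator name
	Nonce  string `json:"nonce"`  // a real system would record used nonces to stop replay
}

// Signed is a command plus the signatures collected from operators, keyed by operator name.
type Signed struct {
	Cmd  Command
	Sigs map[string][]byte
}

// Policy is the authorized-operator list and the quorum size.
type Policy struct {
	Operators map[string]ed25519.PublicKey
	Threshold int
}

// canonical serializes the command deterministically so every operator signs identical bytes.
func canonical(c Command) ([]byte, error) {
	return json.Marshal(c) // encoding/json emits struct fields in declaration order
}

// Sign is one operator's approval of a command.
func Sign(priv ed25519.PrivateKey, c Command) ([]byte, error) {
	msg, err := canonical(c)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify succeeds only if at least Threshold distinct, enrolled operators produced valid
// signatures over the command. Unknown signers and bad signatures are simply not counted,
// so no single operator, enrolled or not, can push a command through alone.
func Verify(p Policy, s Signed) error {
	msg, err := canonical(s.Cmd)
	if err != nil {
		return err
	}
	valid := 0
	for name, sig := range s.Sigs {
		pub, ok := p.Operators[name]
		if ok && ed25519.Verify(pub, msg, sig) {
			valid++
		}
	}
	if valid < p.Threshold {
		return fmt.Errorf("quorum not met: %d of %d required signatures", valid, p.Threshold)
	}
	return nil
}

// Demo builds a 2-of-3 policy, signs a deploy, and reports whether one signature is
// rejected, two are accepted, and a tampered command reusing both signatures is rejected.
func Demo() (oneRejected, twoAccepted, tamperRejected bool, err error) {
	privs := map[string]ed25519.PrivateKey{}
	policy := Policy{Operators: map[string]ed25519.PublicKey{}, Threshold: 2}
	for _, n := range []string{"alice", "bob", "carol"} {
		pub, priv, e := ed25519.GenerateKey(rand.Reader)
		if e != nil {
			return false, false, false, e
		}
		privs[n], policy.Operators[n] = priv, pub
	}
	cmd := Command{Action: "deploy", Arg: "sha256:0123abcd", Nonce: "n1"}
	sigA, err := Sign(privs["alice"], cmd)
	if err != nil {
		return false, false, false, err
	}
	sigB, err := Sign(privs["bob"], cmd)
	if err != nil {
		return false, false, false, err
	}
	oneRejected = Verify(policy, Signed{Cmd: cmd, Sigs: map[string][]byte{"alice": sigA}}) != nil
	twoAccepted = Verify(policy, Signed{Cmd: cmd, Sigs: map[string][]byte{"alice": sigA, "bob": sigB}}) == nil
	tampered := cmd
	tampered.Arg = "sha256:evil" // same signatures, different bytes
	tamperRejected = Verify(policy, Signed{Cmd: tampered, Sigs: map[string][]byte{"alice": sigA, "bob": sigB}}) != nil
	return oneRejected, twoAccepted, tamperRejected, nil
}

func main() {
	one, two, tam, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("single signature rejected: %v\nquorum accepted: %v\ntampered command rejected: %v\n", one, two, tam)
}
```

The point the thread keeps circling is visible in `Verify`: the machine executing the command never needs a human with root, only the operators' public keys and a threshold; changing that list is itself a `Command` that needs the same quorum.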
Not that either. It feels like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.
Even the last thing you said about Linux systems starting processes ... even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.
I don't think this is going anywhere. You just keep dodging the question while acting elitist about a topic it is becoming clear you don't actually know much about.
The software has to get there somehow. The images have to get created somehow. The databases need to stay running somehow. At the end of the day they are machines that need to be managed. The fact that you don't have people SSH'ing in and SFTP'ing files around changes nothing about that. And I'm not talking about doing that anyway, or any of the other things you keep telling me I don't understand are bad practice (you're wrong).
Hand waving and mumbling 'old tech, newb' doesn't help in the slightest. I've been writing software with a small side of infrastructure management for 10+ years. Not all of us work at FAANG and magically know how things work on that scale.
> Not that either. It feels like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.
OK, what about the people who have physical access?
> even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.
> OK, what about the people who have physical access?
What about them? Nothing about physical presence should lead to userdata access, nor the ability to act as users, if the application-layer security is squared away. In any case, physical security is by far the easiest of these topics to handle. Keeping people out of buildings is a human undertaking with 1000s of years of solid doctrine.
> Who watches the init daemon?
Another important question! If you don't know what's running on your box, you really don't have a security story at all.
One can trade data navigability and a performance hit for opacity of content.
Encrypted rows of data are meaningless to an "admin" that can query to its heart's content but will never be able to decrypt the result set. On the other hand, the layers on top (such as the web-tier that emits the plaintext) may have the keys to decrypt, but lack the privs to run around in the database; from that level, they must pass along the user's credentials to obtain user specific content.
Since people don't search by content on Twitter (afaik) and only 'meta-data' indexes are used (such as hash-tags, follower, following, date) this is entirely doable for something like Twitter.
There is also 'Homomorphic Encryption', but I'm not sure the tech there has reached acceptable performance levels.
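Added example, not any commenter's code and not a description of Twitter's actual stack, serving two passages: the at-rest/KMS bullet a few comments up ("keys that can only be unwrapped by authorized systems") and the comment just above ("encrypted rows are meaningless to an admin who can query to its heart's content"). The HSM is simulated in-process and the `KMS`, `Row`, caller names and message are assumptions. Each user's row holds only ciphertext and a wrapped per-user data key; the web tier is on the KMS allow list, the DBA is not, and the wrapped key is bound to the user id so it cannot be moved onto another row.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS stands in for an HSM-backed key service: the KEK never leaves it and only
// allow-listed callers get data keys back. The type is an assumption for this example.
type KMS struct {
	kek     []byte
	allowed map[string]bool
}

func NewKMS(allowedCallers ...string) (*KMS, error) {
	k := &KMS{kek: make([]byte, 32), allowed: map[string]bool{}}
	if _, err := rand.Read(k.kek); err != nil {
		return nil, err
	}
	for _, c := range allowedCallers {
		k.allowed[c] = true
	}
	return k, nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a fresh nonce prepended; aad binds the blob to its context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func unseal(key, blob, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:n], blob[n:], aad)
}

// GenerateDataKey returns a fresh per-user DEK and its wrapped form. The user id is the
// AAD, so a wrapped key copied onto another user's row will not unwrap.
func (k *KMS) GenerateDataKey(userID string) (dek, wrapped []byte, err error) {
	dek = make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.kek, dek, []byte(userID))
	return dek, wrapped, err
}

// Unwrap is the only path to a usable DEK, and it is gated on caller identity.
func (k *KMS) Unwrap(caller, userID string, wrapped []byte) ([]byte, error) {
	if !k.allowed[caller] {
		return nil, fmt.Errorf("kms: caller %q may not unwrap keys", caller)
	}
	return unseal(k.kek, wrapped, []byte(userID))
}

// Row is all the datastore ever holds: ciphertext and a wrapped key.
type Row struct {
	UserID     string
	WrappedDEK []byte
	Ciphertext []byte
}

// StoreDM is the web tier writing a message; the plaintext DEK is never persisted.
func StoreDM(k *KMS, userID, message string) (Row, error) {
	dek, wrapped, err := k.GenerateDataKey(userID)
	if err != nil {
		return Row{}, err
	}
	ct, err := seal(dek, []byte(message), []byte(userID))
	return Row{UserID: userID, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// ReadDM is any caller reading a row back; a DBA can SELECT it but cannot decrypt it.
func ReadDM(k *KMS, caller string, r Row) (string, error) {
	dek, err := k.Unwrap(caller, r.UserID, r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := unseal(dek, r.Ciphertext, []byte(r.UserID))
	return string(pt), err
}

func main() {
	k, _ := NewKMS("web-tier") // "dba" deliberately absent from the allow list
	row, _ := StoreDM(k, "user:1001", "meet at 9")
	msg, err := ReadDM(k, "web-tier", row)
	fmt.Println("web-tier:", msg, err)
	_, err = ReadDM(k, "dba", row)
	fmt.Println("dba:", err)
}
```

The caveat from the in-transit bullet still applies: whoever controls the web tier's process memory sees plaintext and DEKs, so the allow list and the KMS audit trail are where the "insider cannot act as a user" property actually lives, not in the database.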
> requiring two-person control, logged and 100% audited
That would be good from a security perspective, but it would cost additional training, require more support staff, increase response time between request and resolve, make the system more complex and possibly fragile, and take development resources away from profit centers.
Most companies likely have, at best, the same security at their internal support center as their accounting department, and given how common CEO fraud is, it means social engineering will likely continue to be a major attack vector for a long time.
this assumes two things: that there is a security model that would prevent this attack that they should have implemented, and that alarms _weren't_ set off. Both of those are weak assumptions.
I don't think parent was assuming those measures are implemented. They were saying that they should be implemented and if they are not, it betrays seriously poor security posture at Twitter.
If you do that to a head of state it's very visible and leads to major changes.
Same as when a journalist in the UK got a temp job in BT's office in Edinburgh and looked up the Queen's unlisted phone numbers at Balmoral - led to a major security incident and massive changes.
Without knowing what they have access to, it's hard to tell.
If it's a third party API key with special privileges that they hacked, the potential harm is limited.
If they have access to the full system, they could be sending millions of ghost messages to some part of the population right now to get them to do something while we all watch the BTC show:
- scam them
- get them infected to gather a massive bot net
- make them very angry and start some kind of civil unrest in a specific part of the world
- cover a currently happening terrible event somewhere so that we don't learn about it too soon because twitter is the faster medium for that
At this point I realize how critical twitter has become to shape the way we view the world, and govs should worry a lot that this can be happening and act on it quickly.
They're wasting time and money on purpose too, the dead rapper XXXTentacion just tweeted: “Smoking a fat blunt on my private island giving out bitcoin to my supporters”, Elon tweeted "hi" etc.
They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.
I sometimes get "we hacked your site, pay us bitcoin" spam via a contact page on my website. Once, I decided to send them a few cents to see if they were dumb enough to sweep it somewhere. To my surprise, they really were that dumb. It seems to be in some sort of wash trade loop (maybe a coin tumbler).
Alternative take, it could be a distraction while they short various stocks. Obviously 12 BTC/100K isn't worth hacking Twitter. Perhaps if everyone is watching the Bitcoin address, they may miss the real heist.
Shorting stocks will be suspicious if they do it from accounts that have never done much volume before. There are insider traders who are caught all the time doing 1 big trade (relative to their account values and previous activity) miraculously at the right time.
Definitely, this is like the theorized “Goldfinger” attack on cryptocurrencies—sabotage the network after building up a sizeable short position in derivatives. However a Goldfinger attack on Twitter stock would be a challenge to hide, since any evidence of anomalous trading patterns could open you up to prosecution by the SEC. Might want to check for any huge buys of daily put options on TWTR...
That's what I first thought of as a potentially better scam. Pump and dump. Emergency news: covid vaccine gets emergency authorization, or the opposite, Moderna is pulled from the next phase because it killed people. I know the SEC is good at sniffing that out but it seems like you could easily get more than a few 100k, especially given the Moderna news / earnings season.
That's definitely one way you could blackmail people for more BTC, or unmasking various prominent anonymous accounts... Lots of way to use that info to make serious money on the darkweb.
Pretty sure this is trivial. Buy someone's identity on the dark web to pass an online brokerage's KYC, then wire money in from an international bank. I say this as a person who worked at a fintech. KYC checks aren't the most robust and you can brute force the knowledge based authentication if you have enough people's information. Some of the KBA questions you can google because all the data brokers put people's past cities online.
It will take at least a week for the SEC to make an official request. Funds would have settled and you can call up and wire the money away. Never seen it with stocks but have seen it on deposit accounts. One of the biggest issues with online banks is fake accounts that are used as mule accounts to move stolen money. Authentication in the US is weak and based around SSN and credit history, which isn't hard to buy. Want a billion dollar idea? Solve that without using things like sending a verification code in the mail to an address on an active account in the person's credit history.
Assuming this is what you went to prison for, is there anything you can tell us about what happened or what the experience was like? Or have you written about it already on HN or anywhere else?
Of course I can understand if you are somehow unable or unwilling to talk about it, but I'm really curious and it can't hurt to ask :).
I mean, if you spent $$$$ shorting Tesla stock, then a week later the stock nosedived in response to a tweet and you made a big profit, that doesn't prove you were behind the tweet.
It wouldn't even be illegal, unless there was independent proof you were behind the hack. Without that, you just placed a bet which happened to be a lucky one - just like anyone else who was short Tesla.
What are they going to ask? Why did you short the most shorted stock in America? Why did you later close your short position, locking in a large profit?
I'd be surprised if that even got you interviewed, let alone searched for hacking tools.
Unless they've fingered you by some other means, in which case it's irrelevant how you were planning to get the money out.
At that point, it's a criminal investigation and everyone on the right side of the trade is a suspect. If you'd made enough to make the risk worthwhile, they'd subpoena everything - phone records, emails, electronics, financial history, contacts, ...
Most communities that would actually have buyers for high level information are well hidden, you basically have to know someone to get in. I don't know of any sites on TOR that have a marketplace for this kind of high level information, but there's definitely a couple russian marketplaces on i2p. I don't have the links anymore but they're probably somewhere out there on the clear web.
There's a simpler explanation: someone wants to destroy Twitter. (Bless them, lol.)
Twitter's only value to the world is the idea that it is a platform where "celebs" can safely broadcast their message to the public. That value proposition has now been destroyed.
Well, if I was Obama I'd cancel my Twitter account ASAP. Today the tweet is relatively harmless and obviously fake, but who's to say that tomorrow something really toxic to Obama's reputation won't be posted under Obama's name? (Say, something anti-feminist.)
Arguably it was irresponsible of Twitter not to pull the plug on the servers at the first hint of an exploit at this scale. When you literally have no idea what's going on, job #1 is to keep it from getting worse.
Just wild speculation, but could it also be a stock-market play? It seems the stock went down by quite a bit in after-hours trading [0]. Shorting the stock I guess would have earned you quite a bit more than the few BTC made directly.
It's possible this was conducted by somebody who underestimated the hack's value, or isn't even really doing it for monetary gain rather than to just stir chaos
Another possibility is that they have already sold the hack, but the relationship with the buyer deteriorated for whatever reason, so they decided to burn the bridge.
I’m seeing a lot of discussion of the DMs being the real target, but executives and politicians usually have staff who monitor and post to their social media channels. Hard to imagine Barack Obama communicating anything of blackmail value over a channel that a mid-level social media manager has the password to.
I highly suspect that it's an inside job and someone had become aware that a security hole in the api/interface was getting ready to get patched so they jumped on it as a hail mary to make some bucks. It's one of the few things that makes sense. Otherwise they would have sold it to some nation state to pull the trigger on when they need a propaganda coup.
Okay, this has me curious. Could someone describe the context/circumstance where you have a 'big client' to whom you illustrate capabilities by this kind of hack? This is a black market thing, right?
I don't doubt it, I'm just curious what this market is, and what it means to be a 'big client' in it, etc.
Just imagine trading secrets to foreign actors, or selling misinformation. Can you even think of the covert operations that could have taken place to slowly poison streams of people in the twitter-sphere? This is a big yikes on a platform that "poses" as a platform of democracy and free speech.
Yeah, I'm not sure there is much to be gained from leaking internal data (are DMs that valuable?). The actual scam is executed so poorly that it can't be the main goal too. "Proving" you have a good exploit by throwing it away is also not plausible.
Exactly, this would be a pretty reckless way to prove an exploit. You could just tell the potential buyer to create a new account and then tweet from that handle.
Perhaps, however proving you can access verified accounts is harder. Still, even that could have been proved a lot more quietly if they wanted to; clearly this is a distraction, or something else is being sold/showcased beyond this exploit.
While we'd hope that most people would be smarter than to send anything incriminating through a DM, the high profile nature of some of these accounts means anything embarrassing in their DMs could have significant value. They already have access to two presidential candidates' accounts and might have access to the incumbent's account even if they didn't post from it.
You could move many, many millions of dollars on the stock market with these accounts. Would require more care and/or tricks to avoid being apprehended than a simple anonymous bitcoin scheme, but the pay off could have been at least a couple of orders of magnitude higher.
If this is a demonstration to a client I don't want to know what the product is they're selling. There are few more valuable targets than being able to hijack communication of public figures.
I thought it was just me, but yes... please send me your ISK and I will double it... here's a website with a wallet thing that shows we sent out money... everytime we received some.
Again, nothing. Given the accounts that were hacked, they could easily have moved markets and had pre-placed short bets that would have netted them potentially hundreds of millions.
If they had capital to begin with. If this is some individual hacker without much for means, swiping $100k of BTC in a potentially narrow window when a security vulnerability is in place is greater than $0 while trying to line up capital and shorts.
If you do it in "real" markets, you get the attention of the SEC or similar agencies in other countries. Crypto is completely unregulated in this regard.
No, but if someone managed to hack a bunch of Teslas and cause chaos, driving their stock down, you can bet law enforcement would be looking at shorting activity.
I wonder if it's coming from inside the US, to prevent the President from using Twitter the way he has used it -- signifying that the presidential twitter account could be compromised, without actually compromising it and with minimal damage otherwise.
this is the best fun i've had in a while but i've just ruined it for myself with a conspiracy theory that some prankster youtuber has set this up and there will be a "hilarious" video about it tomorrow
I'm trying to think of other ways to monetize this without ending in prison, and not really coming up with much...
Sure, you could short stocks and then make "Aaah, Tesla is going bankrupt!" tweets... But without an army of lawyers and accountants and money to pay them, it's hard to anonymously short stocks.
You could bribe people with publishing DM's - but again that's pretty high risk. And how do we know that hasn't already happened?
Maybe shorting wouldn't have been needed. Just buy from the dip and trust that the stock recovers when twitter confirms hacking. But requires a lot of cash that the attacker probably doesn't have.
Crypto can also become tainted and basically unsellable. It's especially easy to do with bitcoin or ethereum.
Also, unless they have the identity of the hackers, it wouldn't be that hard to make millions without sending any red flag. Tesla has an insanely high option volume, you could get into highly traded positions a few weeks/days before and cash out easily. Unless you really, really make dumb moves it's pretty safe. Much safer than cashing out on a BTC haul.
If the hacker lives in Eastern Europe, opening a stock options account is not possible, unless he has a connection with an American who can make the trades and cash out. No need to try to fool the SEC, which has billions of dollars of resources behind it. Also not all exchanges are regulated, and even regulated exchanges may not be able to trace the source. The money can be split and sent to many exchanges and mixing services over a long period. It is not safe. Elon Musk's twitter being hacked would trigger extra scrutiny of all Tesla stock option trades. The SEC has extremely advanced tools for detecting this stuff.
There is a bit of romanticism about hacking here, things are way more boring than you would think. Likely that some process on the authentication process at twitter was broken and someone took advantage to have a laugh.
Hijacked the authentication cookies and injected them into the app that skips validation for performance. Likely nobody got access to the accounts themselves; it just allowed them to tweet some jokes.
A senior engineer (juniors would not have this level of access) risking their job and facing prosecution for an amount that would certainly be far less than their salary? That doesn't seem likely.
The resources needed to do this. Compromising and paying Twitter staff, the practical, technical know how (and it's cost), and that no real attempt to profit from this has been made?
I don't think that sounds like a financially motivated crime at all. As a crime it has more in common with the proverbial 'horse head on the bed', than a sophisticated heist. I think this was done to shake confidence in the perceived invincibility of Silicon Valley and FANG like companies particularly.
But then any number of well resourced 'political' actors would love to send that message to the large tech companies...
Do they seem the type of people that would send anything sensitive over Twitter DMs? I'd imagine if anything at the very least they would use iMessage or some messaging app of that nature. Biden seems like the type of guy who relies on e-mail.
There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this. Any time you use it, you're likely to lose it, so its value is pretty precarious. How much can you really accomplish in a few hours?
People get hacked so often on twitter that there's already substantial doubt ("did they get hacked?") whenever somebody tweets something odd, so I really doubt you could accomplish some diabolical geopolitical aim that some seem to expect.
And as if it's so straightforward to find a terrorist billionaire that's willing to pay top dollar to use it to start a war or something to that end.
>There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this.
People have made far more from things Elon has tweeted. Now billions is ridiculous, but you could have made millions via market manipulation. Not to mention the amount of damage had he done a targeted exploit - there would be a ton of speculation as to whether Elon/Trump/Gates was "really" hacked or if it was just a cover.
There's basically no way to earn any significant amount of money beyond what they've already done without getting caught. Certainly not a billion dollars.
No one has ever gone bankrupt by taking profit. State level actors/smoke screen/geopolitical implications all sounds great and are exciting but this might be a small group that just thought 'let's get what we can, easier to launder 100k that billions lol'
How did you determine it to be literally worth billions of dollars? I don't understand how sending some faked tweets could have much in the way of geopolitical implications.
The Prime Minister of Israel was hacked. What if he'd announced "Dear holy men of our faith, now is the time to immediately strike the black devil threatening our very way of life within the U.S."
Or Barack Obama and Joe Biden's account saying "The jews have finally taken over the White House. Donald Trump has been confirmed to be a planted Russian agent. Act now in the streets before it's too late"
Obviously, those aren't worded very well because I'm tired as shit. But how can you not imagine the implications that could be had? It's not that hard...
If they had waited until election day in November it could have tipped the election. This of course assumes that no one else would have found the problem in the meanwhile (difficult to say if that's realistic or not), but yeah ... the potential could be a lot more than "just" ~$110k in scam damage.
I don't think any state actor or 'player' of significance would be stupid enough to do something terrible based on a tweet. It's much more likely that these actors would consider the account hacked and at the very least do a bit of googling to find out.
And when it comes to specifically the kind of message that you use as an example, it's not like they wouldn't wait to see how it unfolds (Twitter saying their accounts were hacked. message void) and see because immediate action wouldn't be necessary.
Hypothetically, I can see some danger if a nuclear power would respond to a tweet saying "we're launching nukes" by launching a pre-emptive strike. But that's fully in the realm of fantasies hysterics have.
That's the problem: whatever they do, it's got to be plausible.
If I read that from Obama and Biden I'd immediately smirk and think "They've been hacked!" I mean there would need to be a sit-down interview on CNN before I'd believe that.
Israel... same. They're a sophisticated nation state with Harvard Ph.D.'s helping to lead their foreign policy, and messaging. If they go from diplomacy to sounding like jihadists in 15 minutes, that's a hack.
Anytime the volume or aggression level goes from like 10 to 1,000,000, it's probably a hack.
Given that context, I think tweeting out a BTC address for a giveaway is something that's halfway plausible, as opposed to totally unbelievable.
Twitter would have probably paid out about $100k for this to be reported via a bug bounty program. $100k is nothing for the risk taken, they could have made a lot more.
It should be but it is not, in the bounty program the actual payout for owning accounts is 7k ish, that is assuming you met all the criteria and they still accepted the bug, which is not always the case.
Having said this, the attack was not the best way to monetize this 0 day either. It looks like something else is happening behind the scenes we won't know about, which is paying out the kind of money this attack should have been worth.
Even things such as "Administrative functionality" and "Unrestricted access to data" is "only" $12.5k. It's not a small amount of money, but pretty sure I could make a hell of a lot more with full access to everyone's DMs. Grepping for CCs would be a good start, and "password", and so forth. Never mind that "admin access" might give the ability to send DMs.
Even forgoing the value arguments, the skill required to identify a vulnerability and develop a provable exploit for it and the time it will take is not free; just paying a senior security researcher an hourly rate or monthly salary will cost much more.
These kinds of rewards are better than nothing I suppose, but it looks like a cheap trick to crowdsource blackbox pen testing.
It could be that companies are cheap, but I bet there's also tension between paying enough to get bugs reported and paying enough to encourage insiders to introduce (or, if they're smarter, find but fail to fix or report) bugs then have them "discovered" by someone outside (for a cut of the cash, naturally). Maybe (probably) these bounties are too low to be anywhere near the tipping point for that so are indefensible as-is, but there surely is a level at which you'd expect to be encouraging bad behavior (proof that such a point exists: imagine a $100m bounty—now, that's plainly on the other side into "too likely to encourage, and be claimed by, fraud").
Most companies this size will have at least a couple of peer reviews, so you will need collusion from all of them.
Nothing in the world can protect you from poor hiring.
If the employees truly are corrupt then they would make more money selling the bug on the black market than to a legit bug bounty.
Again, it should not be linked to value, i.e. not 100m; it should be linked to the effort it will take for a security researcher to find it.
Let's say it took 3 months for a 0 day; the payout should be in the range of 40-50k dollars perhaps.
It is still not a good deal for the guy finding it, he is risking months and he may not find anything; however, being fairly remunerated for the effort if not the value is the first step companies have to take, and it won't look like a cheap trick.
Again, the smart insider doesn’t have to write the vulnerability, they just have to (with much greater access to code and infra than an outsider) notice it and not say anything (except to the outsider they sell it to). Selling such a vulnerability is a lot easier and safer than other ways of illegally monetizing a “hack”—your biggest risk is that you won’t get paid and will have no recourse, if you don’t get the money up-front, or that you do get paid but then someone else fixes the vulnerability before it can be used (that’s probably the worst likely outcome)
[edit] before it can be used to claim the bounty, that is—part of why this is relatively safe and so fairly tempting if the pot is big enough is that the money looks legitimate without some serious digging, so if some of it goes in a crypto wallet and sits there for a couple years then quietly gets siphoned off and laundered until it becomes fiat in the insider’s pocket, well, that’s probably gonna fly under everyone’s radar.
For taking the risk of impersonating several of the richest and most powerful people on the planet? Yeah, I'd say yeah.
Of course it's not stopping at 113k, but even assuming it'll stop at 500k I wouldn't say it's worth it
If it seems small it's probably because Twitter has been under constant attack by crypto giveaway scammers since early 2018. The pool of potential victims has shrunk.
Because that would require dozens of simultaneous simjacks on corporations, billionaires and politicians. Simjacking has about a 20 minute - 4 hour effective window, shorter if the person uses their phone extensively. Hacking the 2FA of Apple, Bezos, Buffett, Gates, Obama, Musk ... in that time window ... naaaaah.
People have been gushing about the value of such a hack, but as a marketer I can tell you that Twitter traffic is pretty close to worthless. I suppose there are other things you could do, such as manipulating stock prices. But that would take a large amount of capital to take advantage of, which this person may not have had.
I think it's mostly a test of miners - a prominent group of tech-related personas have been hacked, so I wonder if they end up asking miners not to validate/approve the list of incoming/outgoing transactions. If they choose to minimize the priority of these transactions, they may get delayed over 14 days and eventually fall off a block as never-processed bitcoins. Then the spender gets their money back. In 14 days they may realize it was a scam. They probably already did!
With so many accounts compromised, the hackers might actually have full access to Twitter's backend. The postmortem would be very interesting. I'll be looking forward to it.
Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
If they had full access to Twitter’s backend, they probably would be tweeting from accounts like @POTUS or @jack. But this seems like they have access to limited accounts. Most likely gained access to a third party service that allows you to manage your tweets?
Edit: they tweeted from the twitter support account. Just wow. They might have actually gotten into Twitter’s systems.
Edit 2: To expand on my edit above, I saw multiple tweets from other accounts that showed a screenshot of the scam tweet originating from the twitter support account. I’m not sure if it’s real or not, since they keep deleting the tweets. If it is real that would definitely open doors to more theories.
Edit 3: Seems like the twitter support account was a joke. Impossible to tell with everything going on!
You say they'd target POTUS but of the very high profile accounts it's so far billionaires, corporations and democrat politicians. Does make you wonder.
Not sure why you are being downvoted given that this is probably correct? Sounds like the attack was through an admin portal. Given that Trump was one of the few high profile accounts not targeted, it seems like the attackers were not able to access his account through that portal. And his Twitter has been attacked by employees before so Twitter probably locked it down so employees can't modify it.
Maybe not everybody with internal tools can mess with it. Because somebody with internal tools already messed with it before and it didn't look very good for Twitter. So if there's anybody with brains there they probably put some measures in place so it won't happen again.
I'm constantly amazed that people who are critical of billionaires and corporations, never wonder why billionaires and corporations are usually democrat supporters.
> I'm constantly amazed that people who are critical of billionaires and corporations, never wonder why billionaires and corporations are usually democrat supporters.
Most billionaires and large corporations have connections in, and make donations to, both major parties. The people who are critical of billionaires and corporations tend to also be the people that point out that the dominant faction of the Democratic Party (less sophisticated members of the critical group will shorten this to just the Democratic Party, without making the factional distinction) has for decades been, in economic policy terms, a center-right pro-corporate neoliberal group, not a progressive one.
I'm pretty sure most billionaires support the GOP. I don't have a citation. But neither did you. Let's not turn HN into a hodgepodge of wild unbacked claims. That's what reddit is for.
1. Most want cheap foreign labour via H1B visas, which is currently more of a Democrat thing (it's a Republican thing too but Trump is avoiding that right now). They claim they like diversity but it's actually just importing H1B visa holders who basically get exploited by the companies because if they don't over-perform, then they don't get promoted and therefore get fired, leading them to get deported back. This is also why these companies have the "get promoted every 1-2 years or you are fired".
2. Most don't publicly support GOP because they don't want to get cancelled.
PREFERENCE FALSIFICATION: Preference falsification is the act of misrepresenting one’s wants under perceived social pressures.
I'm not sure the FB counts as democratic. At best he's big shades of gray with contradicting indications.
Out of the top four richest tech billionaires, according to Forbes, only one of them is not most likely conservative and that one tries to stay out of politics, i.e. Bill Gates.
The next two have clear conservative leanings or contradicting indications, i.e. Bezos and Zuck.
Number four is Larry Ellison, who recently hosted a trump fundraiser. Well here is what wikipedia has on him:
Politics
Ellison was critical of NSA whistle-blower Edward Snowden, saying that "Snowden had yet to identify a single person who had been 'wrongly injured' by the NSA's data collection".[85] He has donated to both Democratic and Republican politicians,[86] and in late 2014 hosted Republican Senator Rand Paul at a fundraiser at his home.[87][88]
Ellison was one of the top donors to Conservative Solutions PAC, a super PAC supporting Marco Rubio's 2016 presidential bid. As of February 2016, Ellison had given $4 million overall to the PAC.[89] In 2020, Ellison hosted a fundraiser for Donald Trump at his Rancho Mirage estate.[90][91]
Simple, billionaires are usually Democratic because they tend to come from liberal backgrounds in liberal areas: Zuckerberg, Gates, or anyone who's come up through universities recently is younger and thus more Democratic leaning. It's really a case of demographics.
I edited my comment, but basically I saw tweets that showed a screenshot of the scam tweet from the twitter support account. Not sure if it’s real since they delete the scam tweets.
The Twitter backend is probably heavily sprinkled with statements like `account_handle match { case "therealdonaldtrump" => throw new TrumpNotAllowedException("can't do"); }`
Especially after the last insider account tampering event.
I do think it's odd that so many prominent accounts were hit but not Trump's. I remember there was an incident a couple years ago that a trust and safety employee at Twitter suspended Trump's account on their last day. It's very likely that after that incident, special guards were set in place to prevent admin tools from messing with Trump's account. This would align with speculation that this hack targeted an internal employee admin tool.
"3 people have been sentenced to death for participating in demonstrations. They could be subject to execution at any moment. This sends a deplorable message to the world and should not occur. #dont_execute"
[edit: not sure why this is getting so much silent attention. It is a literal translation of the tweet referenced in OP.]
Write through caches would need to send the tweets through the normal channels for them to 'fan out' instead of writing directly to MySQL. But essentially what you're saying about possible backend compromise.
It "feels" like an insider attack (simultaneous compromise of lots of high value accounts) but I agree, it will make for a fascinating post mortem if one is produced.
And now this: A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.
Hmm, how much money would this scam potentially generate? I think the salary of an engineer working at Twitter would be higher given how fast this scam would be shut down. Would a Twitter employee risk their career for this scam?
I would be surprised if it were an engineer, but not everyone who is employed would be an engineer. When I was at Google two fairly high profile incidents were enacted by contractors (one in the IT "TechStop" group and one a data center tech)
It may be that the github outage is related. Too many companies rely on 3rd party hosted services for their deployment workflow. Even ones you really would not expect.
> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
Imagine that. At that point it would be more secure to self-host the code off of GitHub to push that critical fix Twitter sorely needs right now.
> ... and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
I sincerely doubt Twitter depends on github.com. Github's enterprise version runs on your own infra, self-managed, and if Twitter uses GH at all, that'd be the version they use.
And yet lots of technical-type Twitter personalities are tweeting like each individual user got popped. "OMG THEY GOT MR BEAST!" No, they got Twitter. I mean it's possible, we do not know, but this "They GOT so and so" thing is annoying at this point.
Don't know, but current corporate dogma is to not host anything, including using third party auth provider which is like giving away their customer list.
Many larger corporations have strict rules on keeping things like their source code in-house, so that means no external services for code reviews or CI, etc.
Do you mean that they prefer using managed services? Or do you mean that the services managed by their internal IT utilize AWS/etc for servers as opposed to on premises.
They prefer to use managed services through third parties. Even to their detriment as those third parties basically own their customer lists. If for instance the auth provider goes out of business, the business would end. Same with code, most new companies are using something like GitLab or GitHub. But it's not as dangerous as many people will have a copy of the source code cloned.
I wonder if this is hack in the sense that the account passwords were compromised or that the system itself was compromised in a way that would allow the attacker to tweet from any account.
It seems like the devs at Twitter are clueless about how this happened.
The hackers could be deep in Twitter's systems, eventually even have someone working at Twitter, or it's a result of a new yet unknown password list or phishing attempt.
I can't see Bill Gates, Elon Musk and every cryptocurrency channel using the same manager. This looks like something closer to a Twitter hack than an intermediary, especially with the reposting after deletion.
No way, it's way too widespread and would be shut down by now.
Elon Musk, Barack Obama and Wiz Khalifa just tweeted the scam again this very minute, more than an hour since it started. This is backend access, Twitter can't figure out how to shut it down.
They could have shut these bitcoin giveaway scams down with a single regex a year ago when they first showed up. They let them go and this is the price they will pay. Let's see if someone is going to sue Twitter because 'verified' to be Bill Gates is meaningless now.
But when you post a tweet via api, the tweet will include the app's name at the bottom? The screenshot in the article has "Twitter Web App" at the bottom.
It's not hard to believe that a group with the ability to hijack the Twitter accounts of some of the world's most influential people could also hijack the "posted by" metadata.
> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
Is Twitter really using GitHub internally (even self-hosted)?
> Thank you to all of you who have engaged with us and shared your feedback. Your input has been vital, and we’re committed to continuing these conversations with you. There’s so much more we’re doing to build a better #TwitterAPI… and Early Access is coming tomorrow!
Were they supposed to launch some new API tomorrow which got hacked?
It looks like someone found a 0-day in the new API and wanted to use it before others did. Probably didn't help that the bug bounty for this would have been only 7k. How much does the Twitter employee who implemented this bug get paid?
It's tricky to fully prevent (considering conspiracies of multiple people) but not that tricky to ensure the responsible internal parties will be identified and brought to justice.
Working from home of course always leaves open the question of whether a person was willingly participating in a crime or was forced at gunpoint.
However, in this case, looks like Twitter's internal tools simply give too much access to people to control access to Twitter accounts. Probably no gunpoint required, just a single compromised employee. It remains to be seen how willingly they have participated.
So the infamous "shadow ban" actually does exist on Twitter, based on this screenshot. I remember them actively denying this two years ago when a wave of shadow ban incidents hit German news.
I just vouched for yet another HN user who had been posting insightful but [dead] comments for at least a month, and I couldn't even find the bad comment that triggered this.
It just makes me sad that I see people spending their energy on good comments, unaware they're not being read by most people.
Currently their earned BTC balance is $120k+ for comparison. That's a pretty successful scam and 5% of potential revenue will not make anyone go white hat.
Many previous ICO hacks (wait for initial coin offering -> change the bitcoin address to your own) have paid millions. Musk's or Buffett's tweets have moved markets multiple times. This sort of access could have been leveraged to gain at least 100x more than what they achieved.
Moving the market doesn't do anything if you don't have the stocks. This might have been a temporary hack where the hacker was not sure how much time he had. It could be as simple as someone gaining access to an unlocked home PC of a remote Twitter employee.
This might actually explain the simple scam nature. Setting up more complex monetisation, i.e. by shorting a company, takes quite a while, especially if you don't want to be tracked. A bitcoin scam is quick and simple to do. And it's not _too_ illegal (compared to, for example, stock manipulation), so the attacker will probably catch less heat.
The advantage of cryptocurrencies is that it allows you to commit the scam anonymously easily and defers the laundering of the money for later, giving you time to devise a scheme to launder it.
Stock markets or fiat currencies on the other hand require quite a bit of work upfront to set up an account before you can trade.
Yes, but tracking that is not easy and we're "only" talking about 120k USD here - single persons have been scammed for more. You can steal one car and be above and beyond that.
That's my theory on why they (presumably) didn't touch the stock market or the POTUS account - even if they're found, they really can only be charged with a modest damage sum and some vague hacking accusations; nothing that warrants a global manhunt.
That could be an interesting vector, don't the feds have a shitload of BTC from various busts? Could they dump a billion into the wallet to make it impossible to launder?
I don't think atomic swaps need to be the full contents of a wallet. It means "atomic" in the usual transactional sense, not that it's all-or-nothing per address.
But even still, the idea to prevent money laundering by sending orders of magnitude more BTC than the initial scam... bold idea.
There are cryptocurrencies like monero whose primary purpose is to facilitate transactions between wallets that cannot be observed (I think).
If they've traded into that currency somewhere, how does one know where that money pops back up - on however many exchanges, under however many identities, in however many amounts, over whatever period of time they drip it back in?
I'm reminded of a paper I read a while back about deanonymizing VPN traffic if you have sufficient observability of nodes in the overall network and something else I can't remember at the moment.
Seems different though. The time they could take to drip money back in to the visible network (for conversion to fiat or appreciation in a "visible" coin) feels like a factor.
edit - heh, just now seeing the article you posted about the FBI's team explicitly mentions a case like this with Monero.
That's not how pseudonymity works, you are anonymous until you accidentally leak, or have to leak, PII linked to your wallet. They can be totally anonymous right now without any mixing. Once they need to convert to fiat they may have to mix first. Or maybe exchange cash wearing a mask with a stranger on the street in a foreign country, etc. Pseudonymity doesn't mean you're not anonymous until you mix.
Do you have more information about how susceptible CoinJoin is, because from what I've seen, for someone who knows what they are doing it would be near impossible, especially if they then convert it to Monero after.
It's anonymous as long as you don't use it for anything. As the GP notes, that allows it to be stored for a while to deal with later.
If nothing else, it's a good way to prove capability. Want to prove your prior deeds and that you're the one that pulled off that Twitter hack? Have someone provide you an address and transfer out of that wallet, and now you've got proof of control of the funds, which works pretty well as a way of verifying you are the individual/group that pulled this off if someone asks. In that way, it's good advertising.
A wallet is really just a public/private key pair. To prove you have access, you can just sign a message of someone else’s choosing with the private key. No need to transfer any value.
It’s why any claims to be Satoshi are laughable. If you want to go public, just prove it cryptographically.
Even easier, just ask them to provide any message then sign using the key(s) to which ownership is desired to be proven. This still works if the Bitcoin have been spent.
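The two comments above describe a challenge/response proof of control: the verifier supplies a message, the holder signs it with the wallet's private key, and the verifier checks the signature against the public key behind the address. The following is an added example written for this thread, not code from any of the commenters or from any wallet software. It assumes Go's standard library, which has no secp256k1 curve, so NIST P-256 stands in for the Bitcoin curve; the "address" is a plain SHA-256 of the public key rather than Bitcoin's RIPEMD160/Base58Check encoding, and the `proof-of-control-v1` prefix is an invented domain separator. The protocol shape is what the example shows: the verifier knows only the address, so the prover also hands over the public key, and the challenge carries a fresh nonce so an old signature cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Domain-separation prefix (an assumption of this example, in the spirit of
// Bitcoin's "Bitcoin Signed Message:" prefix): a signed challenge can never be
// mistaken for a signature over a transaction.
const challengePrefix = "proof-of-control-v1\n"

// GenerateWallet creates a fresh key pair. Bitcoin keys live on secp256k1;
// Go's standard library only ships the NIST curves, so P-256 stands in.
func GenerateWallet() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// AddressOf derives a stand-in "address" from the public key: the SHA-256 of
// the fixed-width X||Y coordinates. The principle (address = hash of public
// key, so the key itself must be revealed to verify) is what matters here.
func AddressOf(pub *ecdsa.PublicKey) string {
	raw := make([]byte, 64)
	pub.X.FillBytes(raw[:32])
	pub.Y.FillBytes(raw[32:])
	h := sha256.Sum256(raw)
	return hex.EncodeToString(h[:])
}

// NewChallenge is the verifier's side: a fresh random nonce plus a timestamp
// and the verifier's name, so a signature over one challenge is useless for
// any other.
func NewChallenge(verifier string) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ts := time.Now().UTC().Format(time.RFC3339)
	return fmt.Sprintf("%s:%s:%s", verifier, ts, hex.EncodeToString(nonce)), nil
}

// digest commits the signature to prefix||challenge exactly.
func digest(challenge string) []byte {
	h := sha256.Sum256([]byte(challengePrefix + challenge))
	return h[:]
}

// SignChallenge is the prover's side: sign the verifier's message with the
// wallet key. No funds move.
func SignChallenge(priv *ecdsa.PrivateKey, challenge string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(challenge))
}

// VerifyChallenge checks the signature under a given public key.
func VerifyChallenge(pub *ecdsa.PublicKey, challenge string, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(challenge), sig)
}

// VerifyForAddress is what a verifier who only knows the address does: first
// confirm the presented public key really hashes to that address, then check
// the signature. Skipping the first step lets anyone "prove" any address.
func VerifyForAddress(addr string, pub *ecdsa.PublicKey, challenge string, sig []byte) bool {
	return AddressOf(pub) == addr && VerifyChallenge(pub, challenge, sig)
}

func main() {
	priv, _ := GenerateWallet()
	addr := AddressOf(&priv.PublicKey)
	challenge, _ := NewChallenge("example-verifier")
	sig, _ := SignChallenge(priv, challenge)
	fmt.Println("address:", addr)
	fmt.Println("challenge:", challenge)
	fmt.Println("proof valid:", VerifyForAddress(addr, &priv.PublicKey, challenge, sig))
}
```

The verifier must generate the challenge itself; accepting a prover-chosen message would let the prover reuse something signed long ago, which is exactly the replay the nonce is there to prevent.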
That actually makes the most sense to me. Even makes me wonder about whether it could be an insider leak - someone who knows of an unadvertised exploit that has been patched internally and sold it at the last minute or something.
This makes way more sense than any of the other suggestions in HN.
DMs are almost worthless; who uses DMs for anything important? It's for contacting people you kinda know but not really. State secrets aren't transmitted over DM, but not because people wouldn't be stupid enough to do it. The people holding them are much older than the demographic that uses Twitter DMs. Worst case with DMs is some new YouTuber drama would be exposed.
You're underestimating the situation. One possibility is that someone has some information that can be used to blackmail them be exposed. I wouldn't be surprised if there was a politician that used Twitter DMs in such a fashion.
a lot of tech support includes PII over DM. Just in my list right now tmobile has enough in a dm thread for someone to call up and take over my line. It's stupid.
I don't understand this angle because typically admin panels only let you manage the account; deactivate, manage email address, etc. As shown in the screenshots.
Tweeting on behalf of another user seems like an unnecessary feature to give admins.
I've worked on products before that have a feature that lets an admin open the site using the user's session, which is useful for verifying issues that only present when logged in as the user.
To be fair though, this was not for a social network, and even if you broke into that account there wasn't much you could do beyond paying the user's bills.
Current consensus theory is attackers used the admin panel to change email address to an account they owned, then used that to trigger a password reset and gain control.
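The sequence described in that theory (admin-tool email change, then a password reset to the new address) is exactly the kind of pattern an audit-log detection can catch while it is happening, and a single agent doing it across many accounts in a short burst is the strongest signal. The following is an added example for this thread, not Twitter's code or anything from the commenters; the audit-log format (`RFC3339 actor=... action=... account=...`), the action names, the 30-minute window and the sample lines are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one line of an assumed admin-tool audit log.
type Event struct {
	Time    time.Time
	Actor   string // support agent id, or "self-service" for user-initiated flows
	Action  string // e.g. admin.email_change, password_reset
	Account string
}

// Alert: an admin-initiated email change on an account was followed by a
// password reset on the same account within the window.
type Alert struct {
	Account       string
	Actor         string // the agent who changed the email
	EmailChangeAt time.Time
	ResetAt       time.Time
}

// ParseAuditLine parses "RFC3339 key=value key=value ..." (assumed format);
// unknown keys are ignored so extra fields do not break parsing.
func ParseAuditLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := Event{Time: ts}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		switch parts[0] {
		case "actor":
			ev.Actor = parts[1]
		case "action":
			ev.Action = parts[1]
		case "account":
			ev.Account = parts[1]
		}
	}
	if ev.Action == "" || ev.Account == "" {
		return Event{}, fmt.Errorf("missing action/account in %q", line)
	}
	return ev, nil
}

// ParseAuditLog parses a newline-separated log; a bad line fails the whole batch.
func ParseAuditLog(log string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		ev, err := ParseAuditLine(strings.TrimSpace(line))
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// FindTakeoverPatterns walks the events in time order, remembers the latest
// admin email change per account, and raises an alert when a password reset
// on that account lands within the window.
func FindTakeoverPatterns(events []Event, window time.Duration) []Alert {
	sorted := append([]Event(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })
	pending := map[string]Event{} // account -> most recent admin email change
	var alerts []Alert
	for _, ev := range sorted {
		switch ev.Action {
		case "admin.email_change":
			pending[ev.Account] = ev
		case "password_reset":
			if chg, ok := pending[ev.Account]; ok && ev.Time.Sub(chg.Time) <= window {
				alerts = append(alerts, Alert{ev.Account, chg.Actor, chg.Time, ev.Time})
				delete(pending, ev.Account)
			}
		}
	}
	return alerts
}

// ActorsAboveThreshold returns the agents whose email changes produced at
// least n alerts: one agent behind many resets is the burst worth paging on.
func ActorsAboveThreshold(alerts []Alert, n int) []string {
	counts := map[string]int{}
	for _, a := range alerts {
		counts[a.Actor]++
	}
	var out []string
	for actor, c := range counts {
		if c >= n {
			out = append(out, actor)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample log: two accounts hit by the same agent within minutes,
// one legitimate-looking change with a reset hours later, one reset with no
// preceding change.
const sampleAuditLog = `
2020-07-15T20:01:12Z actor=support-agent-42 action=admin.email_change account=@exampleceo new_email=reset-target@example.invalid
2020-07-15T20:03:40Z actor=self-service action=password_reset account=@exampleceo
2020-07-15T20:05:02Z actor=support-agent-42 action=admin.email_change account=@examplebank
2020-07-15T20:06:15Z actor=self-service action=password_reset account=@examplebank
2020-07-15T21:30:00Z actor=support-agent-7 action=admin.email_change account=@normaluser
2020-07-15T23:59:00Z actor=self-service action=password_reset account=@normaluser
2020-07-15T22:00:00Z actor=self-service action=password_reset account=@someone
`

func main() {
	events, err := ParseAuditLog(sampleAuditLog)
	if err != nil {
		panic(err)
	}
	alerts := FindTakeoverPatterns(events, 30*time.Minute)
	for _, a := range alerts {
		fmt.Printf("ALERT %s: email changed by %s at %s, reset at %s\n",
			a.Account, a.Actor, a.EmailChangeAt.Format(time.RFC3339), a.ResetAt.Format(time.RFC3339))
	}
	fmt.Println("agents above threshold:", ActorsAboveThreshold(alerts, 2))
}
```

A single email-change-then-reset pair is routine support work; the rule only becomes actionable when combined with the per-agent count, which is why the threshold function is separate from the pair detector.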
Honestly, we should be relieved if that's all that was stolen. A more sophisticated attack would involve OTM puts on TSLA and a tweet along the lines of: "finding major defects in Ys and 3s. shutting down all lines to reconfigure for a week"
He was an investor of ours, and among the most useful. There was rarely a founder/investor issue he hadn't run into, or knew someone who had. That sort of help is invaluable to founders, especially given his experience and everything he knows about both raising, and building a company. He's really solid.
In case anybody else had no idea who this "naval" is:
Naval Ravikant (@naval) is the CEO and co-founder of AngelList. He’s invested in more than 100 companies, including Uber, Twitter, Yammer, and many others.
Here are a few I just invented to mimic these pseudo philosophers (modern day VC charlatans):
Tomorrow is a mist. Today's the sunshine.
Make the world better by building something anything today.
Build shit. Ship shit. That's all there is to success.
-----
I almost feel like these Twitter personalities like Balaji, Naval, Chamath are the VC equivalent of Shia LaBeouf. They became popular by shouting out loud. I have no idea why they matter at all in the computer science industry.
>>I have no idea why they matter at all in the computer science industry.
What is the computer science "industry"? To the extent that such a thing exists, I suppose you are talking about people who have directly made money by creating software (Chamath), or invested in companies which made money (Naval and Balaji). How can any industry exist if no money is ever made?
And whom do you propose people follow instead? :-)
With Balaji Srinivasan it is even worse. He is an open supporter of Modi, the current prime minister of India (BJP party), and supports the caste system. My advice is if you are not from the upper caste (Brahmins) do not waste your time with him.
I'd wager the list of folks who:
-hold a meaningful enough short position for a potential attack to be worth, say $500k or more (not a rando robinhood trader with a $200 put)
-are not an existing bank or long term day trader
is already quite small, and could be quickly prioritized based on how anomalous the trade was and other flags (foreign national, software engineering background). I suspect the SEC could get to a workable list of 50 prime suspects reasonably easily.
There are people on /r/wallstreetbets who are blowing up 100k accounts on TSLA puts on Robinhood. On the front page of /r/wsb right now the 3rd highest post is someone who has lost 30k gambling on TSLA.
Even betting 20k would have probably netted you more than what was gained via BTC and you would still be indistinguishable from RH day traders.
I'd imagine picking a highly volatile stock with a lot of wallstreetbet bros in it, like TSLA, would serve to helpfully obfuscate your trades and their relationship to the hack.
How would it be harder to launder? You bet on a Tesla stock drop. That's perfectly legal. Musk tweets some bad news, and says he was hacked, but that doesn't mean you hacked him.
Market surveillance is much better than most people realize. The accounts making money on a scam like this would be identified, filtered for anomalous activity, and the people at the other end investigated.
I can't find the tweet now, but Tavis Ormandy once talked about companies share prices often rebounding after a breach, so he was buying stock in companies that got hacked. Equifax was an example, I think.
Yeah, buying out-of-the-money options is a dumb way of insider trading in general, but on TSLA specifically you might be able to get away with it. Just don’t make your first trade right before you post to Elon’s account.
Not that it changes your point, but hacking Musk's account to tweet wrong info about TSLA would be fraud, not insider trading, since they're not actually an insider. Either way, OTM options is a dumb way to profit on fraud or insider trading.
The hacker could have puts on Twitter as well. The Bitcoin scam might be just a cover / distraction so it looks like an unsophisticated hacker while the real money might be made with options contracts.
Yeah.. seeing Twitter's drop that's definitely possible and pretty imaginative. But Twitter's drop wasn't that sharp. Also, running this after hours means the options markets are closed and putting on a big short position can be super risky since there may not be a huge amount of liquidity to cover your position, then you'd have to sit on it overnight.
This is the route I would have taken, but not with OTM puts. It’s far easier to let the stock tank, then buy up calls knowing that the reason is bullshit, and wait for the price to recover and sell.
You will blend in perfectly because you have an alibi for why you are buying so many TSLA calls.
And when you buy an OTM put, it’s hard to predict what a good price would be exactly. How far do you think the stock would drop? With a call you could be fairly more confident it will return to a previous level.
That said, this kind of attack requires you to have a good amount of capital on hand, so you need to be a fairly independently wealthy hacker.
If this rocks Twitter to its foundation as a trustworthy platform, it's the end of Twitter as far as prominent figures being willing to utilize it. If Twitter loses its prominent figures edge, it's all coming down. Twitter has nothing else, it's mostly a broadcast platform for elite people in terms of where the extreme majority of all of its value is produced.
That said, that outcome is far-fetched. The content that was Tweeted appears to be far too benign to accomplish that outcome. The attackers seem to have intentionally avoided Tweeting anything particularly dangerous. If they were trying to ruin Twitter, they would have used the accounts to do something far worse, that would terrify prominent figures away from using the service.
I think they had one target in mind, to go after their DMs, and hit lots of accounts as a cover to hide which one was the primary target.
I would argue it's kinda the opposite. With some trades, the SEC knows who you are but there's no direct connection from your transaction to the hacking, so you're free to do whatever with the money and if your trade is this small it'll probably blend right in.
With Bitcoin, sure nobody knows who owns this account, but the blockchain will store every transaction this account and future accounts make, so trying to actually use the Bitcoin is a fair amount harder.
I've seen several live streams on youtube that replay spacex launches and display the same offer. Viewership goes up during actual launches. The one I found had 10k active viewers and the address they linked to had brought in 2btc in under an hour.
Not really, the post office would actually do something if you said "this person is sending scams through your system". They'd do a lot more if 100 people walked in saying the same.
Google does nothing despite thousands of people reporting it.
It's bizarre how they ban completely innocuous stuff and allow the blatant scams to continue despite it being drawn to their attention through reports and Twitter constantly?
This strategy would require having money to begin with. It's a pretty big assumption that hackers have any money. If they had money, they wouldn't have to be hackers.
And it would need to be a relatively small bet compared to your total net worth to avoid detection by the SEC and the hack could fail at the exact time Tesla had a 20% pop leaving you underwater
They would need time to figure out which API endpoint is affected. Twitter is not going to shut down everything just because one endpoint has a possible issue.
Don't know why you're getting downvoted here. The after hours moves in TWTR and TSLA (assuming they're mostly attributable to the hack) absolutely dwarf the amount collected by the hack itself. TWTR has shed about $643 million in market cap, TSLA $2.4 billion.
Haha, I apologise in advance, but for some reason, the tone of your post just made me chuckle. It just had an amusing sort of naivety. It was most likely the hacker's own BTC address.
Just what kind of an operation is Twitter running here? It seems crazy that they don't have any kind of anti-abuse system in place that could just block tweets with this specific Bitcoin address or possibly tweets matching the regexp of any Bitcoin address. I.e. limit the damage and buy a couple of hours while they try to find the root cause.
(Yes, yes, staged rollouts. But anti-abuse systems don't work by those rules, at least in emergencies.)
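Two comments in this thread (the one above and the earlier "a single regex a year ago" remark) suggest an emergency filter that blocks tweets carrying a specific Bitcoin address or anything matching the address pattern. A pattern match alone is noisy because random base58-looking tokens also match, so the filter below validates the Base58Check checksum before it acts. This is an added example for the thread, not Twitter's anti-abuse code or anything from the commenters. It covers legacy `1...`/`3...` addresses only (bech32 `bc1...` addresses use a different checksum and are left out), and the sample tweets and blocklist are constructed; the address in them is the well-known Bitcoin genesis-block address, chosen because its checksum is valid, not the address from this incident.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

// Base58 alphabet used by legacy (P2PKH/P2SH) Bitcoin addresses: no 0, O, I, l.
const b58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// Candidate pattern: leading '1' or '3' (from the version byte) followed by
// 25-34 base58 characters. This only finds candidates; the checksum test
// below drops look-alikes such as an address with one character mistyped.
var legacyAddrRe = regexp.MustCompile(`\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b`)

// decodeBase58 converts a base58 string to bytes, keeping leading zero bytes
// (each leading '1' in the text encodes one 0x00 byte).
func decodeBase58(s string) ([]byte, error) {
	n := new(big.Int)
	radix := big.NewInt(58)
	for _, c := range s {
		idx := strings.IndexRune(b58Alphabet, c)
		if idx < 0 {
			return nil, fmt.Errorf("invalid base58 character %q", c)
		}
		n.Mul(n, radix)
		n.Add(n, big.NewInt(int64(idx)))
	}
	out := n.Bytes()
	for _, c := range s {
		if c != '1' {
			break
		}
		out = append([]byte{0}, out...)
	}
	return out, nil
}

// IsValidLegacyAddress checks Base58Check: 1 version byte + 20-byte hash +
// 4-byte checksum, where checksum = first 4 bytes of sha256(sha256(version||hash)).
func IsValidLegacyAddress(addr string) bool {
	payload, err := decodeBase58(addr)
	if err != nil || len(payload) != 25 {
		return false
	}
	if payload[0] != 0x00 && payload[0] != 0x05 { // mainnet P2PKH / P2SH version bytes
		return false
	}
	h1 := sha256.Sum256(payload[:21])
	h2 := sha256.Sum256(h1[:])
	return bytes.Equal(h2[:4], payload[21:])
}

// ScanTweet returns every checksum-valid legacy address in the text and whether
// the tweet must be blocked outright because one of them is blocklisted.
// Non-blocklisted addresses are still returned so the caller can hold the
// tweet for review or rate-limit the account instead of dropping it blindly.
func ScanTweet(text string, blocklist map[string]bool) (addrs []string, blocked bool) {
	for _, cand := range legacyAddrRe.FindAllString(text, -1) {
		if !IsValidLegacyAddress(cand) {
			continue
		}
		addrs = append(addrs, cand)
		if blocklist[cand] {
			blocked = true
		}
	}
	return addrs, blocked
}

// Constructed sample tweets. The first carries the genesis-block address
// (valid checksum); the third has its last character altered so the
// checksum fails and the pattern match alone would be a false positive.
var sampleTweets = []string{
	"I am giving back to my community. Send BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa and I will send back double!",
	"Loving the new #TwitterAPI docs, nice work",
	"my address is 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb lol",
}

func main() {
	// Constructed blocklist: in an incident this is the address being pushed.
	blocklist := map[string]bool{"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa": true}
	for _, tw := range sampleTweets {
		addrs, blocked := ScanTweet(tw, blocklist)
		fmt.Printf("blocked=%-5v addrs=%v  %q\n", blocked, addrs, tw)
	}
}
```

The blocklist is the part that needs to be pushable in minutes; the checksum step is what keeps a "block every address" rule from also eating ordinary text that happens to look like one.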
It's absolutely crazy. This doesn't look like just leaked keys - it looks like genuine, manual access to accounts (as well as automated). The whole system must be compromised. @kanye replied to the scam tweet with "Sent out over $2,000,000!" [1].
Daaaaaaamn! I bet morale really has deteriorated since national politics leaked into business decisions and employees being cut off from their daily social interactions isn't helping.
I can't count the number of times people have asked here "How can Twitter possibly employ 4,000+ employees?". Well, I suppose we've learned 4K isn't even enough for good anti-abuse systems.
On a serious note, does that 4000+ employees include the content moderators? If yes, then I can see why. If not, then I am not sure what that many employees is for.
Kill-switches are dangerous, since they get built and never get used. I work on an anti-abuse system. It caused two user-visible outages in the last couple of years, one of which was an accidentally triggered kill-switch that had not been used in years and had some unexpected side-effects.
So I can see why they wouldn't have one of those pre-built for setting the entire site to a read-only mode. It's not at all obvious whether the risks are larger with or without that capability built in. But a spam filter with configs you can push quickly seems like table stakes, and should be a system that gets exercised weekly if not daily.
They are somewhat right. I have built these feature flag/kill switch kind of things and they rarely get tested. Over time it might not even work or have other side effects.
On the other hand, a product like Twitter having some content moderation filter seems very likely.
Even if there is no "huge red button", at this stage it should be easy to reconfigure their load balancers to just return 500 for all endpoints or even take down their DNS records and essentially shut down the platform until they sort it out.
If there was no other option I would personally go as far as pulling the power, data loss be damned.
This is in many ways worse than your typical large-scale malware or ransomware crisis (like the one that hit Maersk for example).
Malware or ransomware attacks are typically limited to internal company impact with potential stolen data (which you usually discover after it’s been stolen already).
This current situation however has ongoing external impact for as long as the platform is kept online and could even have geopolitical repercussions if a certain high-profile “real” account ends up affected.
The fact that they left the platform online for so long with an ongoing, uncontained attack is absolutely irresponsible.
Twitter should suspend the entire platform until they can credibly fix this and prevent it in the future. An attacker could drop AMZN stock by 10% in minutes with just the wrong tweet from Bezos.
Even worse? How about POTUS declares war on China thru twitter? OMG, I just realized how dumb that would have been to say back in 2016. But these days?
This hack could absolutely get people killed. There are several tweets I can think of from POTUS that would begin immediate military mobilization from an unfriendly country.
What's going on there? The fact it was a draft tweet - is the implication that North Korea can read his draft tweets before they are posted? Or could at the time?
That’s a scenario I find much less likely than the hundreds of Trump tweets that would set off domestic violence within minutes.
If Trump tweeted what the fringe communities want to hear, that would turn ugly very quickly (example: Trump tweets that state law enforcement have started rounding up people with Hawaii shirts and confiscating their weapons and should be seen as enemy combatants and engaged on sight).
A well crafted tweet about e.g. the Taliban could easily put US soldiers abroad in harm's way immediately too.
I think you’re overestimating the number of people in the US who would actually respond decisively to something like that. But it’s more than zero, unfortunately, which is too many.
It would with Trump - because we know his diplomacy runs through Twitter. With other presidents like Obama or Bush (did Twitter exist back then?) I would expect the risk is lower.
Yeah, this could've been very bad. I don't buy that it's a test. Twitter is going to fix this. Probably it's a restriction of the exploit that you don't know the posting account or something.
You aren't wrong. If Trump suddenly tweeted that QAnon followers should murder as many leftists as they can and that he'd personally commute their sentences, I think we'd see at least a few people respond by doing what they are told.
All we have here is an announcement. Seriously doubt this was the "official" firing, hiring or promoting of anyone. The statement in the article isn't even from Tillerson, so we don't really know.
> Other nations are not going to read the US law first before deciding if the declaration was or not real
There's a lot more formality to declaring war, for any nation. Not to mention the lack of anything else to support such a statement, like an actual press conference or public statements, media attention or, you know, actual military movement which all capable nations track constantly.
You again? Please stop with the Trump apologism already, we have a trade war that was mostly conducted via twitter, people heard via twitter that their services were no longer required, the whole Mexican affair was conducted via the phone and when that didn't work out led to a slew of angry tweets. There is definitely precedent enough that if Trump's twitter account would speak the right magic words that you can expect a reaction.
"Dear Twitter Followers, It is with grave heart that I have to ask you to do the right thing for your country, go out and do something about - insert bogeyman of the hour here - and I will be sure to reward you greatly. The time has come to do your part. I personally promise to pardon anybody that ends up on the wrong side of what today still is the law. Let's take this country and make it even greater."
That's just a two minute sample, give me an hour or so and I'll come up with something much worse than that. These things are easier to start than to stop.
I think you read far too deep into things you don't like, and try to find something to be upset about. It's kind of the national pastime these days, it seems.
No nation is going to start killing people because of a Tweet. Be realistic.
It detracts from your otherwise valid points when paranoia and blind hatred overshadow your arguments.
The number of posts you've made about the leader of a foreign nation is astonishing. Are there zero domestic problems to be fired up about?
> Sorry, but you don't have the actual insight necessary to understand the complicated local politics of a foreign country.
I've lived in Canada and the United States, I ran a business there and I have more American friends than European ones. I think I'm perfectly capable of understanding American politics. Likely I know more about your political system and its idiosyncrasies, as well as how the legal system works, than a large number of Americans. You're more than welcome to criticize the leaders of my nation with cause. But you likely won't even know their names.
> I think I'm perfectly capable of understanding American politics
You're making wild assertions based on supposition and nothing else. Worse, you're using deliberately spun articles to support your nonfactual assertions.
You're getting all worked up about leaders of a foreign nation, that literally have nothing to do with you or have any impact on you. Trump said mean stuff on Twitter so people thousands of miles away should engage?
> You're more than welcome to criticize the leaders of my nation with cause. But you likely won't even know their names.
No I don't, and I don't care. How your nation governs itself is your nation's business, and the entire point I'm making. It's OK to ask questions, or wonder aloud... but to pretend to have a deep understanding and an authoritative judgement on foreign affairs, based on clearly biased opinions disguised as facts is simply unbecoming and devastatingly unproductive.
What you are engaging in is sport... not a civil discourse.
> Worse, you're using deliberately spun articles to support your nonfactual assertions.
Argue the facts then, not the source.
> Trump said mean stuff on Twitter so people thousands of miles away should engage?
Trump said mean stuff on Twitter that has resulted in my friends being more at risk than they should be, people I care about getting gravely ill and quite possibly will result in one or more of them dying. If this sounds like 'fun and games' or a spectator sport to you then I'm sorry, I am not amused.
> You're getting all worked up about leaders of a foreign nation, that literally have nothing to do with you or have any impact on you.
America and the American economy impact the world.
> No I don't, and I don't care.
That's fine by me, but that is your choice and I have made my choice differently. The United States' well-being concerns lots of people outside of the United States. That is the kind of responsibility that comes with being a superpower, like it or not.
> How your nation governs itself is your nation's business, and the entire point I'm making.
And yet, if a foreigner would have something useful to say we'd likely listen. Because typically outside perspective is worth a couple of IQ points.
> It's OK to ask questions, or wonder aloud... but to pretend to have a deep understanding and an authoritative judgement on foreign affairs, based on clearly biased opinions disguised as facts is simply unbecoming and devastatingly unproductive.
And that is your opinion. The whole idea that the media can no longer be trusted unless they clap in sync with the Trump marching orders is ridiculous. If you want some problematic media, look no further than Fox News or Breitbart.
> What you are engaging in is sport... not a civil discourse.
So you keep saying. But it isn't a sport to me, it is deadly serious. And lots of American lives are on the line proving that on a daily basis.
The United States' well-being has deteriorated largely due to people who don't understand our values, priorities, and the sacrifices our citizens have made to ensure our posterity, telling the US how to run itself. I sincerely believe you care and for good reasons. But it's also not your country that has to feel or deal with the effects of everyone telling the US what is important and how to run their country. Just, keep this in mind.
You've been "following this closely for 3+ years" through the lens of a group of people (journalists) who have political views that are strongly in opposition to that leader. Of course they would tell you that he is unstable, that he is wrecking the country, and so on. Those journalists are even employed by companies that want access to large and powerful countries that dislike a US leader who isn't a pushover in trade negotiations. Given those facts, it would be shocking if you got a fair view of the matter.
Doesn't matter. Imagine, for a moment, a Tweet posted on Trump's account along the lines of Reagan's joke in 1984 [1]:
> Iran has gone TOO FAR! As President I have ordered the use of nuclear weapons against key military targets. We begin bombing in five minutes.
Regardless of the plausibility of the message, it would be likely to trigger a panicked response from foreign militaries. It's not at all implausible that it'd start a war.
Honestly I'm kind of enjoying seeing what it is doing to my feed with only unverified accounts and verified retweets. Twitter hasn't been this much fun in months.
Can confirm - my wife has a verified account and a company account and both are unable to tweet, though one can still quote retweet apparently, but that's probably just a lagging feature flag.
Many powerful actors, including state actors, would love to see Twitter, as a political instrument, go away. It could even be our own, or a dissident group within our own, IC. If someone can get a presidential candidate and an ex-president's twitter account to say what they want, then that is pretty much the end of Twitter as a political tool.
I hadn't really considered that the attack might be against Twitter, the corporation, itself. The BTC thing is obviously too stupid to be the objective, but if you hate Twitter, would there be a better way to tear down the entire site than doing something like this?
I'm not so sure about that. Sure, it didn't impact THE account or crash the stock of an unaffiliated company, but that proverbial bullet flew close and I bet that quite a few powerful people felt the wind. The "harmless" nature might spare the hackers a bit, but it definitely won't spare Twitter.
Yeah, that would be my hunch too. To gather potentially damaging messages from Obama, et al, and damage Twitter. Interesting that the Russian Foreign Ministry's Twitter was hacked last week. Maybe related (a test or to throw off the scent?): https://www.forbes.com/sites/daveywinder/2020/07/04/hackers-...
It's an interesting coincidence that the "digital guru" Brad Parscale was demoted and another guy promoted at the end of the day. Hopefully it's not related, but the list of Twitter accounts compromised would be an oppo researchers dream (and there could be more accounts compromised that weren't publicly flagged).
Verified Twitter user here: Locks [1] are in place, attempting to tweet throws an error: Something went wrong, but don't fret -- let's give it another shot.
At the bottom of the page, a notification appears: This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later.
Your site is getting hacked, you don't know how the hackers are doing it, what do you do ops wise? Take the whole site down for a few hours? Because the entire platform is compromised, how do you handle that?
More of a b2b context. However, we've had an unannounced pentester achieve RCE on our systems. Not a fun situation.
At that point, we were forced by our contracts, and data protection laws, and a CEO aware of all of these, to shut the affected productive system down. We stopped all services, set the firewalls of our hoster to only accept traffic from our office and that's it, while figuring out wtf happened. Those measures overall reduce the situation to a known situation again. If someone in our office is hostile.. that's another issue.
After a bit of analysis, we figured out the IPs attacking us and we blacklisted those on the firewall of the other production systems. Eventually things cleared up to be a pentest no one told us about.
If the attack had moved into these other systems, we'd have had to extend the nuclear solution to those systems too. At that point, we'd have had to lock out some 30k+ FTE users. I think we'd have been able to make national news with that for our customers. Except.. not good news.
A manager at a customer told a pentester to take our system without telling anyone. As simple as that. The pentester did. We axed their system.
This was elevated in ridiculousness, because said manager was backpedaling really, really hard after we contacted the pen-testing company as well as the customer's senior management. However, all attempts at reinstating the system were swiftly blocked by the customer's security policies and security teams. So, the system stayed down for a solid amount of time.
After all, the customer insisted on us participating in their security workflows for that system under their security team's control. And from their company's point of view, this was an external hostile attack -- since the manager didn't tell anyone.
I doubt this is a productivity issue or an infrastructure issue - shutting off write access is a major business and reputational loss, and I can easily see cultural factors pushing people not to take that step.
This is possibly a blessing in disguise. Obama and Biden's accounts have been hacked as well so this basically just burned Twitter as an international political platform.
Following that thought, it is entirely possible the whole point of the hack is to discredit Twitter and the bitcoin bit is just smoke.
Should have gone read-only when the flood started. If they didn't have the forethought to have a read-only mode, then yes, show a failwhale while they investigate.
If you can't have a log trail that establishes how someone tweeted something, you might as well shut down then.
It should become very apparent how this is done through the correct levels of logging. Unless of course Twitter's backend firefighting team consists of hasty tooling that writes directly to production tables with no oversight (which also sounds like a possibility)..
I do not think that a 3rd party tweet scheduling program has been hacked, because the tweets say they have been sent by “Twitter Web App”. Maybe the new feature on twitter.com to schedule tweets has a security vulnerability?
I've not checked the Twitter API docs, but I've seen stuff like "Posted from: Zombo smart fridge" and was under the impression an app could fill that field in with whatever they like.
Some folks are saying some of these accounts had 2FA, so can be the case but I guess if it was a system thing, we might have seen tweets from more prominent accounts.
I believe I read something (trying to find it) about Twitter internally having additional protections on Trump's account. Only a handful of people within Twitter can touch it.
They're clearly trying to avoid the risk of being tracked. For example, they could have done stock manipulation and made more money. Trump is someone with the power and craziness to spend a hundred million tracking you down and literally dropping bombs on your head. So it'd be poor risk management to go after his account.
> President Trump has bestowed additional authority on the Pentagon in his first months in office, which the military has argued will help it defeat the Islamic State more speedily. Mr. Trump did not say whether he had personally approved Thursday’s mission.
> “What I do is I authorize my military,” Mr. Trump said after a meeting with emergency workers at the White House. He called the bombing “another very, very successful mission.”
I think we can imagine being more anti-war than Trump.
Do you remember Jimmy Carter? Being anti-war means deescalation, diplomacy and solving problems without violence.
Kudos to Coinbase - I tried sending a small amount to the account after seeing Elon Musk's tweet, and Coinbase prevented the transaction from occurring.
This is exactly what I was thinking. This has made me lose a lot of faith in crypto, not that I had a ton of faith to begin with. But I keep hearing people talk about blacklisting addresses and blocking transactions. That's scary stuff. How can people ever feel comfortable storing large amounts of money in crypto if the big players can simply block their address and make it near impossible to liquidate their money? I feel like this incident is showing Bitcoin's (at least what Bitcoin has grown to become) true colors.
That is not what's going on here. This is a company protecting its users from a scam. If you don't want that protection, it's quite feasible to not use that company and use one that doesn't do that, or manage your own wallet, or whatever.
If you’re a fan of crypto for its independence and decentralisation, you aren’t going to be storing your coins on coinbase. You will store them on your own hardware.
Moving coins between wallets is simple, it would not be possible to simply block an address to prevent cashing out.
I'm betting Gemini also blacklisted that BTC address, especially considering that they were in the first wave of fake tweets.
Now I'm wondering how much BTC the attacker effectively left on the table by reusing the same wallet address, especially considering that lots of people who deal in crypto use just a handful of exchanges to send it.
It also validates the scam for other users. When they see BTC being sent they are more likely to think it is genuine. I can see sending dust to track the coins, but other than that it's a damn foolish idea.
I'm guessing a social media manager application got compromised, or an exploit in Twitter's API that allows you to post as someone else. It's hard to see all these different accounts falling for the same scam + not having 2FA, etc.
I wonder if Elon is a type of guy who uses apps like Buffer or Social media manager app. It looks more like some exploit within Twitter which they've leveraged and orchestrated a coordinated tweet attack
They seem to have more access than purely posting as the user, I'm seeing reports that the attacker has changed the email addresses associated with the accounts to protonmail addresses.
Surely any individual client would have had their api keys immediately blocked. It would have to be more like a compromise of, say, the API key back end that allows them to surveil logins over a period of time, and the accounts we are seeing hacked is what they scraped.
What can you tweet to trump supporters for maximum monetization? Crypto scam? Doubt many of them own crypto or know what it is. Get them to send western union/itunes gift cards? Too obvious, will probably get clawed back.
Voting preference is voting preference. It doesn’t dictate a person’s entire set of beliefs. Personal observations lead me to conclude that plenty of Trump supporters know he’s crazy but still prefer that to the alternative.
Watch this turns out to be a JS dependency tree problem from some library that was compromised months ago in some NPM module, used in the twitter web interface.
The Twitter web interface doesn't - it's just a JavaScript app that runs in your browser. To post a tweet, it uses the same public API that all third parties use.
To posit that an npm vulnerability in the frontend caused this hack implies that anyone can just curl their way into someone else's account.
I love this theory, but at the same time, I feel that it's unlikely. Without knowing how their back-end is put together, that'd be like... trying to smuggle in a robot into an office building to break into a safe that's inside without knowing the floor plan, what kind of knobs are on the doors, etc.
Could have paid/convinced/threatened an intern/employee to scope it out and then deployed the hack externally to bypass safety measures. Complicated but doable.
Doubtful: It is well documented that Twitter has re-written many parts of the FE/BE framework, so I think it likely that their NIH attitude might be a benefit.
Place your bets, phishing or bug exploit. Some of these targets are too high profile to all fall for it and probably have teams that manage these accounts securely. Edit: 2fa was bypassed, interesting. https://twitter.com/tylerwinklevoss/status/12834920178892595...
> when nearly all hacks have nothing to do with breaking credentials.
This seems like a big claim to make. My understanding is that by far the most common reason accounts are compromised is password reuse combined with another site being compromised.
Sure, I guess that is a wrong assumption on my part.
Perhaps a better way to word it is: two factor auth only seems to protect you if all the other parts of site authentication are solid, which rarely seems to be true.
Well of course if you exclude all of the attacks that didn't happen because 2FA was enabled, then ya, 2FA won't protect you against the ones that still happen. Let's compare this to.... car safety. Ya, if you get hit head on by an 18-wheeler on the highway, your seatbelt is only going to help you as much as the rest of the safety of the car. But in pretty much every other situation, I would be glad to be wearing my seatbelt.
It's uncharitable to focus on the small slice of situations that something doesn't work in order to deem it useless.
Well then we're royally fucked if all it takes is a single rogue admin at this single, societally ubiquitous company to expose everything and let people fire off false declarations of war on each other or short TSLA and additionally make the entire concept of 2FA meaningless.
This was exactly what 2FA was supposed to prevent, and if this is to be believed then because of Twitter's implementation it was all worth peanuts in the end.
There are just too many eyes on Twitter for their administration to let this happen. Twitter has grown into too big and too valuable of a target at this point, and the moment this happens you can't prevent dumb people from falling for it thirty seconds after it gets posted and starts showing up in their feed.
Then why was it even possible to do this from the inside? What employee access controls did they have on administrative accounts?
I'm thinking they're going to need to dig an underground bunker and have everyone be in the presence of at least three other certified minders when a group of two dozen people at a tech startup are the last bastion of hope in preventing the disruption of global communications.
You seem to be greatly overestimating the level of security at most internet companies. I suspect most companies, even some of the huge tech giants, would be susceptible to a sufficiently privileged rogue admin. Heck, the entire NSA had huge amounts of their most sensitive data accessed by a rogue admin contractor.
I wasn't exactly thinking Twitter was perfectly or at least very secure. It just kind of blows my mind at the thought that they might not have considered that that kind of scenario was possible or the chance of it happening was so remote that... it ended up happening.
Maybe I just didn't want to worry about it seeing as Twitter provides me with some sort of value and did end up overestimating their level of preparedness and such.
I guess continuing to use Twitter anyways means being exposed to that risk at some point down the line.
Very strange. Why exactly is it possible for any employee to tweet as any user? Unless the person who was targeted was the database admin himself or something.
Even then, how tech illiterate is this employee with such high permissions to fall for a social engineering attack? I would like to know what this employee's role was in the company.
If I had to guess, the attackers probably didn't even need Twitter employees to have direct access to the accounts. If support tools allow Twitter support staff to change a user's email (which would make more sense, but still be extraordinarily insecure), you basically get full access to the accounts the moment you get control over those tools. It would also explain why all the account emails seem to have been changed.
But even then, that there is no system to detect mass modifications and no delay before the changes take place is incredible. Unless they were able to social engineer their way into multiple employees' accounts to avoid detection, which would be an incredibly bad problem by itself.
Twitter seems to have a shaky history when it comes to limiting employee access to account info.
I am really doubtful they were able to change the email and phone of so many celebrities and powerful people at the same time by phone. Twitter stated "social engineering" but I don't think this was for changing emails and phones of each person one by one.
Well, it's actually not that hard to fall for social engineering even if you're well educated about the topic. Have a listen to an interview Christopher Hadnagy gave on Darknet Diaries.
Fair point. I still want to know how it happened and how the employee who's got to have very high level permissions managed to give access to the entire system including change user email and phone numbers.
It's not too hyperbolic to say that WW3 could be started on a platform like Twitter. Having a "shutdown" button doesn't seem that extreme when essentially the entire site seems to be compromised. I'd bet my bottom dollar that Congressional hearings are going to happen.
It hasn't gotten so far that heads of state end up in angry loops of escalation (yet). Luckily the only 2 hotheads in that position are Trump and Kim Jong-Un, I would argue, and they seem to get along.
Given the nature of how twitter has influenced elections, why would this be extreme? So far the known targets all appear to be of a particular political persuasion, but I haven't seen a comprehensive list yet.
I don’t, they can say anything posing as anyone and the general public will believe it, this is a genuine hazard. Seriously, if I were them I’d pull the plug until this is fixed.
As far as we can tell right now, Obama and Biden could've posted about a complete coup to assassinate Trump and that every middle eastern country already has nukes on their way...
Imagine if the hacker was a bit more nefarious and hacked Trump's account to say he was launching a first strike attack against Iran or on Musk's account saying he was halting Model S production due to battery defect. The real world ramifications could be immense.
A temp fix is to modify the backend to prevent anyone from pasting a bitcoin address or any long string of numbers and letters that may resemble such an address.
Cryptocurrency scams have been going on for years despite the fix being an easy "if reply to a high-profile account and contains the words "bitcoin" or "giveaway" then ban".
If they couldn't (or didn't want to) do it then I very much doubt they can do it now.
Not really. That just prevents them from posting bitcoin addresses. They still have access to all the accounts and can post whatever they like. It's still dangerous. And what about all the real posts that contain long strings?
For the specific variation this hack is currently taking, sure. But the actual problem is that someone has access to these accounts and can post anything they want. That is not okay, and has nothing to do with bitcoin addresses.
A bitcoin scam, in the grand scheme of things, is on the more harmless end of the spectrum of what they could do with this. They absolutely should shut it down while they work this out.
If this is the case, the simple bitcoin scam might make sense as a quick way to cash in before an obvious exploit is patched? Compared to the speculation of hidden agendas at least.
I feel like a bug report might make more sense in that case though...
Yep, that won't be a coincidence. Also a bit relieving because this means that probably there was no access to DMs etc. before the rollout of this feature.
Corporations don't do anything unless there is an executive sponsor and business need/attached revenue. Probably they have never needed a maintenance mode, aka self-imposed downtime. The only thing worse than unexpected downtime is some manager causing the need to turn on maintenance mode. They would lose their job.
We had maintenance mode at MySpace. We could shut down any part of the site with feature flags that could be turned on for ranges of users. Very useful for bringing back the site after an outage and allowing the caches to fill without overloading the underlying DBs. I am sure Twitter has the same, they had scalability issues at the beginning. I guarantee they have a mode to disable posts and a mode to disable authentication so they can recover the underlying systems.
Apparently they flow from high-profile accounts. If someone can inject one message across so many Twitter handles, they most likely can inject other messages as well. Like ones tailored to manipulate the stock market, or impacting international politics.
And more generally, always question the authenticity of any information you receive electronically (email, SMS, PMs, websites etc.), as a basic security principle. "Are they asking for something valuable?". In this case red flags are obviously 1. bitcoin, 2. too good to be true, 3. why would these people just give out money randomly.
In the future the scope may grow to include visual and audio communications which could be faked using AI.
From what we know right now, targeted accounts had their emails and 2FA reset via an admin tool. These attacks were noisy, so the window of opportunity for the attacker was small. The attack was launched after hours, likely to limit the chance that the compromised Twitter employee would be around. So market manipulation wasn’t really a great option.
This was basically a “smash and grab” style attack, which makes sense given the noisy nature of the access. I wouldn’t be surprised if Twitter’s admin tool purposely doesn’t allow employees to silently access accounts.
Yep you’re right. My bad. Hmmm... I still think my point makes sense. The “smash and grab” style attack fits given how noisy it was. People were wondering why they didn’t do something far more insidious like covertly gather everybody’s DMs and such. That’s not really feasible when you know your attack is going to get noticed fairly quickly.
True. Also there would have probably been some time pressure to act given twitter employees would have likely noticed logins from strange devices/locations, and raised some flags.
It's called a website. The office holder communicates via his office's official website. Constituents have email addresses he can email. S/he can set up a Slack/Zoom/IRC channel and have a constituent "town hall".
Tweeting is actually effectively reducing the available bandwidth of communication, and quality of content.
On the other hand, the average person doesn't have the bandwidth to track and follow 50 separate websites for the politicians that affect them....
Like in my case, there's the local village council made of 5 members, there's the town council the village is part of, the county has its own board/council, and then there's the state house and state senate, and then there's the US House and US Senate, and finally the president.
Agreed. Any public sector institution should be running its own W3C standards-compliant infrastructure (or should be paying someone else to run this on their behalf).
I envision that the current centralized services could be getting into this business if they were to white-label their applications.
Imagine "Twitter, but for your own domain" in the way that G Suite is Gmail and Google Apps for your domain.
Searching for the bitcoin address in twitter gives an absolute ton of results. Are all these accounts hacked, or are people now posting just to joke around?
Then they'll just start obscuring addresses by interspersing them with spaces or posting links to third-party sites containing the address.
It's an unending game of cat and mouse. IMO Twitter's efforts at this point are much better spent on finding out how the hack occurred and cutting it off at the source.
Is it just me, or does this seem suspiciously poorly thought out? Perhaps there is a second stage involving stock plays. The BTC thing might be a diversion.
Or we are incredibly lucky and the exploit was found by people with really bad foresight and imagination.
It's true, but maybe not impossible to pull off. The exploit could've been purchased by people deeply connected and organized. If you split your investment and divert it enough, it will be impossible to differentiate from all the other incoming sales tomorrow.
There are so many smarter moves that probably could have been made though. The upside of this one is that we'll keep speculating for a good while (maybe forever) if it wasn't just a stupid crypto scam attempt after all.
1) shut down api endpoints
2) locked down all verified accounts
3) blocked any tweets with the btc address in them
4) make a statement if they really can't stop it?
Simultaneous compromise leading to tens or hundreds of millions of people receiving the same / similar messages for over an hour from the people they trust the most.
This is the earliest non-deleted tweet I've found referencing the bitcoin address (or rather, noticing that an account got hacked). It was sent at 12:23PM Pacific time (more than 1.5 hours ago): https://twitter.com/lawmaster/status/1283481418518208513
It's astonishing that they can't seem to at least shut the platform down. Have they lost control completely or do they think it's preferable to let the scammers go on than to close shop?
Cryptocurrency scams with fake accounts impersonating verified ones have been around for years despite being detectable with a simple regex. There's no reason to believe this disgraceful company actually cares, although after this incident hopefully they will change their mind.
My wild, unfounded conjecture: the attacker discovered this recently and had only a short, fixed time window in which to run a scam. Maybe the time before some maintenance update? So none of the more sophisticated approaches (like selling to the highest bidder or manipulating some stocks) were practical before the vulnerability would be repaired.
If you imagine short notice and a couple-hour window when US markets were closed, are alternative hacks really that much more lucrative?
Okay here is my mostly baseless conspiracy theory:
As many others have noted, access to the compromised accounts is worth several orders of magnitude more money than the hackers were able to extract using this naive bitcoin scam. Whether it's used to manipulate markets or just resold, the hack is probably worth millions or tens of millions. Is it plausible that hackers who could coordinate and execute this kind of a breach would not know how to maximize the value of the hack and would instead opt for a really naive and not especially lucrative BTC scam?
It is also pretty common knowledge that the activist investor hedge fund Elliott Management has wanted Jack Dorsey removed as Twitter's CEO for quite some time. What if the BTC scam is a cover for corporate espionage? What if the purpose of the hack was actually to make Dorsey look incompetent in the most public way possible, and possibly turn many influential public figures against Twitter? Elliott Management has the resources to finance a breach like this as well as the motive.
An alternate theory would be that this actually was a form of market manipulation -- manipulation of Twitter's share price.
I think you underestimate the value of this hack — it's really safe.
BTC is transparent but pretty safe and easy to launder compared to messing with stocks which would draw so much heat that it's very likely you'd get caught.
If their goal was to get BTC, why would they copy/paste the exact same message with the same Bitcoin address for every compromised account? Nobody who could pull this off would be that dumb.
for 15 minutes society was perfect, i felt invigorated and had the ability to dream new dreams, and we were all loving friends. and then the blue checks came back.
I'm honestly surprised that Twitter doesn't have some sort of circuit breaking for such a gigantic attack towards major accounts. It's a PR nightmare that a circuit breaker would help a bit with, no?
Considering that Twitter has taken a decade and not managed to create a functional web media player, something like a circuit breaker is probably low on their priority list.
I still haven't figured out the correct way to watch a video on twitter. I always have to mess around with the mute button, seek back to start of video, etc.
On Chrome, it won't even load up most of the time. Press play and it shows a "failed to load media" error message. I have to refresh the page to get it to work. I've completely stopped playing any media on Twitter.
Twitter and Reddit's tech incompetence absolutely baffles me. How are billion dollar companies not able to make functional video players?
I have a question to ask you all. If I wanted to study things to get to the point where internally/externally I could coordinate a hack of this magnitude, what things do I need to study? What are the technical things needed to pull something like this off? What are the social corporate things I needed to know to pull this off? I know that we don't have specifics, but I'm asking as a pure academic exercise how much I'd need to know to pull this off, and how to get away with it too.
Unfortunately the majority of big breaches like this are a result of social hacking rather than some computer science magic. However, to answer your question of how much you'd actually need to know? Decent networking and system understanding as well as how to apply this knowledge in reverse engineering. Finally you need loads of luck. Most of penetration testing is just throwing existing things at the system and generally looking around for flaws, and if you're lucky you might just stumble on something valuable.
Well that's what I'm asking about. What social hacking principles possibly were used here? What is the understanding that the attacker has about the people inside the company and how security is at companies like this to pull off a breach like this?
My bet is on some kind of client/marketing platform that all these accounts gave write permission to.
Edit: I stand corrected, many other comments mention that the offending tweets appear to be posted from the web app, so this suggests an issue within Twitter itself.
Wonder if this could have been done by a rogue employee at Twitter? Since they are working from home during COVID, wonder what internal controls they have? I know some wondered if they used several high profile accounts, why not the president's then? Well Twitter put extra protections on his account after an employee on their last day decided to suspend his account for 11 minutes. So if this isn't a hack and was done internally that might be a clue.
I was surprised Apple especially got their account hacked, since they are big on security as a company. I know with Facebook a page can have multiple person accounts managing it, but I don't believe Twitter ever had such a thing unless more recently... So if you want multiple people to manage an account you'd use a special tool or just share the login info between your social media team.
I kinda feel like if you have to commute to an office, maybe there's more accountability, as I'd feel someone might be looking more over your shoulder, but it'd depend if someone gets private offices or a more open office design.
It's amusing that this is so successful only because of all the people posting their triumphant screenshots of success in losing all their money.
All it takes is 100 gullible people to net $100k, and there's a lot more than 100 gullible people on Twitter.
And it all happened in the span of 20 minutes. Can we expect any better response in the hopes of preventing this next time assuming all the accounts are hacked already? Or does the nature of realtime media and hundreds of bored eyes sitting on wads of cryptocurrency getting to it first mean it's just game over?
I remember the golden days of messing up people's lives over digital terminals, where the most they'd do was wipe your hard disk or warn the user of something vaguely ominous on the third Tuesday of April like "the Reaper's gonna get you" or play an 80's Top Ten number rendered through the PC speaker all of a sudden, scaring you to death.
From here on out it's always going to be about money, and to me that's just boring and sad.
Should Twitter start supporting cryptographically signed messages? In any case, I wonder about the legal ramifications of this kind of event, for Twitter and for the individuals that have been hacked.
There is no losing in doing so: just put a padlock on verified messages and show the signing key. If the message sounds fishy and it's not verified then you should start worrying.
We've had the technology to avoid these sorts of issues for decades and it's a shame it's still largely unused. Yeah, I know the argument that PGP usability is really bad, but it doesn't mean Twitter or other networks used as official channels can't provide their own friendly interface and start signing/verifying messages; they certainly have the resources.
It's a very very loud attack, no doubt. But how sophisticated is it? Probably not as much as many think. As early reports suggest the attack was done via a stolen employee's token, it suggests the attacker has access to the employee's web browser. Potentially some malware extension that silently sniffs traffic to twitter?
Has Twitter's forever-WFH policy resulted in this zero-day vector, or whatever it is, which has resulted in the hacking of so many big accounts and a Bitcoin scam?
An incredible number of people in the entire world have seen these tweets, and currently, 5:16 eastern, it shows 271 transactions.
Not like everyone who sees these tweets has bitcoin accounts, but less than 300 falling for the fake tweets is such a small number in terms of populations.
It's common to "seed the tip jar" by transferring some of your own BTC from another wallet to the public facing one. So that number should be treated like a ceiling.
Twitter allows users (typically companies) to "promote" tweets, causing them to be seen by users who are not following the account, and hence would not typically see the tweet.
When a user promotes a tweet, they are given the option to hide it, so that it won't show up to users who are following the account directly, or who are looking at the account's profile. This is so that (for example) a company that posts a dozen different variants of an advertisement for different markets won't have all twelve of those show up on their profile page, or on the timeline of any user who's following them.
Apple, for whatever reason, seems to set the "hide this" option for every tweet they post and promote. Why? Beats me.
Hours in, seems the vulnerability was not yet patched but simply blue-checks had posting rights pulled. Only non-verified accounts have been posting the wallet key for a while now (search new to find them).
I know it's easy to judge from afar but I can't believe they're leaving the site up during this.
I couldn’t imagine this being anything other than misdirection. All major registrars do anonymization for free as an opt out. You can manage to fully compromise a giant company but are stupid enough to untick an important box? Not likely.
I have a couple of services that run on twitter API and they have all been suspended in the last half hour. They are definitely in damage control mode.
Recent update: "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."
Shameless plug: All the companies (Google, Microsoft...) are telling us "trust us". But I believe that we should trust ourselves instead of relying on third parties. They always change when business interests change. This is where web3 comes into play. Technologies like IPFS and the safe network are coming. Looking at the scale issue, I guess this web3 takes at least 5 more years. But this kind of p2p technology is possible with a small-scale mesh. Mesh networks within our devices or families. From the beginning, I hated the idea of storing passwords in a third-party password manager. Later, I fell into the same trap because managing a lot of passwords is difficult. So, I'm building an open-source p2p password manager. It replicates the passwords within your devices, instead of storing everything in the vendor's cloud. It's halfway to the closed beta release. I would like to hear everyone's feedback on this idea.
Isn't it obvious? All the hacked accounts were fake accounts from the start managed by twitter employees who fill them with content every day to simulate an active social network. The hack just revealed that Twitter in fact rules the world and all these other companies, billionaires and celebrities simply don't exist.
Imagine for a moment that this ends up being something state-sponsored or that twitters entire DB gets dumped, private accounts and all.
This could have a profound impact on governments who want to target dissidents if somebody for example, only felt comfortable criticizing their government from a protected account...
Based on this, a metric fuckton of small accounts are posting this as well right now. Unless you hacked the backend I don't see why you'd bother with 200 follower accounts.
Where is the proof someone got access to the backend and not those specific accounts? Seems more likely an API client got hacked, possibly one that high profile people might use like a tweet scheduler, but not Twitter, given their threat profile and resources. That would explain why 2FA accounts were affected.
There's no proof since there's no official incident writeup yet. For now there's just Occam's razor since majority/all of those accounts will be 2fa protected.
Yes. Also, we're about an hour in now, and Musk's account just sent out another tweet after the message had been posted and deleted several times. At this point, if it was just an account compromise, someone would have reset it by now.
I was thinking the other day about a digital signature for limited character tweets.
Provided I’m not a cryptography expert and you should explore my ideas with caution, why not even just sign every tweet with an ed25519 signature? It’s only 64 bytes tacked onto the message and easy to verify...
Seems like it would be a nice feature for security-minded folks, and would probably be pretty difficult to roll out to regular consumers. Does Mastodon have something like this? Sounds like something their userbase would appreciate.
You could literally dump the signature in at the end of the utf-8 tweet. A tweet can contain about 500 bytes, the signature is 64 bytes; encode it using utf8 characters and you've got plenty of room for a message and a signature.
I’m honestly surprised this isn’t common already in the crypto space and kinda wonder if I’m missing something
For sure, the hard part isn't building it, it's getting people to actually use it. The amount of effort involved in actually acquiring and transporting a hardware security key is well beyond what most "normal" people are willing to do.
Plus, reading your example in a different comment, it's completely jarring to someone who isn't used to reading things in that format.
I get why everyday users don’t use it but why doesn’t an org like coinbase? Yes, the quick and dirty poc I built in 5 minutes is a bit jarring, but it could easily be adjusted so the beginning of the tweet reads like it normally would and the end is the cryptographic signature neatly separated from the main message.
Putting tweets on a blockchain would make it very difficult to delete them or edit them but offer no more certainty than a regular tweet that includes a signature verifiable with a known public key of mine.
I just don’t want someone impersonating me on any one of the many random websites I have a profile on, where anyone with access to the db can write whatever they want under my name.
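The scheme sketched in this subthread (ed25519 signature appended to the tweet text, verified against a public key the account publishes elsewhere), as an added example that is not the poster's proof of concept and not anything Twitter offers. It assumes a constructed " sig:" marker before the signature and base64url encoding (86 characters for the 64-byte signature) rather than the UTF-8 packing the poster suggests, and it enforces the 280-character limit on the combined text. Verification fails for altered text, for a missing or malformed signature, and for a signature made with a different key:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Assumed convention (not Twitter's): the signature follows this marker.
const sigSep = " sig:"

// Twitter's per-tweet limit, counted in characters.
const maxTweetChars = 280

// NewKeyPair generates an ed25519 key pair; the public key would be published
// out of band (profile, website) for followers to verify against.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignTweet appends a base64url-encoded ed25519 signature (64 bytes -> 86 chars)
// of text to the tweet body and enforces the character limit on the result.
func SignTweet(priv ed25519.PrivateKey, text string) (string, error) {
	if strings.Contains(text, sigSep) {
		return "", errors.New("text must not contain the signature marker")
	}
	sig := ed25519.Sign(priv, []byte(text))
	signed := text + sigSep + base64.RawURLEncoding.EncodeToString(sig)
	if utf8.RuneCountInString(signed) > maxTweetChars {
		return "", errors.New("signed tweet exceeds 280 characters")
	}
	return signed, nil
}

// VerifyTweet splits a signed tweet at the last marker and checks the signature
// with pub. It returns the plain text and whether the signature verified.
func VerifyTweet(pub ed25519.PublicKey, signed string) (string, bool) {
	if len(pub) != ed25519.PublicKeySize {
		return "", false
	}
	i := strings.LastIndex(signed, sigSep)
	if i < 0 {
		return "", false // unsigned tweet: treat as unverified
	}
	text, encSig := signed[:i], signed[i+len(sigSep):]
	sig, err := base64.RawURLEncoding.DecodeString(encSig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", false
	}
	return text, ed25519.Verify(pub, []byte(text), sig)
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	signed, err := SignTweet(priv, "Giving nothing away today. Ignore anyone who says otherwise.")
	if err != nil {
		panic(err)
	}
	fmt.Println(signed)
	text, ok := VerifyTweet(pub, signed)
	fmt.Printf("verified=%v text=%q\n", ok, text)
	// Someone who can post as the account but does not hold the key cannot
	// produce a verifying signature for altered text.
	forged := strings.Replace(signed, "nothing", "Bitcoin", 1)
	_, ok = VerifyTweet(pub, forged)
	fmt.Printf("forged verified=%v\n", ok)
}
```

The design point is the one the thread circles around: a signature only helps if the private key lives with the account owner and never with the platform, since an attacker with the platform's own posting tools (as in this incident) could otherwise sign too. The 86-character overhead is what the "plenty of room" claim costs in practice under base64url; a denser UTF-8 packing would shrink it but is harder for readers to distinguish from noise.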
About $110k in the address. Honestly not that impressive for a hack of this scale. I wonder what they could have gotten if they reported this for a bug bounty instead.
Or as Matt Levine said, "if I got Elon Musk's twitter password I'd wait until market hours to use it."
Back in 2013 when I was working at Sky News, the person responsible for the social media accounts (with millions of followers in total) stormed into a meeting: "Our Twitter account has been hacked".
This was at a time when many high-profile news Twitter accounts were hacked by so-called "electronic armies" who published damaging tweets. However in our case it was a single obscure "Colin was here" tweet.
We had recently built an internal endpoint in one of the backend apps that takes a string and publishes it straight to the main breaking news Twitter account. This was integrated with a custom UI tool that the news desk people used to quickly break a story across TV, Twitter, the website etc with one click.
I had a suspicion that this endpoint was how that tweet was published, but could not prove it. Many thoughts were going through my head.. “is this an internal job, or did someone hack our backend system and somehow figured this out etc.. “
We quickly returned to our desks, and straight away I grepped our logs for "tweeting", as I developed that feature and was sure we logged that when the endpoint is called, but in the heat of the moment forgot the “-i”, as the log message actually contained "Tweeting" (which cost us a few minutes). In the meantime there was panic around the business, people were putting out PR statements just in case it was a real hack, the tweet was deleted etc.
Finally, with help from colleagues, we tracked down a "Tweeting" log message around the same time the tweet was published along with the HTTP request source IP, and traced it (just like in movies) to our secondary news studio in Central London. This is when one of the managers shouted "I know a Colin who works there, he's a testing team manager!".
We gave Colin a ring to understand what was going on, he had no idea about any of this but said he was doing some DR testing earlier of all tools that editors use, and wasn’t really aware this would go out. As you can imagine, it could have been much worse.
The entertaining bit was the 30 minutes of fame this mysterious Colin enjoyed on the internet, where many people were worried about the welfare of "Colin", and it was picked up by various [1] news [2] websites.
Their reputation and the post-mortem/cleanup effort of this hack already wiped out a significant chunk of their advertising profit. Taking down the platform for one day would be a drop in the bucket in comparison.
They are causing extreme damage to lots of high-profile people's reputation every second the platform is kept active. I wouldn't be surprised if lawsuits appear as a result of this. Taking down the entire platform would be safer and would at least stop the damage.
This "send me btc to send you more btc" scam has been happening for the past few months and Charles Hoskinson (https://twitter.com/IOHK_Charles), founder of the Cardano blockchain, was warning about this issue for a while; he mentioned his team was trying to get in touch with twitter and youtube to stop this and these companies have let this slide for a while.
> “I am giving back to my fans. All Bitcoin sent to my address below will be sent back doubled.”
So Twitter is the real-life Jita local chat? Does this also mean BTC is as meaningless as ISK, that people are willing to gamble it on a doubling scam?
This reminds me of 2013 when The Associated Press was hacked with a tweet of "Breaking: Two Explosions in the White House and Barack Obama is injured" and erased $136 billion in equity market value:
Wouldn't it be possible to block this attack by flagging all tweets containing the Bitcoin address in question? I would've assumed that Twitter could do something like this, maybe even already set up an automated system.
Treating the symptom and not the cause. The scam itself is (arguably) less damaging than whatever the hacker(s) can do with the access they've obtained.
Block bitcoin addresses, and they'll move on to different types of messages.
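The "flag tweets containing the address" idea above, written out as detection logic in Go. This is an added example, not anything from the thread or from Twitter; it assumes the defender wants to catch the address family rather than one string, so it matches the shape of legacy base58check addresses and verifies their checksum (cutting false positives from random base58-looking words), matches bech32 addresses on shape only, and, to address the "intersperse them with spaces" evasion raised earlier in the thread, retries on whitespace-stripped text and accepts a hit there only when the checksum verifies. The sample address is constructed in code from a dummy 20-byte hash and is not a real wallet:

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

// Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
const b58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

var (
	// Shape of a base58check (P2PKH "1..." / P2SH "3...") address inside normal text.
	legacyRe = regexp.MustCompile(`\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b`)
	// Native segwit (bech32) shape; matched on shape only, no bech32 checksum here.
	bech32Re = regexp.MustCompile(`\bbc1[ac-hj-np-z02-9]{39,59}\b`)
	wsRe     = regexp.MustCompile(`\s+`)
)

// checksum is the first 4 bytes of double SHA-256, as base58check uses.
func checksum(payload []byte) []byte {
	h1 := sha256.Sum256(payload)
	h2 := sha256.Sum256(h1[:])
	return h2[:4]
}

// Base58CheckEncode encodes payload (version byte + 20-byte hash) as an address.
// Used here only to construct a syntactically valid sample for the demo.
func Base58CheckEncode(payload []byte) string {
	data := append(append([]byte{}, payload...), checksum(payload)...)
	n := new(big.Int).SetBytes(data)
	base, mod := big.NewInt(58), new(big.Int)
	var out []byte
	for n.Sign() > 0 {
		n.DivMod(n, base, mod)
		out = append(out, b58Alphabet[mod.Int64()])
	}
	for _, b := range data { // each leading zero byte becomes a leading '1'
		if b != 0 {
			break
		}
		out = append(out, '1')
	}
	for i, j := 0, len(out)-1; i < j; i, j = i+1, j-1 {
		out[i], out[j] = out[j], out[i]
	}
	return string(out)
}

// Base58CheckValid reports whether s decodes to 25 bytes with a correct checksum.
func Base58CheckValid(s string) bool {
	n, base := new(big.Int), big.NewInt(58)
	for _, c := range s {
		idx := strings.IndexRune(b58Alphabet, c)
		if idx < 0 {
			return false
		}
		n.Mul(n, base).Add(n, big.NewInt(int64(idx)))
	}
	data := n.Bytes()
	for i := 0; i < len(s) && s[i] == '1'; i++ {
		data = append([]byte{0}, data...)
	}
	if len(data) != 25 {
		return false
	}
	return bytes.Equal(checksum(data[:21]), data[21:])
}

// FindBitcoinAddresses returns checksum-verified legacy addresses and
// bech32-shaped strings in text. If the raw text yields nothing, it retries on
// a whitespace-stripped copy: every '1'/'3' is tried as the start of a 26..35
// character address, and only checksum-verified candidates are reported, so
// ordinary words that got merged together are not flagged.
func FindBitcoinAddresses(text string) []string {
	var found []string
	for _, m := range legacyRe.FindAllString(text, -1) {
		if Base58CheckValid(m) {
			found = append(found, m)
		}
	}
	found = append(found, bech32Re.FindAllString(text, -1)...)
	if len(found) > 0 {
		return found
	}
	stripped := wsRe.ReplaceAllString(text, "")
	for i := 0; i < len(stripped); i++ {
		if stripped[i] != '1' && stripped[i] != '3' {
			continue
		}
		for l := 26; l <= 35 && i+l <= len(stripped); l++ {
			if Base58CheckValid(stripped[i : i+l]) {
				found = append(found, stripped[i:i+l])
				i += l - 1
				break
			}
		}
	}
	return found
}

func main() {
	// Constructed sample: version 0 plus a dummy hash of twenty 0x42 bytes.
	addr := Base58CheckEncode(append([]byte{0x00}, bytes.Repeat([]byte{0x42}, 20)...))
	tweets := []string{
		"I am giving back. Send BTC to " + addr + " and get double back!",
		"Send to 1ScamAddrConstructedForTestABCDEF now", // right shape, bad checksum
		"Giving back: " + addr[:6] + " " + addr[6:12] + " " + addr[12:] + " thanks",
		"Just a normal tweet about lunch.",
	}
	for _, tw := range tweets {
		fmt.Printf("%q -> %v\n", tw, FindBitcoinAddresses(tw))
	}
}
```

Address matching treats the symptom, as the reply above says; its value is as a fast circuit breaker while the underlying access is being cut off. The checksum step matters because a bare regex on base58 text fires on many ordinary tokens, and the whitespace-stripped pass shows why: without the checksum, merged words would be reported constantly.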
I am sorry but either from the article or discussion here, I am not exactly clear what has happened. Can someone explain? Meaning did the user accounts on Twitter get hacked or the actual company websites? Or both?
At this point, no one really knows much other than that they've managed to get several prominent Twitter accounts to post scam messages. There were also replies posted and tweets pinned and recovery emails reset, so the attack seems deeper than just "ability to post a new tweet".
Some accounts were protected with 2FA, so it probably is some exploit in the API which affects many accounts (possibly all?), some intrusion in the Twitter infrastructure, or some exploit which allows people to hijack accounts. But that's really just an educated guess.
Considering it doesn't seem fixed yet, I'm not even sure the Twitter people have a complete understanding of what's going on yet.
They are posting to almost every other account, high profile or not. It's massive spam, too many users to be a password steal.
About the client, they are posted from accounts that have only used "Twitter for Web" or only used "Twitter for Mac" or only used "Twitter for iPhone"... in the past.
The BTC address used by the malicious actors has received ~13 BTC so far. That's around $120k in value at the time of me writing this comment.
Not sure if such a massive, simultaneous hacking operation makes sense for ~$120k worth of BTC. As other commenters mentioned, postmortem of this one should be interesting.
Worldwide verified accounts are now disabled (can favorite and retweet but not post messages), and I imagine that soon we'll see unverified accounts also being targeted.
Obama just tweeted out the same thing. It seems all of twitter has been hacked. The post mortem will sure be interesting. Also interested in how TWTR gets affected.
Seems to me twitter should hire some humans to sit there and manually approve every tweet by all VIP accounts before they go live. How hard could that be? If that’s all they do you’re adding maybe a 30 second delay to every VIP tweet and you’re pretty much guaranteeing that this doesn’t happen again. Unless of course the hackers somehow inserted the tweet directly to the database and bypassing any such measures.
That will not help, as the imposter could post a sane tweet impersonating the VIP. The person checking would not be able to identify if it's the VIP or the imposter.
The point is to screen outrageously out of character or dangerous tweets, for instance Hillary Clinton giving away bitcoin, or a politician declaring war on another country. Something timid or benign slipping through is not that big of a deal.
People who don't want scrutiny from their old tweets want an easy way to delete/wipe their tweets. There is a load of software out there that claims to do this. They all relatively take over the OAuth chain, and do the needful. But one of them does it as if you were in your browser, so as not to give away information about the user's phone/type/version.
It's so easy for a Twitter user to use a later compromised 3rd party app, only having to press a button to authorize the entire OAuth chain. Look at hosted packages or artifacts in dockerhub, GitHub, ruby, pypi, etc. Malicious things like this are everywhere, dormant on systems until the right group can leverage them against end users. Imagine if TweetDeck was compromised.
I can't imagine some of those hacked people not having extremely good security habits. 2FA, long unique randomly-generated passwords not used anywhere else, and secured phones that would be hard to do a SIM swap on.
Which leads me to believe someone has really hacked twitter in a bad way or there's someone on the inside helping them.
Funnily enough, the Tweet made me immediately think whoever wrote it speaks French natively. In French grammar, there needs to be space before any punctuation with exactly two parts (e.g. ":", "!", or "?"), and it's a common error for French-natives to do the same in English.
My original comment was deleted, so I'll try this again.
I've read the comments here and quite surprisingly there are a lot of folks saying that the value of this hack isn't worth more than roughly one year's salary at Twitter (as an intern). I appreciate the pragmatism, but unlikely.
Anyone with this kind of exploit could have sold it, moved to Russia, and received immunity from extradition. Secondly, people should be scrutinizing any moron willing to give away thousands of dollars to billionaires for a promise of a 2x return. Especially in these times.
So, reason can only allow us to arrive at a most likely cause. That this was indeed an inside job. It was not about money. It was not a security flaw. But rather, it was simply a group of employees that were unhappy with Twitter allowing the federal government to investigate bad actors on the platform behind closed doors.
I could imagine a faked tweet attributed to Trump that could immediately begin mobilization in other countries to prepare for war. There are several fake tweets from Bezos/Musk I could imagine that could credibly send the stock price of AMZN down by 10%, TSLA down by 50% in a matter of minutes.
Attacker(s) could profit immensely if they had leveraged short positions cleverly placed.
Users losing a few hundred thousand is getting off light considering the severity of this attack and how much worse it could have been.
According to Blockchain.com, more than $100,000 was received at that address about an hour after the first hack, which appears to have tricked more than 350 users. https://archive.vn/QOp4M
This may be the last straw that tips politicians over into considering Twitter & co utilities - stuff that the gov has a say in running because failure is unacceptable to the public.
Not that I think the gov could do a better job, but that doesn't stop them elsewhere.
I am not familiar with BTC markets. How would they be able to collect? Wouldn't everyone be watching that wallet like a hawk, making it impossible to withdraw without revealing their identity?
There are many exchanges and services where you can sell BTC for XMR (Monero) without revealing your identity. And with Monero you cannot trace addresses or transactions.
I believe no sane service would accept BTC from that address. It is now "stained" and every other address it touches will be too. There are systems that automatically monitor for such scams so it is quite hard to launder $100k.
Instead of taking a screenshot, archive Tweets with https://archive.is/ before they disappear. (The Wayback machine doesn’t work with Twitter due to robots.txt)
What could have been the best prank of 2020 wasted on a bitcoin scam. If it were me, I'd try to start a war or two as the ayatollah, or maybe make some unplanned celebrity trump endorsements. Wasted potential.
I believe OP meant that the attackers got access to the account by hacking SMS, thus getting the verification code and legitimately logging in the accounts.
Twitter support tweeted: "We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly."
The screenshots seem to show accounts shadow-banned, something Twitter denied doing for years... I am referring to those labels showing banned from search, etc. Seems interesting.
Some reports that this was related to compromised OAuth tokens. How would someone know and what is the source of the compromise? A third party app that all of these accounts use?
It's really strange to claim it was "simultaneous" account hacking instead of Twitter being hacked. I guess all journalism today has 50% opinion in the middle.
These hackers are clearly amateurs. If you're going to post crypto scams on hijacked Twitter accounts you can't NOT include John McAfee's account. Seriously.
Everyone here is suggesting a monetary motive. Maybe there's a political motive--someone who really hates Twitter or serves to benefit if Twitter suffers.
dang, if you would collapse all threads by default and only show/load top level comments, you probably would not even need this performance workaround. On the first page of your performance workaround, there were only 4 top-level comments... probably less than 100 total, I would guess (for most posts).
All in all that looks like a poorly thought out attack. So much more could've been done than cryptoscam.
Considering execution, it may be that this is some API 0day which does not show (or makes it hard to guess) which account messages are being posted from. How else would you explain neutral messages for all accounts when you could've personalised it per account to maximize efficiency?
When I posted my comment the title simply read "twitter compromised". I'm not sure if the exact nature of the attack is known, but it definitely wasn't at the time.
How did they possibly steal Elon Musk's Twitter account? We need a post-mortem on this because if he can be phished, then we need to know how, and if it was some internal hack then I also need to know how. That's extremely scary!
A lot of people (rightly) pointing out that the actual exploit payload here is a horribly inefficient way to monetize such awesome power. Some of the replies that influencing regulated markets would be traceable...sure, but trillions of dollars flow through these markets each and every day. A decently large options position accumulated over days wouldn't raise any red flags, and one tweet about the Fed raising rates on the back of strong employment + vaccine hope would have sent markets into a tailspin. The reality is that it would be much more difficult to identify bad actors than it is with public crypto addresses. And your money is clean at that point, part of the US financial system (or other tier 1 banking system).
So... What if this is just massive distraction for a Twitter content manipulation of some sort, like making some tweets disappear or incriminating some people with malicious content?
I've seen the groundwork for this over the last 6-8 weeks, with 'people' (questionable-looking accounts) retweeting screenshots of similar-looking tweets purporting to be from Elon Musk, and other similarly fishy accounts going 'wow it really works' or the like. I noticed them showing up consistently in replies to Trump tweets, probably just because they get tons of engagement.
Those have been going on for years. They clearly demonstrate Twitter's incompetence (which seems to have culminated today) since they were very easy to filter out with a simple regex, but I doubt they are related to this attack.
So, does no one think this was China doing a 'we can do what we want when we want' as a response to Trump's executive order the day before this happened? And if it is, would they be honest about the cause since that would require a response and likely an escalation?
Just imagine if Trump’s account were hacked to indicate that the US is launching a missile towards North Korea. Or maybe a message to encourage some kind of armed uprising in the US.
Hacking the right Twitter account could easily have massive life-and-death consequences. Isn’t that terrifying?
I find it fascinating that they didn't target @POTUS/@realDonaldTrump. I wonder if there are specific mechanisms in place to protect accounts that could, y'know, start WW3, that aren't rolled out to other blue checkmark accounts.
I don't think anyone appreciates how scary this is. A simple BTC scam or even market manipulation is one thing. Can you imagine the mass panic if there were one sombre tweet from Trump's account about a nuclear strike?
I have heard that Trump's account has extra protections around it that presumably prevent even staff from accessing it, in which case, if this was a staff account compromise, it would make sense that they can't touch Trump's account.
Another possibility is that they are indeed just after the money and compromising Trump's account would prompt a faster response from Twitter (possibly taking down the entire account or platform) and reduce the effectiveness of the scam.
Trump's account might have been the final one targeted, locking the attacker out from messing with any additional accounts. If a Twitter employee is messing with famous accounts in an unauthorized way, automatically stopping the employee would be reasonable.
I've heard of this feature existing with the software used by phone companies and hospitals. Employees who poke around looking at famous people soon get locked out of the system.
Perhaps Twitter has additional security around his account? An IP whitelist? Perhaps the President has a special version of the twitter client that includes additional authentication? Twitter is no fan of the current president, but it seems plausible for national security reasons.
I really HOPE the details of this hack become public, because this is huge. (I can already hear celebs who say dubious things trying to claim they were hacked.)
I've never heard of Hacker News censoring comments that do not abuse the site guidelines, with rational opinions. This comment thread is being heavily censored. This fundamentally abuses the trust that users have put into this site.
Your comment was deleted because you yourself deleted it. "Hacker News" hasn't been censoring anything.
Is it possible that you thought your comment was removed because in fact it was on one of the later pages of comments? That is simple pagination. I tried to tell people about this by pinning https://news.ycombinator.com/item?id=23853229 to the top of the first page.
https://news.ycombinator.com/item?id=23851275&p=2
https://news.ycombinator.com/item?id=23851275&p=3
https://news.ycombinator.com/item?id=23851275&p=4
Edit: also, there's a related thread tracking the BTC transactions here: https://news.ycombinator.com/item?id=23851542.