Yikes, strongest hypothesis is that the attackers have owned Twitter’s employee admin panel, which allows Twitter employees to change passwords/disable MFA, letting an attacker take over a prominent account and tweet on their behalf without dealing with their password or MFA.
If that is the case, I’m hoping companies all over the world learn from this example: attackers can’t leverage these tools if your employees don’t have back end access to make these account changes. Reduce admin privileges now.
And to be clear, anyone claiming to know with absolute certainty likely does not. This is just the strongest hypothesis I’ve seen thus far, which I’m sharing so that folks don’t wrongly lose hope in MFA security (which is unlikely in this scenario).
In regard to an attack on a social media scheduler, app, API, or tweet manager: that is of course possible, but my best guess is that if that were the attack vector, the tweet source label on each compromised tweet would list that manager. Like “TweetDeck”, for instance.
I'm a hacker who uses this attack vector in pentests and my guess is this is likely a system AND human process issue. Helping orgs avoid this *very* scenario & reduce the level of access I could get if I own an employee's environment is common -- which informs my hypothesis here.
Lots of additional ideas, figured I should address them:
- "Everyone should turn on MFA!" (I agree completely! But that is likely not the issue in this specific attack, but yes)
- "Looks like SIM swapping" (Unlikely that all those prominent accounts don't use MFA hardware tokens)
Also going live with @RichardMadan of @ctvnews in 7 minutes, if you want to tune in to hear live discussion there.
Folks are wondering "if your hypothesis is that an attacker could gain access to an admin panel, who's to say it's not an insider threat attack!" To that I say -- it absolutely could be! We've seen employees at FB use internal tools to harm others, & it happened at Snapchat, too.
Another strong hypothesis to add to the short list of hypotheses. Thanks @evantobac for this one. https://twitter.com/RachelTobac/status/1283550225584381954?s=20
And to close this loop: it turns out my hypothesis was correct. Social engineering attack to gain access to internal credentials and carry out an attack on the internal Twitter admin panel. https://twitter.com/twittersupport/status/1283591846464233474
Twitter confirmed my hypothesis and is now mitigating as I and others recommended: limiting employee admin access. The more employees who have access, the more people I can social engineer to carry out my attacks. https://twitter.com/TwitterSupport/status/1283591853955219458
After Twitter reduces admin access privileges for the majority of employees, the next step is to require hardware MFA to secure their admin access. I understand admin access exists for a reason, and I know people don’t like that it exists. Securing access to it is a must.
Do I consider paying an employee to access their admin panel to be social engineering? Nah, that’s more like an insider threat -- it still boils down to a human element, an admin-panel-based attack & an admin privileges issue, though, rather than a SIM swap, MFA, or API issue, for example.