The Twitpocolypse


Some time ago about a year ago, or maybe two years ago, twitter introduced time based one time passwords google authenticated as most people know that mechanism where you have an authentic eater APP on a mobile device, and that gives you six digit codes to log in as to factor, which is much more secure than SMS SMS of course can be hijacked if your Sim Card is hijacked, so a lot of people were speculating all of these different methods of attack to me. It seems unlikely that accounts that are very familiar with some checking because. Because it happens a lot in crypto and has had a lot of high profile. Reporting would have SMS. It also seemed unlikely that even if they did that, someone was able to Sim Jack phones from big accounts across two different continents, at least because some of these accounts are china-based or singapore-based, some are europe-based. Some are a us-based that involve several different phone carriers in different countries all done within a matter of hours. It seemed to me very unlikely that I would be the case so assuming that they did have hardware two factor authentication. Or at least an authentic eater op, you can't really steal a password. That's not enough. So then, if the account security is likely to be quite secure, what are the other avenues someone can get in? The next most likely mechanism of attack would be API's so twitter has API's that allow various social media, aggregate or sites to post so that whole team of people can schedule and review and posts to multiple platforms similtaneously I. Use platforms like that, too. It allows me to work with a team of people and collaborate on what we post and schedule it out in advance. So. When you see a personal message from me, his personal, but when you see an with like I'm doing this video on Saturday, you know that's scheduled in advance and it's posted automatically. Are, not sitting there, attaching images and typing in Hashtags in real time. These services of course access the twitter API using off which is a nation protocol. It's the same protocol that's us when you log into a site using your google account and it redirects. You gets an encrypted challenge response message from uses that antedates into sight. And these gain full access the twitter time and presented in some of the site. You're probably familiar with things like hoot, sweet and buffer, sensible and various other sites like that now. These sites are not always as well secured. So that was my immediate suspicion. Because from there you can easily post the message, and if that site security isn't a strong with two factor, etc, I assumed. had been compromised than because there are only a handful of social media postings services eight. It was quite possible that all of these disparate companies were using the sang. Then the attack continued to escalate. One of the things that was noticeable was that the tweets that will come out? Were saying twitter web APP. Now when you have an off service that is posting remotely through the API. It has a clear identifier, says twitter for iphone, says hoot suite, it says some social media, posting or something like that. It doesn't say twitter web up. So my immediate suspicion was that this was a browser extension again much easier to compromise it. Browser extension that is a common single point of failure across all of these different accounts, and would have access to twitter web API to post on behalf or maybe sore credentials for users. There are a lot of sloppy browser extensions out there and then people started talking about the possibility of zero day browser exploit now. That'd be a very serious problem. Because Zero Browser, exploit effectively means that someone was compromising browsers through some click through mechanism, revolt, execution, or something like that and hijacking credentials from inside the browser secure store. That's a very serious. Because I would affect not just twitter, but then again it was only happening on twitter. And why would you use a zero day? Browser exploit that can be enormously powerful to hack only one site twitter, and then to use it to do this silly. Nigerian scam. I'm using the term Nigerian scam because Nigerians have anything to do with us, but because this type of scam originated with the Nigerian Prince Story, I mean it's a story, actually the we've seen repeat over and over and over again for two decades exactly I was reading through some kind of gaming coverage of this and many of them are likening it to scams that. That have been pulled in Yvonne Line, which is a popular sort of Laissez Faire, M., o. and ruined scape, also, which is really like a mostly for kids type of environment, and again like seven years ago. Apparently there was a rash of this type of give your money and I'll give you double back and again of course in crypto currency. We've seen this since.

Coming up next