The Twitter “hack” is almost a month old now, and although I didn’t cover it at the time, it’s still a good opportunity for some lessons about security. I deliberately put hack in quotation marks because there are no doubt people who don’t see social engineering as “real” hacking.
Quick background for those not familiar with what happened: Hackers used social engineering to gain access to an internal Twitter employee administration tool. High-profile accounts were then used to tweet out a cryptocurrency scam (send me x amount of cryptocurrency and I’ll send you twice as much back in return). There was initially speculation as to whether Twitter employees were complicit (being paid by hackers for credentials to the admin tool).
Many articles on the Twitter hack focus on the hackers and the hack itself, but more alarming to me is the level of access and control this admin tool gave Twitter employees over individual people’s Twitter accounts. More surprising to me is the fact this didn’t happen sooner. Other sources have revealed, or rather speculated, that Twitter censors people who don’t have the “correct” opinions. This hack has provided further evidence of this claim through leaked screenshots of the admin tool. If you want more information about the censorship Twitter engages in, I recommend watching Project Veritas’s video: HIDDEN CAMERA: Twitter Engineers To “Ban a Way of Talking” Through “Shadow Banning”. For now though, let’s dig into the security implications!
The most glaring security issue is Twitter giving unprecedented control and access to employees over people’s Twitter accounts. While it is not a technical security hole, giving this amount of control to employees is asking for trouble. Twitter now claim they’ve “significantly limited access to our internal tools and systems”. We can further dissect the statement by asking what ‘limiting access’ means. Does it mean fewer employees have access to the tools and systems? Or does it mean Twitter have restricted the capabilities of said tools? If we look at the preceding tweet, referring to the ‘tools, controls and processes’, Twitter states, “we are taking a hard look at how we can make them even more sophisticated”. This to me sounds like the Twitter ‘powers that be’ have decided to double down and run in the opposite direction of the KISS (Keep It Simple, Stupid) methodology. I’m sure it will have no negative consequences; we all know that making things more complicated always solves every problem.
Giving this level of control to Twitter employees goes against Saltzer & Schroeder’s principle of ‘least privilege’, which states that, “Every program and every user of the system should operate using the least set of privileges necessary to complete the job.”1
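To make the principle concrete, here is an added example (my own illustration, not Twitter’s code, and nothing on the page describes how their tool actually worked) of the two ways an internal account-administration tool can be built. Policy A is the “anyone with tool access can do anything” model the post criticises. Policy B applies least privilege: each constructed role (`support_agent`, `account_recovery`, `trust_and_safety`) is granted only the actions its job needs, high-impact actions need a second, distinct approver who holds the same grant, and the most dangerous capability (`post_as_user`) is granted to no role at all, so it is not merely “restricted” but absent. Every decision is written to an audit log so denied attempts are visible to defenders. All role names, action names, staff names and the target handle are constructed for this example.

```python
"""Toy access-control model for an internal account-administration tool.

Contrasts an over-privileged policy (tool access implies full control) with
a least-privilege policy: role-scoped grants, a two-person rule for
high-impact actions, and no role at all for acting as the account owner.
All roles, actions, staff names and targets below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Every action the tool could expose. "post_as_user" is listed so that Policy A
# can demonstrate the problem; Policy B grants it to nobody.
ACTIONS = {"view_account", "reset_email", "suspend_account", "post_as_user"}

# Least-privilege role grants (constructed roles; each gets only what its job needs).
ROLE_GRANTS = {
    "support_agent": {"view_account"},
    "account_recovery": {"view_account", "reset_email"},
    "trust_and_safety": {"view_account", "suspend_account"},
}

# Actions with a large blast radius require a second person who holds the same grant.
REQUIRES_APPROVAL = {"reset_email", "suspend_account"}


@dataclass
class Employee:
    name: str
    roles: set


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    """Append-only record of every authorisation decision, allowed or denied."""
    entries: list = field(default_factory=list)

    def record(self, policy, actor, action, target, decision, approver=None):
        self.entries.append({
            "policy": policy, "actor": actor.name, "action": action,
            "target": target, "allowed": decision.allowed,
            "reason": decision.reason,
            "approver": approver.name if approver else None,
        })


def grants_for(employee: Employee) -> set:
    """Union of the actions granted by all of an employee's roles."""
    return set().union(*(ROLE_GRANTS.get(r, set()) for r in employee.roles))


def over_privileged_check(actor: Employee, action: str, target: str,
                          log: AuditLog) -> Decision:
    """Policy A: anyone who can open the tool may do anything it offers."""
    decision = Decision(action in ACTIONS, "tool access implies full control")
    log.record("over_privileged", actor, action, target, decision)
    return decision


def least_privilege_check(actor: Employee, action: str, target: str,
                          log: AuditLog,
                          approver: Optional[Employee] = None) -> Decision:
    """Policy B: role grants plus a two-person rule for high-impact actions."""
    if action not in ACTIONS:
        decision = Decision(False, f"unknown action {action!r}")
    elif action not in grants_for(actor):
        decision = Decision(False, f"{action} not granted to roles {sorted(actor.roles)}")
    elif action in REQUIRES_APPROVAL:
        if approver is None or approver.name == actor.name:
            decision = Decision(False, f"{action} requires a distinct approver")
        elif action not in grants_for(approver):
            decision = Decision(False, f"approver {approver.name} lacks the {action} grant")
        else:
            decision = Decision(True, f"{action} approved by {approver.name}")
    else:
        decision = Decision(True, "granted by role")
    log.record("least_privilege", actor, action, target, decision, approver)
    return decision


def demo() -> dict:
    """Run both policies over the same requests and return the outcomes."""
    log = AuditLog()
    alice = Employee("alice", {"support_agent"})
    bob = Employee("bob", {"trust_and_safety"})
    carol = Employee("carol", {"trust_and_safety"})
    target = "@example_user"  # constructed account handle
    return {
        "a_post_as_user": over_privileged_check(alice, "post_as_user", target, log).allowed,
        "b_post_as_user": least_privilege_check(alice, "post_as_user", target, log).allowed,
        "b_view": least_privilege_check(alice, "view_account", target, log).allowed,
        "b_suspend_alone": least_privilege_check(bob, "suspend_account", target, log).allowed,
        "b_suspend_self_approved": least_privilege_check(bob, "suspend_account", target, log, approver=bob).allowed,
        "b_suspend_peer_approved": least_privilege_check(bob, "suspend_account", target, log, approver=carol).allowed,
        "b_suspend_wrong_approver": least_privilege_check(bob, "suspend_account", target, log, approver=alice).allowed,
        "audit_entries": len(log.entries),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the two-person rule is that compromising one employee, whether by social engineering or by payment, is no longer enough for a high-impact action, and the audit log turns every failed attempt into a detection opportunity rather than a silent no-op.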
Twitter appear to be making small steps in the right direction; however, they are reactive. Twitter would be better served by being proactive, so that they are ahead of the problems their current policies may create rather than responding after the fact.