Monday, September 2, 2019

How Twitter’s CEO got hacked - A reminder of this vulnerability.

As ridiculous as it sounds, the CEO of Twitter, Jack Dorsey, got hacked last Friday. The unpleasant surprise lasted for 15 minutes, with the hackers tweeting offensive messages. Twitter has a good security track record, and this news was utterly embarrassing for the social media giant.


How it happened

This incident shows how insecure Twitter's text-to-tweet service is. Twitter users can post tweets by texting a message to a shortcode. The service behind it is Cloudhopper, which provides mobile messaging technology. Cloudhopper lets you link your phone number to your Twitter account, and that link alone is enough to post tweets to the account: the attacker does not need access to your Twitter account, only control of your phone number. This technique is quite frightening, as it is often used to steal digital assets and sometimes Instagram handles. The attack is known as SIM card hacking. You can prevent a similar event by adding a PIN code to your account.


According to a Twitter statement: "The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved."


The crew responsible for this attack is called Chuckling Squad. This SIM swapping technique has been around for some time and often works for this group. Dorsey was a victim of a similar attack some time back. The world now knows how prominent SIM swapping attacks are, and whether they remain a favourite hacking technique depends on how this incident is addressed. In summary, any system that lets a user tweet through a channel other than the account itself can make it easy for a hacker to control the account.
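The trust failure described above, modelled as an added example that is not part of this post: a constructed text-to-tweet gateway that treats caller ID as the whole login, a constructed carrier whose SIM swap re-points the number to another SIM, and the two mitigations the post mentions (a per-account PIN, and switching the feature off). All handles, numbers and the PIN are invented.

```python
"""Toy model of a text-to-tweet shortcode and a SIM swap against it (constructed)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def pin_hash(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()  # toy; a real service would salt and stretch


@dataclass
class Account:
    handle: str
    phone: str
    sms_pin: Optional[str] = None          # hypothetical per-account PIN, stored hashed
    sms_enabled: bool = True               # the feature Twitter later switched off
    timeline: List[str] = field(default_factory=list)


class Carrier:
    """Constructed carrier: phone number -> SIM. A SIM swap re-points the number."""
    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}
    def activate(self, phone: str, sim: str) -> None:
        self.owner[phone] = sim
    def sim_swap(self, phone: str, new_sim: str) -> None:
        self.owner[phone] = new_sim        # the provider's "security oversight"
    def send_sms(self, from_sim: str, gateway: "TextToTweet", body: str) -> bool:
        # Caller ID is whatever number the carrier currently maps to this SIM.
        sender = next(p for p, s in self.owner.items() if s == from_sim)
        return gateway.receive(sender, body)


class TextToTweet:
    """Constructed shortcode handler. Without require_pin, caller ID is the only login."""
    def __init__(self, accounts: List[Account], require_pin: bool = False) -> None:
        self.by_phone = {a.phone: a for a in accounts}
        self.require_pin = require_pin
    def receive(self, sender: str, body: str) -> bool:
        acct = self.by_phone.get(sender)
        if acct is None or not acct.sms_enabled:
            return False
        if self.require_pin:                # mitigation: something the number alone does not give
            pin, sep, text = body.partition(" ")
            if not sep or acct.sms_pin is None or not hmac.compare_digest(pin_hash(pin), acct.sms_pin):
                return False
            body = text
        acct.timeline.append(body)
        return True


def simulate(require_pin: bool = False, sms_enabled: bool = True):
    """Returns (owner's post accepted, attacker's post after the SIM swap accepted)."""
    victim = Account("ceo", "+15550001111", sms_pin=pin_hash("4821"), sms_enabled=sms_enabled)
    gw = TextToTweet([victim], require_pin=require_pin)
    carrier = Carrier()
    carrier.activate(victim.phone, "sim-victim")
    own = carrier.send_sms("sim-victim", gw, ("4821 " if require_pin else "") + "hello")
    carrier.sim_swap(victim.phone, "sim-attacker")   # number now rings on the attacker's SIM
    hijack = carrier.send_sms("sim-attacker", gw, "offensive message")
    return own, hijack
```

With caller ID as the only check the hijacked post lands; with the PIN the owner still posts and the attacker is rejected; with the feature off neither side can post by SMS.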


Twitter disables tweeting via SMS

Just days after the SMS vulnerability was exploited on Jack Dorsey's account, Twitter has temporarily turned off the feature. The feature isn't really important, as many users don't use it in this era of smartphones. Twitter made it clear that the change is meant to protect users' accounts. The company may reactivate the SMS feature in some countries and work on a long-term solution.

Updated: 4-09-2019
