科技回声 (Tech Echo), a Hacker News mirror built on Next.js
More than 1k people at Twitter had ability to aid hack of accounts

382 points, posted by theBashShell almost 5 years ago

22 comments

laughinghan, almost 5 years ago

> accounts with more than 10,000 followers should at least need two people to change key settings

For accounts that could start a war this might be necessary, but for celebrities with >10K followers this sounds expensive and unnecessary to me.

To me, it seems like you could instead ensure the admin view of every account has a timestamped log of recent settings changes, including changes done by admins, with a link to the profile of the admin responsible, and a button to suspend that admin account with one click.

This way, the security team could've seen that Elon Musk's account had just been reset by J. Random Employee minutes before tweeting the suspicious bitcoin tweet, messaged J. on Slack to be like "hey did you do that?", and suspended the compromised admin account within minutes.

Sure, some accounts might be briefly compromised initially, but it would be resolved in minutes and not the hours that it took Twitter, right? That seems fine for what should be a relatively low-likelihood, high-expense attack like a compromised admin account (of course, you have to ensure that is the case).
throwaway220720, almost 5 years ago

For comparison, at Google in 2011, I was one of ~10 or so engineers that had the ability to view private Gmail or Gplus data (access that was heavily documented and audited).

That being said, Google did have to go through its own public humiliation [1] to put a system like that in place.

[1] https://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-on-chats
akersten, almost 5 years ago

Kind of sensationalist. There are thousands of people that have the ability to drain your bank account right now. Your average call center employee wields immense power. The real story here is Twitter's lack of spear-phishing training for their support staff, not "support employees have access to support tools".
dreen, almost 5 years ago

I remember during my time with a large mobile carrier in the UK I was told of a person in the company who could in theory read any SMS on the network. Mind you, this was literally one person for over 30 million customers. He had a high security clearance, extensive security training, and the powers vested in him were used mainly to identify scammers and other criminals.

Pretty sure this was a requirement set by law: we need someone to be able to do this, but let's make sure they know what they're doing. It is very weird we don't place the same requirements on social networks.
jbob2000, almost 5 years ago

I now understand why the bank I work for creates the separation of duties; the person who builds the system has no access to it, and the person with access has no idea how it works.

As a developer, it frustrates the shit out of me because I can't deploy fixes quickly or easily diagnose issues.

But yep, there are 3 people that have access to the production databases that hold account info, and they aren't developers, just managers with no clue what to do once they log in.

I also worked for a company that sold software to lawyers. We had a feature that would alert the client any time a member of our company accessed their data. I think we called the feature something like "fire call", because if you tripped it without informing the client, you'd get a call informing you that you'd been fired.
sloshnmosh, almost 5 years ago

Ha!

Did you see in that article that the head of cyber security for AT&T added his two cents in shaming Twitter?

AT&T was just in the news recently where employees were accepting bribes that allowed criminals to swap SIMs and steal bitcoins from AT&T customers.

Unbelievable.
pmiller2, almost 5 years ago

This is why internal tools that can modify account settings and such need to have audit trails.
uallo, almost 5 years ago

I created a Twitter account close to a month ago and it was immediately suspended because it "appears to have exhibited automated behavior that violates the Twitter Rules". Well, it did not really do anything yet, even less so anything against their rules. The account is still suspended despite multiple appeals and messages.

At the same time, dozens (hundreds?) of verified accounts get taken over. I think their fraud detection systems are total crap.
dzonga, almost 5 years ago

Twitter seems to have a cowboy engineering culture. That's why one of their execs blamed Rails for their failure to combat harassment [0]. And I bet now, if they still ran Rails, it would've been blamed lol.

[0]: https://char.gd/recharged/daily/twitter-blames-ruby-on-rails-for-harassment
anonunivgrad, almost 5 years ago

Should there be citizenship requirements for access to customer data at that scale? Background checks? Security clearances? [1] When you have so much private data and the ability to put words into people's mouths, aren't you a national security asset at that point? Today it's some bitcoin scammers, tomorrow it's Russian or Chinese intelligence. If I was in charge of Russian or Chinese intelligence, I'd make sure that my citizens working inside these companies are using that data to my advantage, or are at least positioned to should an opportunity arise.

There is already tons of evidence of Chinese nationals coming to the US to work at these companies with the express purpose of stealing trade secrets and sending them back to China. Why would the Chinese government stop there? How about your personal emails, your Twitter DMs, etc.?

Citizenship is loyalty. That is what it means legally and what it has meant in practice. Especially if your family is still in your country of citizenship.

Yes, this would mean the international segmenting of the internet, at least in terms of which websites you plug your personal data into vs. "just browse". This strikes us nerds as awful. But perhaps anything else was just a naive fantasy. The last decade should have shattered our innocence. What happens online matters for great power politics, and great power politics matters a lot for ordinary people.

[1] The current security clearance process is at least partly a jobs program for people with boring, unadventurous youths. I'm not advocating for that, just the principle of a security clearance.
Laforet, almost 5 years ago

Right, thousands of people with admin access and nobody could help me reinstate my API access....
KingOfCoders, almost 5 years ago

There is all this talk from those successful companies about security and what you should do with your keys, and they open-source hardware secret stores and brag about it, and they fail at the most basic security operations.
vlqubed, almost 5 years ago

I wonder if they automatically turned off "log in with Twitter" for other websites. Seems like the bigger hole is that they can use these credentials for anyone using Twitter to log in via OAuth.
alpb, almost 5 years ago

Worth mentioning only 5,000 people work at Twitter.
austincheney, almost 5 years ago

This should be a wake-up call. Thank god the malicious messaging was only limited to a tiny Bitcoin scam. Imagine if they had pulled this off on the accounts of national leaders to stir hostilities or violence.

What is the recourse for this kind of failure? I suspect there is none. Twitter is shielded from lawsuits for its content. If this is provably negligent behavior and resulted in actual physical harm, are we supposed to do nothing and simply hope it never happens again?

I cannot fathom what I would do if I were in the position of Timothy Klausutis: https://www.washingtonpost.com/politics/widower-of-late-joe-scarborough-staffer-seeks-removal-of-trump-tweets-that-promote-baseless-conspiracy-theory/2020/05/26/cf06257a-9f45-11ea-b5c9-570a91917d8d_story.html
wiradikusuma, almost 5 years ago

Anyone watched Westworld? The whole enterprise is (almost) destroyed by 2 low-level employees. It's either a complete blooper in the script or, after I read this article, reflective of the real world that I don't know about. Your take?
nextlevelwizard, almost 5 years ago

> implication that a hostile government might be able to cause even greater havoc.

It is stuff like this that makes me question the whole article. Like, yes, obviously this was no "hostile" government since they were just scamming for some pocket change. But also, how exactly would this hostile government create havoc with Twitter?
atum47, almost 5 years ago

Well, I worked at a software house that makes software for industrial automation. Each user of the software has all their actions logged and time-stamped. If you edit something, give a big discount, grant a permission, delete something... it all goes into a different DB filled with just the logs. Why doesn't Twitter have something like this? Am I missing something?
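A worked example of the design several commenters describe, added here as illustration and not code from the thread or from Twitter: laughinghan's timestamped, operator-attributed change log with one-click suspension of the operator account, pmiller2's audit trail for internal tools, jbob2000's "fire call" notice to the account owner, and atum47's separate log store. It assumes a single append-only log kept apart from the account store, that "operators" are support staff, a ten-minute correlation window between a credential change and a post, and that every login, account name, timestamp and message is constructed for the demo.

```python
# Added example (not code from the thread or from Twitter); every login, account,
# time and action is constructed. Assumed model: one append-only log kept apart from
# the account store, "operators" are support staff, OWNER marks the holder's own actions.
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import json

PRIVILEGED = {"reset_email", "reset_password", "disable_2fa"}
OWNER = "self"


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str   # operator login, or OWNER
    action: str  # e.g. "reset_email", "post"
    target: str  # account the action touched
    detail: str = ""


class AuditLog:
    """Append-only; each hash covers the previous one, so later edits break verify()."""

    def __init__(self):
        self.events: list[AuditEvent] = []
        self.hashes: list[str] = []

    @staticmethod
    def _digest(prev: str, ev: AuditEvent) -> str:
        payload = json.dumps({"ts": ev.ts.isoformat(), "actor": ev.actor, "action": ev.action,
                              "target": ev.target, "detail": ev.detail}, sort_keys=True)
        return hashlib.sha256((prev + payload).encode()).hexdigest()

    def append(self, ev: AuditEvent) -> str:
        prev = self.hashes[-1] if self.hashes else "0" * 64
        self.events.append(ev)
        self.hashes.append(self._digest(prev, ev))
        return self.hashes[-1]

    def verify(self) -> bool:
        prev = "0" * 64
        for ev, h in zip(self.events, self.hashes):
            if self._digest(prev, ev) != h:
                return False
            prev = h
        return len(self.events) == len(self.hashes)


def privileged_action(log, suspended, ts, actor, action, target, detail="") -> bool:
    """Only path to a privileged change: refused if suspended, else logged first."""
    if actor in suspended:
        return False
    log.append(AuditEvent(ts, actor, action, target, detail))
    return True


def owner_alerts(log: AuditLog) -> dict[str, list[str]]:
    """Every operator action becomes a notice to the account owner (the "fire call")."""
    alerts: dict[str, list[str]] = {}
    for ev in log.events:
        if ev.actor != OWNER:
            alerts.setdefault(ev.target, []).append(f"{ev.ts:%H:%M} {ev.action} by {ev.actor}")
    return alerts


def suspected_takeovers(log: AuditLog, window=timedelta(minutes=10)):
    """(operator, account, change, post) for each post within `window` of an
    operator-initiated credential change; owner changes and late posts are ignored."""
    pending: dict[str, AuditEvent] = {}
    hits = []
    for ev in sorted(log.events, key=lambda e: e.ts):
        if ev.action in PRIVILEGED and ev.actor != OWNER:
            pending[ev.target] = ev
        elif ev.action == "post":
            reset = pending.get(ev.target)
            if reset is not None and ev.ts - reset.ts <= window:
                hits.append((reset.actor, ev.target, reset, ev))
    return hits


def respond(log: AuditLog, suspended: set, window=timedelta(minutes=10)) -> set[str]:
    """One-click suspend: implicated operators go into `suspended` and are refused."""
    implicated = {actor for actor, _, _, _ in suspected_takeovers(log, window)}
    suspended |= implicated
    return implicated


def build_sample():
    """Constructed events: benign owner reset; operator reset then a post an hour
    later (outside window); operator reset then a scam post 3 minutes later."""
    log, suspended, t = AuditLog(), set(), datetime(2020, 7, 15, 20, 0)
    log.append(AuditEvent(t, OWNER, "reset_password", "user_b"))
    log.append(AuditEvent(t + timedelta(minutes=2), OWNER, "post", "user_b", "hi"))
    privileged_action(log, suspended, t - timedelta(hours=2), "op_kwan", "reset_email", "user_c")
    log.append(AuditEvent(t - timedelta(minutes=50), OWNER, "post", "user_c", "lunch"))
    privileged_action(log, suspended, t + timedelta(minutes=5), "op_jdoe", "reset_email", "celeb_a")
    log.append(AuditEvent(t + timedelta(minutes=8), OWNER, "post", "celeb_a", "send BTC, get double"))
    return log, suspended
```

Running `build_sample()` and then `suspected_takeovers(log)` flags only `celeb_a` (reset by `op_jdoe`, scam post three minutes later); `respond()` then puts `op_jdoe` into the suspended set, after which `privileged_action()` refuses that login. The rule is deliberately narrow: it only fires on a change made by an operator, so an account holder resetting their own password is never a hit, and it attributes the change to an operator login rather than to the account, which is what lets the security team ask one person "did you do that?" instead of hunting across thousands. The hash chain covers the insider case: an operator who could also edit the log would otherwise be able to remove their own trail.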
flingo, almost 5 years ago

"Only two people can launch a nuke: the president, and the engineer who installed the system."
imvetri, almost 5 years ago

Title corrected: More than 1k people at Twitter had ability to aid hack and chose not to.
OfficialMuffin, almost 5 years ago

Interesting
sunilkumarc, almost 5 years ago

On a different note, online presence is becoming very important, and with remote work culture gaining traction, having a good online presence has become a must-have asset.

I bought a course on building a Twitter audience and have been able to improve my following significantly over the past 2 months.

Twitter link: https://twitter.com/sunilc_

If you're looking to increase your social presence too, here's the course that I found very useful:

https://gumroad.com/a/238777459/PBkrO