Late Friday afternoon, a group of hackers gained access to Twitter CEO Jack Dorsey’s account and tweeted plugs for the group’s Discord server and a series of offensive messages to the account’s 4.2 million followers.
Within 15 minutes, Dorsey had regained control. The group, known as Chuckling Squad, was banned from Discord. The tweets were deleted. Things seemed to return to normal.
While Dorsey’s account may no longer be sharing offensive tweets, the ordeal stands as a reminder that even high-profile accounts can have serious vulnerabilities. And in this case, that vulnerability was with phone-based authentication.
According to The Verge, that’s how Chuckling Squad gained access to Dorsey’s account. Twitter’s text-to-tweet service, which is operated by the acquired service Cloudhopper, allows Twitter users to post tweets through SMS messages. If you add your phone number to your Twitter account, you can post tweets to your account by sending a message to a shortcode number.
The thing is, many people have their phone number connected to Twitter, either for security verification or simply because when you sign up for a Twitter account, it asks you to put in your phone number by default. (Users can switch to email if they prefer, but people tend to roll with the default option.)
All this means that control of a user’s phone number is enough to post tweets to their account. And in Dorsey’s case, it was a lot easier than you might think.
The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.
— Twitter Comms (@TwitterComms) August 31, 2019
A Twitter statement about the hack notes that a “security oversight” by Dorsey’s mobile provider allowed the hackers to gain control. The type of attack employed by Chuckling Squad is usually known as ‘SIM hacking,’ and often involves tricking a carrier into assigning someone’s phone number to a new phone controlled by the hacker.
An old trick lets Chuckling Gang tweet from Dorsey’s account
According to The Verge, this isn’t a new technique, but it’s often used to steal Bitcoin or high-value Instagram handles. That said, anyone with a phone could be vulnerable to SIM hacking. With the prevalence of phone-based authentication techniques, SIM hacking is a favourite tool for malicious actors. You can protect yourself by adding a PIN code to your carrier account or by using a dummy phone number for online accounts. However, both options can be a lot of work for the average user.
Chuckling Squad, for example, has relied on this trick before. The group previously targeted online influencers. The Verge notes that the group seems to have a particular trick with U.S. carrier AT&T — which happens to be Dorsey’s provider as well — but it isn’t clear how they gained control of Dorsey’s number. AT&T didn’t respond to The Verge’s request for comment.
Unfortunately, these kinds of attacks go well beyond SIM hacking and Chuckling Squad. Dorsey was the target of a similar attack in 2016, which manipulated third-party plugins to send tweets to his account.
Fixing these issues wouldn’t be difficult for Twitter. For one, the company could move away from requiring phone numbers for security verification. Alternatively, it could make its text-to-tweet service more secure. But considering the company has now failed to secure the CEO’s account twice, it’s questionable if it will do anything at all.
Source: The Verge