Friday afternoon, Jack Dorsey's 4.2 million Twitter followers got a nasty surprise. A group of vandals gained access to the account and used it to blast out aggressive messages and plugs for the group's Discord channel. Within 15 minutes, the account was back under control and the group was banned from Discord, but the case is a reminder of how seriously vulnerable even the most famous accounts are, and of how insecure phone-based authentication remains.
The hackers came in through Twitter's text-to-tweet (TTS) service, operated by the acquired service Cloudhopper. Cloudhopper lets Twitter users post tweets by sending a text message to a short code number (typically 40404). It is useful for simple phones or when you don't have access to the Twitter app. The system only requires that your phone number be associated with your Twitter account, which most users have already done for separate security reasons. As a result, control of your phone number is usually enough to post tweets to your account, something most users are unaware of.
Taking control of Dorsey's phone number wasn't as difficult as you might think. According to a Twitter statement, a "security oversight" by the provider allowed the hackers to take control. In general, this kind of attack is called SIM hacking: the carrier is persuaded to assign Dorsey's number to a new phone that the attackers control. It is not a new technique, though it is more often used to steal Bitcoin or expensive Instagram handles. It can be as simple as plugging in a leaked password. You can protect yourself by adding a PIN code to your carrier account or by registering web accounts like Twitter with a dummy phone number, but these techniques can be too demanding for the average user. As a result, SIM swapping has become one of the favorite techniques of online troublemakers. As we now know, it works more often than you would think.
The crew that took over Dorsey's account is called Chuckling Squad. Its most prominent activity to date has been a series of attacks on online influencers, targeting as many as 10 other figures before Dorsey. There seems to be a special trick with regard to AT&T in particular, the carrier of Toji, but it is not clear exactly how control is obtained. (AT&T did not respond to requests for comment.)
The history of these hacks is much older than Chuckling Squad or SIM swapping. Any system that makes it easy for users to tweet also makes it easier for hackers to take control of their accounts. In 2016, Dorsey was subject to a similar attack that leveraged approved third-party plugins, which were often abandoned but still retained the ability to send tweets to the account. As SIM swapping has become more widely understood, the technique has grown less conspicuous, but the basic goal of drive-by vandalism has not changed significantly.
Still, the incident is embarrassing to Twitter, and not only because of the immediate scramble to regain control of the CEO's account. The security industry has known about SIM swapping attacks for years, and Dorsey's account has been compromised before. Simply failing to keep control of the CEO's account is a serious failure for the company, and it led to a few minutes of confusion. Hopefully, Twitter will learn from this incident and prioritize stronger security, moving Twitter validation away from SMS, but given the company's track record, many will not be holding their breath.