undefined | Better HN

0 pointsneurostimulant5y ago0 comments

With so many accounts compromised, the hackers might actually have full access to Twitter's backend. The postmortem would be very interesting. I'll be looking forward to it.

Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

0 comments

byteshock5y ago

If they had full access to Twitter’s backend, they probably would be tweeting from accounts like @POTUS or @jack. But this seems like they have access to limited accounts. Most likely gained access to a third party service that allows you to manage your tweets?

Edit: they tweeted from the twitter support account. Just wow. They might have actually gotten into Twitter’s systems.

Edit 2: To expand on my edit above, I saw multiple tweets from other accounts that showed a screenshot of the scam tweet originating from the twitter support account. I’m not sure if it’s real or not, since they keep deleting the tweets. If it is real that would definitely open doors to more theories.

Edit 3: Seems like the twitter support account was a joke. Impossible to tell with everything going on!

benlumen5y ago

You say they'd target POTUS but of the very high profile accounts it's so far billionaires, corporations and democrat politicians. Does make you wonder.

metrokoi5y ago

The POTUS account likely has more additional security than normal accounts.

2 more replies

Thorentis5y ago

I'm constantly amazed that people who are critical of billionaires and corporations, never wonder why billionaires and corporations are usually democrat supporters.

4 more replies

Pmop5y ago

I think that they just like to be alive, so they avoided hacking POTUS or other countries Presidents/PMs.

1 more reply

bollu5y ago

Can you clarify your edit? All I see is this tweet (https://twitter.com/TwitterSupport/status/128351803844522393...) which reads

We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.

Are you implying that this was tweeted by the attackers? or something else?

byteshock5y ago

I edited my comment, but basically I saw tweets that showed a screenshot of the scam tweet from the twitter support account. Not sure if it’s real since they delete the scam tweets.

1 more reply

VectorLock5y ago

The Twitter backend is probably heavily sprinkled with statements like `account_handle match { case "therealdonaldtrump" => throw new TrumpNotAllowedException("can't do"); }`

Especially after the last insider account tampering event.

mlinsey5y ago

I do think it's odd that so many prominent accounts were hit but not Trump's. I remember there was an incident a couple years ago that a trust and safety employee at Twitter suspended Trump's account on their last day. It's very likely that after that incident, special guards were set in place to prevent admin tools from messing with Trump's account. This would align with speculation that this hack targeted an internal employee admin tool.

Krasnol5y ago

Maybe they're POTUS fans ;)

tathougies5y ago

If they target @POTUS, I believe they'd be guilty of impersonating an elected official, which would make this an even more serious crime? I dunno

techntoke5y ago

They hack thousands of accounts and make national news, I doubt they are that worried. They probably just don't have access or they would have.

jmkni5y ago

Donald Trump was Tweeting in Farsi earlier, I was seriously on the fence about whether that was a genuine tweet.

eternalban5y ago

"3 people have been sentenced to death for participating in demonstrations. They could be subject to execution at any moment. This sends a deplorable message to the world and should not occur. #dont_execute"

[edit: not sure why this is getting so much silent attention. It is a literal translation of the tweet referenced in OP.]

benlumen5y ago

Totally agree, backend - Musk's tweets being deleted and popping up again before our eyes was a dead giveaway.

It could be SQL injection writing tweets directly to the database for all we know.

I agree with everyone else saying the site should be pulled. Incredibly sketchy.

VectorLock5y ago

Write through caches would need to send the tweets through the normal channels for them to 'fan out' instead of writing directly to MySQL. But essentially what you're saying about possible backend compromise.

ChuckMcM5y ago

It "feels" like an insider attack (simultaneous compromise of lots of high value accounts) but I agree, it will make for a fascinating post mortem if one is produced.

ChuckMcM5y ago

And now this : A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.

From - https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...

neurostimulantOP5y ago

Hmm, how much money this scam would potentially generates? I think the salary of an engineer working on twitter would be higher given how fast this scam would be shut down. Would a twitter employee risk their career to this scam?

WrtCdEvrydy5y ago

If you can't get caught, it's just some free money... depends on moral compass...

Maybe we'll get a leetcode question out of it, how much should you risk your career for after taking a job at a FAANG?

2 more replies

ChuckMcM5y ago

I would be surprised if it were an engineer, but not everyone who is employed would be an engineer. When I was at Google two fairly high profile incidents were enacted by contractors (one in the IT "TechStop" group and one a data center tech)

alberts005y ago

It might as well be an employee whose devices were compromised.

zelly5y ago

There is no way Twitter depends on Github CI/CD to push updates. I refuse to believe this.

sleepybrett5y ago

If they did, they would be running the self hosted option.

suzzer995y ago

That twitter buildspec.yml must be HUGE!

whoisjuan5y ago

And it seems that it's still compromised. Tweets get deleted and then they re-appear.

Narretz5y ago

30 minutes later and it still happens, just after "Elon" posted a normal message. Hopefully most users have caught on to the scam by now.

epanchin5y ago

Crazy twitter can’t pin a warning to everyone’s feed... or just kill the site.

1 more reply

slezyr5y ago

> All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!

> Only doing this for the next 30 minutes! Enjoy.

No, it's hacker's doing, they need to keep timestamps updated

jacquesm5y ago

It may be that the github outage is related. Too many companies rely on 3rd party hosted services for their deployment workflow. Even ones you really would not expect.

rvz5y ago

> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

Imagine that. At that point it would be more secure to self-host the code off of GitHub to push that critical fix Twitter sorely needs right now.

Its still on going as we type.

kelnos5y ago

> ... and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

I sincerely doubt Twitter depends on github.com. Github's enterprise version runs on your own infra, self-managed, and if Twitter uses GH at all, that'd be the version they use.

kyleee5y ago

boy I sure hope we get a juicy post mortem, this is quite a scam

misnome5y ago

I don’t think I’ve ever looked forwards to a postmortem so much, so many possibilities.

tornato75y ago

Twitter hasn't released postmortems for other incidents, so I wouldn't hold out hope

Sebb7675y ago

I'm just glad the fallout from this isn't nuclear, to be honest.

libraryatnight5y ago

and yet lots of technical type Twitter personalities tweeting like each individual user got popped. "OMG THEY GOT MR BEAST!" No, they got twitter. I mean its possible, we do not know, but this "They GOT so and so" thing is annoying at this point.

granzymes5y ago

Twitter almost certainly self-hosts GitHub, no?

one2know5y ago

Don't know, but current corporate dogma is to not host anything, including using third party auth provider which is like giving away their customer list.

fouc5y ago

Many larger corporations have strict rules on keeping things like their source code in-house, so that means no external services for code reviews or CI, etc.

justinmeiners5y ago

> current corporate dogma is to not host anything

Do you mean that they prefer using managed services? Or do you mean that the services managed by their internal IT utlize AWS/etc for servers as opposed to on premises.

2 more replies

brentm5y ago

I wonder if this is hack in the sense that the account passwords were compromised or that the system itself was compromised in a way that would allow the attacker to tweet from any account.

Darkphibre5y ago

I'd guess that Elon's first reaction would be to change the password. Since it's still happening, it's probably back-end.

kerng5y ago

Maybe a front end/OAuth issue - those are not uncommon either. Will be interesting to learn more.

Also begs the question, who is liable in such cases....

Scoundreller5y ago

Could be front end, since all of these cite "Twitter Web App" as the source. Never anything else (unless you're a low-follower troll).

CleanCoder5y ago

Liable for the account being compromised? Twitter. Liable for people sending money? People sending money.

gowld5y ago

How much will Twitter pay me for it's liability of my hacked account?

1 more reply

ragerino5y ago

It seems like the devs at Twitter are clueless, how this happened.

The hackers could be deep in Twitters systems, eventually even have even someone working at Twitter, or it's a result of a new yet unknown password list or phishing attempt.

ragerino5y ago

Just saw this https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...

Means they had someone inside Twitter.

maps75y ago

Why can twitter staff tweet under people's accounts? How does that make sense?

gsich5y ago

Selfhost. If you rely on Github for your service you are rightfully doomed.

gowld5y ago

Twitter depends on GitHub?

sidcool5y ago

Is the root cause and attack vector known?

vmception5y ago

probably a social media manager api keys

celticninja5y ago

I can't see that bill gates, Elon musk and every cryptocurrency channel using the same manager. This looks like something closer to a Twitter hack than an intermediary, especially with the the reposting after deletion.

kristofferR5y ago

No way, it's way too widepread and would be shut down by now.

Elon Musk, Barack Obama and Wiz Khalifa just tweeted the scam again this very minute, more than an hour since it started. This is backend access, Twitter can't figure out how to shut it down.

jacquesm5y ago

They could have shut these bitcoin giveaway scams down with a single regex a year ago when they first showed up. They let them go and this is the price they will pay. Let's see if someone is going to sue Twitter because 'verified' to be Bill Gates is meaningless now.

1 more reply

neurostimulantOP5y ago

But when you post a tweet via api, the tweet will include the app's name at the bottom? The screenshot in the article has "Twitter Web App" at the bottom.

throwaway432345y ago

Its not hard to believe that a group with the ability to hijack the twitter accounts of some of the world's most influential people could also hijack the "posted by" metadata.

1 more reply

MattGaiser5y ago

Do that many accounts use the same social media manager?

vmception5y ago

I think many people have try several of them before settling on one for their use case, and don't revoke the OAuth.

mtzaldo5y ago

I know hootsuite is a very popular app for managing the social media accounts.

1 more reply

lqet5y ago

> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

Is Twitter really using GitHub internally (even self-hosted)?

boarnoah5y ago

Is there even a self hosted Github? AFAIK there is no public offering of the sort.

cgk5y ago

Github has offered this for years: https://github.com/enterprise MIT used it for a long time.

AsyncAwait5y ago

There's (was?) an on-premises enterprise version.

dylz5y ago

Yes. https://enterprise.github.com/faq

ry4nolson5y ago

github enterprise i believe can be onprem

1 more reply

j / k navigate · click thread line to collapse

0 comments

byteshock5y ago

Edit: they tweeted from the twitter support account. Just wow. They might have actually gotten into Twitter’s systems.

Edit 3: Seems like the twitter support account was a joke. Impossible to tell with everything going on!

benlumen5y ago

You say they'd target POTUS but of the very high profile accounts it's so far billionaires, corporations and democrat politicians. Does make you wonder.

metrokoi5y ago

The POTUS account likely has more additional security than normal accounts.

2 more replies

Thorentis5y ago

I'm constantly amazed that people who are critical of billionaires and corporations, never wonder why billionaires and corporations are usually democrat supporters.

4 more replies

Pmop5y ago

I think that they just like to be alive, so they avoided hacking POTUS or other countries Presidents/PMs.

1 more reply

bollu5y ago

Can you clarify your edit? All I see is this tweet (https://twitter.com/TwitterSupport/status/128351803844522393...) which reads

We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.

Are you implying that this was tweeted by the attackers? or something else?

byteshock5y ago

I edited my comment, but basically I saw tweets that showed a screenshot of the scam tweet from the twitter support account. Not sure if it’s real since they delete the scam tweets.

1 more reply

VectorLock5y ago

The Twitter backend is probably heavily sprinkled with statements like `account_handle match { case "therealdonaldtrump" => throw new TrumpNotAllowedException("can't do"); }`

Especially after the last insider account tampering event.

mlinsey5y ago

Krasnol5y ago

Maybe they're POTUS fans ;)

tathougies5y ago

If they target @POTUS, I believe they'd be guilty of impersonating an elected official, which would make this an even more serious crime? I dunno

techntoke5y ago

They hack thousands of accounts and make national news, I doubt they are that worried. They probably just don't have access or they would have.

jmkni5y ago

Donald Trump was Tweeting in Farsi earlier, I was seriously on the fence about whether that was a genuine tweet.

eternalban5y ago

[edit: not sure why this is getting so much silent attention. It is a literal translation of the tweet referenced in OP.]

benlumen5y ago

Totally agree, backend - Musk's tweets being deleted and popping up again before our eyes was a dead giveaway.

It could be SQL injection writing tweets directly to the database for all we know.

I agree with everyone else saying the site should be pulled. Incredibly sketchy.

VectorLock5y ago

ChuckMcM5y ago

It "feels" like an insider attack (simultaneous compromise of lots of high value accounts) but I agree, it will make for a fascinating post mortem if one is produced.

ChuckMcM5y ago

From - https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...

neurostimulantOP5y ago

WrtCdEvrydy5y ago

If you can't get caught, it's just some free money... depends on moral compass...

Maybe we'll get a leetcode question out of it, how much should you risk your career for after taking a job at a FAANG?

2 more replies

ChuckMcM5y ago

alberts005y ago

It might as well be an employee whose devices were compromised.

zelly5y ago

There is no way Twitter depends on Github CI/CD to push updates. I refuse to believe this.

sleepybrett5y ago

If they did, they would be running the self hosted option.

suzzer995y ago

That twitter buildspec.yml must be HUGE!

whoisjuan5y ago

And it seems that it's still compromised. Tweets get deleted and then they re-appear.

Narretz5y ago

30 minutes later and it still happens, just after "Elon" posted a normal message. Hopefully most users have caught on to the scam by now.

epanchin5y ago

Crazy twitter can’t pin a warning to everyone’s feed... or just kill the site.

1 more reply

slezyr5y ago

> All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!

> Only doing this for the next 30 minutes! Enjoy.

No, it's hacker's doing, they need to keep timestamps updated

jacquesm5y ago

It may be that the github outage is related. Too many companies rely on 3rd party hosted services for their deployment workflow. Even ones you really would not expect.

rvz5y ago

> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

Imagine that. At that point it would be more secure to self-host the code off of GitHub to push that critical fix Twitter sorely needs right now.

Its still on going as we type.

kelnos5y ago

> ... and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

I sincerely doubt Twitter depends on github.com. Github's enterprise version runs on your own infra, self-managed, and if Twitter uses GH at all, that'd be the version they use.

kyleee5y ago

boy I sure hope we get a juicy post mortem, this is quite a scam

misnome5y ago

I don’t think I’ve ever looked forwards to a postmortem so much, so many possibilities.

tornato75y ago

Twitter hasn't released postmortems for other incidents, so I wouldn't hold out hope

Sebb7675y ago

I'm just glad the fallout from this isn't nuclear, to be honest.

libraryatnight5y ago

granzymes5y ago

Twitter almost certainly self-hosts GitHub, no?

one2know5y ago

Don't know, but current corporate dogma is to not host anything, including using third party auth provider which is like giving away their customer list.

fouc5y ago

Many larger corporations have strict rules on keeping things like their source code in-house, so that means no external services for code reviews or CI, etc.

justinmeiners5y ago

> current corporate dogma is to not host anything

Do you mean that they prefer using managed services? Or do you mean that the services managed by their internal IT utlize AWS/etc for servers as opposed to on premises.

2 more replies

brentm5y ago

I wonder if this is hack in the sense that the account passwords were compromised or that the system itself was compromised in a way that would allow the attacker to tweet from any account.

Darkphibre5y ago

I'd guess that Elon's first reaction would be to change the password. Since it's still happening, it's probably back-end.

kerng5y ago

Maybe a front end/OAuth issue - those are not uncommon either. Will be interesting to learn more.

Also begs the question, who is liable in such cases....

Scoundreller5y ago

Could be front end, since all of these cite "Twitter Web App" as the source. Never anything else (unless you're a low-follower troll).

CleanCoder5y ago

Liable for the account being compromised? Twitter. Liable for people sending money? People sending money.

gowld5y ago

How much will Twitter pay me for it's liability of my hacked account?

1 more reply

ragerino5y ago

It seems like the devs at Twitter are clueless, how this happened.

The hackers could be deep in Twitters systems, eventually even have even someone working at Twitter, or it's a result of a new yet unknown password list or phishing attempt.

ragerino5y ago

Just saw this https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...

Means they had someone inside Twitter.

maps75y ago

Why can twitter staff tweet under people's accounts? How does that make sense?

gsich5y ago

Selfhost. If you rely on Github for your service you are rightfully doomed.

gowld5y ago

Twitter depends on GitHub?

sidcool5y ago

Is the root cause and attack vector known?

vmception5y ago

probably a social media manager api keys

celticninja5y ago

kristofferR5y ago

No way, it's way too widepread and would be shut down by now.

Elon Musk, Barack Obama and Wiz Khalifa just tweeted the scam again this very minute, more than an hour since it started. This is backend access, Twitter can't figure out how to shut it down.

jacquesm5y ago

1 more reply

neurostimulantOP5y ago

But when you post a tweet via api, the tweet will include the app's name at the bottom? The screenshot in the article has "Twitter Web App" at the bottom.

throwaway432345y ago

Its not hard to believe that a group with the ability to hijack the twitter accounts of some of the world's most influential people could also hijack the "posted by" metadata.

1 more reply

MattGaiser5y ago

Do that many accounts use the same social media manager?

vmception5y ago

I think many people have try several of them before settling on one for their use case, and don't revoke the OAuth.

mtzaldo5y ago

I know hootsuite is a very popular app for managing the social media accounts.

1 more reply

lqet5y ago

> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

Is Twitter really using GitHub internally (even self-hosted)?

boarnoah5y ago

Is there even a self hosted Github? AFAIK there is no public offering of the sort.

cgk5y ago

Github has offered this for years: https://github.com/enterprise MIT used it for a long time.

AsyncAwait5y ago

There's (was?) an on-premises enterprise version.

dylz5y ago

Yes. https://enterprise.github.com/faq

ry4nolson5y ago

github enterprise i believe can be onprem

1 more reply

j / k navigate · click thread line to collapse