undefined | Better HN

0 pointsblisseyGo5y ago0 comments

Tweet from TwitterDev team yesterday:

https://twitter.com/TwitterDev/status/1283068902331817990

> 2 days to go… #TwitterAPI

https://twitter.com/TwitterDev/status/1283433096780677122

> Thank you to all of you who have engaged with us and shared your feedback. Your input has been vital, and we’re committed to continuing these conversations with you. There’s so much more we’re doing to build a better #TwitterAPI… and Early Access is coming tomorrow!

Were they supposed to launch some new API tomorrow which got hacked?

0 comments

zelly5y ago

It looks like someone found a 0-day in the new API and wanted to use it before others did. Probably didn't help that the bug bounty for this would have been only 7k. How much does the Twitter employee who implemented this bug get paid?

https://twitter.com/LiveOverflow/status/1283511782380908545

anonu5y ago

We now know it wasn't a 0 day. It was socially engineered access to internal tools. That's still a tricky one to lockdown.

metafunctor5y ago

It's tricky to fully prevent (considering conspiracies of multiple people) but not that tricky to ensure the responsible internal parties will be identified and brought to justice.

Working from home of course always leaves open the question if a person was willingly participating in a crime or was forced at gunpoint.

However, in this case, looks like Twitter's internal tools simply give too much access to people to control access to Twitter accounts. Probably no gunpoint required, just a single compromised employee. It remains to be seen how willingly they have participated.

johnnyfaehell5y ago

More info on this https://techcrunch.com/2020/07/15/twitter-hacker-admin-scam/

1 more reply

kabacha5y ago

Currently their earned BTC balance is $120k+ for comparison. That's a pretty successful scam and 5% of potential revenue will not make anyone go white hat.

aj35y ago

Many previous ICO hacks (wait for initial coin offering -> change the bitcoin address to your own) have paid millions. Musk's or Buffet's tweets have moved markets multiple times. This sort of access could have been leveraged to gain at least x100 more than what they achieved.

1 more reply

metafunctor5y ago

Sorry, but $120k is ridiculously low for something like this.

1 more reply

css5y ago

Or someone making one last use of an exploit on the old API, since ostensibly there is a day to go before the new API is released on the public net.

Sebb7675y ago

This might actually explain the simple scam nature. Setting up more complex monetisation, i.e. by shorting a company, takes quite a while, especially if you don't want to be tracked. A bitcoin scam is quick and simple to do. And it's not _too_ illegal (compared to, for example, stock manipulation), so the attacker will probably catch less heat.

Nextgrid5y ago

The advantage of cryptocurrencies is that it allows you to commit the scam anonymously easily and defers the laundering of the money for later, giving you time to devise a scheme to launder it.

Stock markets or fiat currencies on the other hand require quite a bit of work upfront to set up an account before you can trade.

1 more reply

celticninja5y ago

Stock trades are easier to trace, but both can be traced with sufficient resources.

pldr12345y ago

Perhaps they shorted Twitter, before this huge public demonstration? I hadn't considered it until your message, but it makes the most sense to me.

blisseyGoOP5y ago

https://developer.twitter.com/en/docs/labs/overview/whats-ne...

I don't see any depreciations happening which could result in today's hack. Though I could be wrong.

mdoms5y ago

I don't think they were planning to immediately deprecate and remove the old API. Is there any reason to believe this is the case?

blisseyGoOP5y ago

From here:

https://developer.twitter.com/en/docs/labs/overview/whats-ne...

I don't see any depreciations from today/tomorrow which would be related to what happened.

zmmmmm5y ago

That actually makes the most sense to me. Even makes me wonder about whether it could be an insider leak - someone who knows of an unadvertised exploit that has been patched internally and sold it at the last minute or something.

Nightshaxx5y ago

This makes way more sense than any of the other suggestions in HN.

DMs are almost worthless; who uses DMs for anything important? It's for contacting people you kinda know but not really. State secrets aren't transitted over DM, but not because people wouldn't be stupid enough to do it. the people holding them are much older than the demographic that uses Twitter DMs. Worst case with DMs is some new YouTuber drama would be exposed.

thereare5lights5y ago

You're underestimating the situation. One possibility is that someone has some information that can be used to blackmail them be exposed. I wouldn't be surprised if there was a politician that used Twitter DMs in such a fashion.

1 more reply

dawnerd5y ago

a lot of tech support includes PII over DM. Just in my list right now tmobile has enough in a dm thread for someone to call up and take over my line. It's stupid.

Spooky235y ago

Never underestimate the power of stupid. There is unlimited potential.

dmix5y ago

Nice catch, this may be what it was.

Edit: looks like an admin panel was the culprit https://news.ycombinator.com/item?id=23853786

Solvitieg5y ago

I don't understand this angle because typically admin panels only let you manage the account; deactivate, manage email address, etc. As shown in the screenshots.

Tweeting on behalf of another user seems like an unnecessary feature to give admins.

Widdershin5y ago

I've worked on products before that have a feature that lets an admin open the site using the user's session, which is useful for verifying issues that only present when logged in as the user.

To be fair though, this was not for a social network, and even if you broke into that account there wasn't much you could do beyond paying the user's bills.

dlgeek5y ago

Current consensus theory is attackers used the admin panel to change email address to an account they owned, then used that to trigger a password reset and gain control.

ryanisnan5y ago

Early access wasn't supposed to be enabled until tomorrow. I wouldn't speculate until they give a post-mortem.

blisseyGoOP5y ago

What timezone is "tomorrow"? Did this happen at midnight for some timezone?

1 more reply

wybiral5y ago

It seems weird to me that Twitter would have disabled tweets from verified accounts instead of disabling tweets from the API though.

shmoogy5y ago

That's really suspicious timing - probably was an exploit against the new api.

jonahbenton5y ago

Finally, a reasonable explanation.

j / k navigate · click thread line to collapse

0 comments

zelly5y ago

https://twitter.com/LiveOverflow/status/1283511782380908545

anonu5y ago

We now know it wasn't a 0 day. It was socially engineered access to internal tools. That's still a tricky one to lockdown.

metafunctor5y ago

It's tricky to fully prevent (considering conspiracies of multiple people) but not that tricky to ensure the responsible internal parties will be identified and brought to justice.

Working from home of course always leaves open the question if a person was willingly participating in a crime or was forced at gunpoint.

johnnyfaehell5y ago

More info on this https://techcrunch.com/2020/07/15/twitter-hacker-admin-scam/

1 more reply

kabacha5y ago

Currently their earned BTC balance is $120k+ for comparison. That's a pretty successful scam and 5% of potential revenue will not make anyone go white hat.

aj35y ago

1 more reply

metafunctor5y ago

Sorry, but $120k is ridiculously low for something like this.

1 more reply

css5y ago

Or someone making one last use of an exploit on the old API, since ostensibly there is a day to go before the new API is released on the public net.

Sebb7675y ago

Nextgrid5y ago

The advantage of cryptocurrencies is that it allows you to commit the scam anonymously easily and defers the laundering of the money for later, giving you time to devise a scheme to launder it.

Stock markets or fiat currencies on the other hand require quite a bit of work upfront to set up an account before you can trade.

1 more reply

celticninja5y ago

Stock trades are easier to trace, but both can be traced with sufficient resources.

pldr12345y ago

Perhaps they shorted Twitter, before this huge public demonstration? I hadn't considered it until your message, but it makes the most sense to me.

blisseyGoOP5y ago

https://developer.twitter.com/en/docs/labs/overview/whats-ne...

I don't see any depreciations happening which could result in today's hack. Though I could be wrong.

mdoms5y ago

I don't think they were planning to immediately deprecate and remove the old API. Is there any reason to believe this is the case?

blisseyGoOP5y ago

From here:

https://developer.twitter.com/en/docs/labs/overview/whats-ne...

I don't see any depreciations from today/tomorrow which would be related to what happened.

zmmmmm5y ago

Nightshaxx5y ago

This makes way more sense than any of the other suggestions in HN.

thereare5lights5y ago

1 more reply

dawnerd5y ago

a lot of tech support includes PII over DM. Just in my list right now tmobile has enough in a dm thread for someone to call up and take over my line. It's stupid.

Spooky235y ago

Never underestimate the power of stupid. There is unlimited potential.

dmix5y ago

Nice catch, this may be what it was.

Edit: looks like an admin panel was the culprit https://news.ycombinator.com/item?id=23853786

Solvitieg5y ago

I don't understand this angle because typically admin panels only let you manage the account; deactivate, manage email address, etc. As shown in the screenshots.

Tweeting on behalf of another user seems like an unnecessary feature to give admins.

Widdershin5y ago

I've worked on products before that have a feature that lets an admin open the site using the user's session, which is useful for verifying issues that only present when logged in as the user.

To be fair though, this was not for a social network, and even if you broke into that account there wasn't much you could do beyond paying the user's bills.

dlgeek5y ago

Current consensus theory is attackers used the admin panel to change email address to an account they owned, then used that to trigger a password reset and gain control.

ryanisnan5y ago

Early access wasn't supposed to be enabled until tomorrow. I wouldn't speculate until they give a post-mortem.

blisseyGoOP5y ago

What timezone is "tomorrow"? Did this happen at midnight for some timezone?

1 more reply

wybiral5y ago

It seems weird to me that Twitter would have disabled tweets from verified accounts instead of disabling tweets from the API though.

shmoogy5y ago

That's really suspicious timing - probably was an exploit against the new api.

jonahbenton5y ago

Finally, a reasonable explanation.

j / k navigate · click thread line to collapse