undefined | Better HN

0 pointsNextgrid5y ago0 comments

Initial postmortem: https://twitter.com/TwitterSupport/status/128359184496275046...

Seems to be a social-engineering attack on Twitter staff.

0 comments

Very strange. Why exactly is it possible for any employee to tweet as any user? Unless the person who was targeted was the Database admin himself or something.

Even then, how tech illiterate is this employee with such high permissions to fall for a social engineering attack? I would like to know what this employee's role was in the company.

Also who did the social engineering?

mardifoufs5y ago

If I had to guess, the attackers probably didn't even need twitter employees to have direct access to the accounts. If support tools allow Twitter support staff to change a user's email (which would make more sense, but still be extraordinarily unsecure), you basically get full access to the accounts the moment you get control over those tools. It would also explain why all the account emails seem to have been changed.

But even then, that there is no system to detect mass modifications and no delay before the changes take place is incredible. Unless they were able to social engineer their way into multiple employee's accounts to avoid detection, which would be an incredibly bad problem by itself.

Twitter seems to have a shaky history when it comes to limiting employee access to account info.

scoutt5y ago

"Hello? Twitter support? Yes, I want to change my email address. I'm Elon Musk."

blisseyGo5y ago

I am really doubtful they were able to change the email and phone of so many celebrities and powerful people at the same time by phone. Twitter stated "social engineering" but I don't think this was for changing emails and phones of each person one by one.

tjomk5y ago

Well, it's actually not that hard to fall for social engineering even if you're well educated about the topic. Have a listen to an interview Christopher Hadnagy gave on Darknet Diaries.

swimfar5y ago

Here's the episode: https://darknetdiaries.com/episode/69/

blisseyGo5y ago

Fair point. I still want to know how it happened and how the employee who's got to have very high level permissions managed to give access to the entire system including change user email and phone numbers.

j / k navigate · click thread line to collapse

0 comments

blisseyGo5y ago

Very strange. Why exactly is it possible for any employee to tweet as any user? Unless the person who was targeted was the Database admin himself or something.

Even then, how tech illiterate is this employee with such high permissions to fall for a social engineering attack? I would like to know what this employee's role was in the company.

Also who did the social engineering?

mardifoufs5y ago

Twitter seems to have a shaky history when it comes to limiting employee access to account info.

scoutt5y ago

"Hello? Twitter support? Yes, I want to change my email address. I'm Elon Musk."

blisseyGo5y ago

tjomk5y ago

Well, it's actually not that hard to fall for social engineering even if you're well educated about the topic. Have a listen to an interview Christopher Hadnagy gave on Darknet Diaries.

swimfar5y ago

Here's the episode: https://darknetdiaries.com/episode/69/

blisseyGo5y ago

j / k navigate · click thread line to collapse