Edit: Or a trading play? That would have taken place while the markets were open, though. TWTR after-hours trading is off 3% on the news.
https://twitter.com/apple and now one scam alone https://twitter.com/Apple/status/1283506278707408900
Is it possible that you thought your comment was removed because in fact it was on one of the later pages of comments? That is simple pagination. I tried to tell people about this by pinning https://news.ycombinator.com/item?id=23853229 to the top of the first page.
Hopefully, an eventual post-mortem is gonna be juicy and then we can critique all we want.
Interesting. I wonder if it was an SMS hack, and if not, then a new kind of vulnerability?
https://www.theverge.com/2020/4/27/21238131/twitter-sms-noti...
https://info.phishlabs.com/blog/sim-swap-attacks-two-factor-...
> Stepping down from TSLA effectively immediately. Focusing 100% on SpaceX. Life's short.
This could easily be worth $100m's
Will Twitter get sued by the people who fell for this scam? By the people who got hacked?
Considering execution, it may be that this is some API 0day which does not show (or makes it hard to guess) which account messages are being posted from. How else would you explain neutral messages for all accounts when you could've personalised it per account to maximize efficiency?
This.
Hacking the right Twitter account could easily have massive life-and-death consequences. Isn’t that terrifying?
EDIT: Not that it would matter here. Just curious.
If you had backdoor access to any Twitter account, why on earth wouldn't you tweet as Trump?
Another possibility is that they are indeed just after the money and compromising Trump's account would prompt a faster response from Twitter (possibly taking down the entire account or platform) and reduce the effectiveness of the scam.
I've heard of this feature existing with the software used by phone companies and hospitals. Employees who poke around looking at famous people soon get locked out of the system.
That is very odd.
It might make sense for Twitter to redirect all non-retweets of that address to /dev/null (or a sandbox) for a little while.
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
This is suspiciously underwhelming use of an exploit.
Over 30ish minutes now. Holy shit, it's going to be fun to see the outcome of this.
Which leads me to believe someone has really hacked twitter in a bad way or there's someone on the inside helping them.
https://twitter.com/search?q=All%20Bitcoin%20sent%20to%20the...
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
e.g. tweets like this look like people are consciously looking for attention: https://twitter.com/Statist_Sam/status/1283533522536411136
I've read the comments here and quite surprisingly there are a lot of folks saying that the value of this hack isn't worth more than roughly one year's salary at Twitter (as an intern). I appreciate the pragmatism, but unlikely.
Anyone with this kind of exploit could have sold it, moved to Russia, and received immunity from extradition. Secondly, people should be scrutinizing any moron willing to give away thousands of dollars to billionaires for a promise of a 2x return. Especially in these times.
So, reason can only allow us to arrive at a most likely cause. That this was indeed an inside job. It was not about money. It was not a security flaw. But rather, it was simply a group of employees that were unhappy with Twitter allowing the federal government to investigate bad actors on the platform behind closed doors.
And here is why: https://www.scribd.com/document/467148777/DHS-Social-Media-L...
Attacker(s) could profit immensely if they had leveraged short positions cleverly placed.
Users losing a few hundred thousand is getting off light considering the severity of this attack and how much worse it could have been.
Not that I think the gov could do a better job, but that doesn't stop them elsewhere.
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
Back in 2013 when I was working at Sky News, the person responsible for the social media accounts (with millions of followers in total) stormed into a meeting: "Our Twitter account has been hacked".
This was at a time when many high-profile news Twitter accounts were hacked by so-called "electronic armies" who published damaging tweets. However, in our case it was a single obscure "Colin was here" tweet.
We had recently built an internal endpoint in one of the backend apps that takes a string and publishes it straight to the main breaking news Twitter account. This was integrated with a custom UI tool that the news desk people used to quickly break a story across TV, Twitter, the website etc with one click.
I had a suspicion that this endpoint was how that tweet was published, but could not prove it. Many thoughts were going through my head: "is this an internal job, or did someone hack our backend system and somehow figure this out, etc."
We quickly returned to our desks, and straight away I grepped our logs for "tweeting", as I developed that feature and was sure we logged that when the endpoint is called, but in the heat of the moment forgot the "-i", as the log message actually contained "Tweeting" (which cost us a few minutes). In the meantime there was panic around the business, people were putting out PR statements just in case it was a real hack, the tweet was deleted etc.
Finally, with help from colleagues, we tracked down a "Tweeting" log message around the same time the tweet was published along with the HTTP request source IP, and traced it (just like in movies) to our secondary news studio in Central London. This is when one of the managers shouted "I know a Colin who works there, he's a testing team manager!".
We gave Colin a ring to understand what was going on; he had no idea about any of this but said he was doing some DR testing earlier of all the tools that editors use, and wasn't really aware this would go out. As you can imagine, it could have been much worse.
The entertaining bit was the 30 minutes of fame this mysterious Colin enjoyed on the internet, where many people were worried about the welfare of "Colin", and it was picked up by various [1] news [2] websites.
[1] https://www.buzzfeed.com/lukelewis/an-important-history-of-t... [2] https://www.buzzfeed.com/lukelewis/an-important-history-of-t...
Their reputation and the post-mortem/cleanup effort of this hack already wiped out a significant chunk of their advertising profit. Taking down the platform for one day would be a drop in the bucket in comparison.
They are causing extreme damage to lots of high-profile people's reputation every second the platform is kept active. I wouldn't be surprised if lawsuits appear as a result of this. Taking down the entire platform would be safer and would at least stop the damage.
[edit]
Some are wondering if this is some type of money laundering scheme: https://twitter.com/nktpnd/status/1283521742602940420
https://twitter.com/jack/status/1283169859233214465
> #bitcoin @BubbaWallace
So Twitter is the real-life Jita local chat? Does this also mean BTC is as meaningless as ISK, that people are willing to gamble it on a doubling scam?
Archive: http://archive.is/8lCMV
https://www.washingtonpost.com/news/worldviews/wp/2013/04/23...
Block bitcoin addresses, and they'll move on to different types of messages.
Obama is in there, Jeff Bezos, Bill Gates and many other prominents that have nothing to do with crypto.
@Apple hasn’t Tweeted
When they do, their Tweets will show up here.
https://twitter.com/Apple
Not clear who is "You" here; all accounts are just verified or selected accounts.
Some accounts were protected with 2FA, so it probably is some exploit in the API which affects many accounts (possibly all?), some intrusion in the Twitter infrastructure, or some exploit which allows people to hijack accounts. But that's really just an educated guess.
Considering it doesn't seem fixed yet, I'm not even sure the Twitter people have a complete understanding of what's going on yet.
About the client: they are posted from accounts that have only used "Twitter for Web", or only used "Twitter for Mac", or only used "Twitter for iPhone"... in the past.
Updated accounts with the spam.
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
Not sure if such a massive, simultaneous hacking operation makes sense for ~$120k worth of BTC. As other commenters mentioned, postmortem of this one should be interesting.
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
@Apple @Uber @elonmusk @kanye @MikeBloomberg @JoeBiden @WarrenBuffet @wizkhalifa @BarackObama @JeffBezos @MrBeastYT @FloydMayweather @LuckyovLegends @xxxtentacion
1JustReadALL1111111111111114ptkoK
1TransactionoutputsAsTexta13AtQyk
1YouTakeRiskWhenUseBitcoin11cGozM
1BitcoinisTraceabLe1111111ZvyqNWW
1WhyNotMonero777777777777a14A99D8
1forYourTwitterGame111111112XNLpa
Link: https://www.blockchain.com/btc/tx/67b814526ae6ee78a16059bfcf...
It looks like this was pretty successful for the hacker. At the time of writing they received ~3.1 BTC, or ~$29k in USD[1].
Edit: Replaced [1] with a site that appeared to have less trackers according to Privacy Badger.
[0]: https://web.archive.org/web/20200715202030/https://twitter.c...
[1]: https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
They should have pulled the plug an hour ago, and that plug pulling should have been automated.
If this were something even more sinister a whole country could have plummeted into chaos, death, destruction.
Simultaneous compromise leading to tens or hundreds of millions of people receiving the same / similar messages for over an hour from the people they trust the most.
Death and destruction waiting to happen.
I suspect the actual numbers and percentages of the whole of each would be surprising...
I can't help but imagine how any account on twitter would be safe if the Bill Gates', Elon Musk's, and top crypto site's Twitters are compromised.
According to this, 6.1 BTC, which is around 56k USD
* thrown the site in read only mode OR
* taken the entire site down
Until they can fix the security vulnerabilities. That would be better than what is happening now.
As many others have noted, access to the compromised accounts is worth several orders of magnitude more money than the hackers were able to extract using this naive bitcoin scam. Whether it's used to manipulate markets or just resold, the hack is probably worth millions or tens of millions. Is it plausible that hackers who could coordinate and execute this kind of a breach would not know how to maximize the value of the hack and would instead opt for a really naive and not especially lucrative BTC scam?
It is also pretty common knowledge that the activist investor hedge fund Elliott Management has wanted Jack Dorsey removed as Twitter's CEO for quite some time. What if the BTC scam is a cover for corporate espionage? What if the purpose of the hack was actually to make Dorsey look incompetent in the most public way possible, and possibly turn many influential public figures against Twitter? Elliott Management has the resources to finance a breach like this as well as the motive.
An alternate theory would be that this actually was a form of market manipulation -- manipulation of Twitter's share price.
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
Also:
- Musk
- Bill Gates
- Apple
- Uber
- Jeff Bezos
- Joe Biden
- MrBeast
One after another big handles getting hacked!
Collection till now has crossed 12 BTC (https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...)
It's one thing going after a couple celebrities and CEOs, but they've now hit a former US President and a current Presidential candidate.
https://twitter.com/asculthorpe/status/1283501026281127937
Try to warn people and you get slammed for it.
Ugh.
https://www.whitehouse.gov/presidential-actions/presidents-e...
Edit: I stand corrected, many other comments mention that the offending tweets appear to be posted from the web app, so this suggests an issue within Twitter itself.
"Security is Myth."
I was surprised Apple especially got their account hacked, since they are big on security as a company. I know with Facebook a page can have multiple person accounts managing it, but I don't believe Twitter ever had such a thing unless more recently... So if you want multiple people to manage an account you'd use a special tool or just share the login info between your social media team.
I kinda feel like if you have to commute to an office there's maybe more accountability, as I'd feel someone might be looking more over your shoulder, but it'd depend on whether people get private offices or a more open office design.
Twitter and Reddit's tech incompetence absolutely baffles me. How are billion dollar companies not able to make functional video players?
Here's a tweet from KimKardashian, for a different BTC address (bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l) https://twitter.com/KimKardashian/status/1283523054874877953
All it takes is 100 gullible people to net $100k, and there's a lot more than 100 gullible people on Twitter.
And it all happened in the span of 20 minutes. Can we expect any better response in the hopes of preventing this next time assuming all the accounts are hacked already? Or does the nature of realtime media and hundreds of bored eyes sitting on wads of cryptocurrency getting to it first mean it's just game over?
I remember the golden days of messing up people's lives over digital terminals, where the most they'd do was wipe your hard disk, or warn the user of something vaguely ominous on the third Tuesday of April like "the Reaper's gonna get you", or play an 80's Top Ten number rendered through the PC speaker all of a sudden, scaring you to death.
From here on out it's always going to be about money, and to me that's just boring and sad.
We've had the technology to avoid these sorts of issues for decades and it's a shame it's still largely unused. Yeah, I know the argument that PGP usability is really bad, but it doesn't mean Twitter or other networks used as official channels can't provide their own friendly interface and start signing/verifying messages; they certainly have the resources.
Transactions 253
Total Received $101,539.14
Link to address:
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
Not like everyone who sees these tweets has bitcoin accounts, but less than 300 falling for the fake tweets is such a small number in terms of populations.
Vive la plebs!
Hours in, seems the vulnerability was not yet patched but simply blue-checks had posting rights pulled. Only non-verified accounts have been posting the wallet key for a while now (search new to find them).
I know it's easy to judge from afar but I can't believe they're leaving the site up during this.
Could be a setup https://twitter.com/jfbsbnix/status/1283487977591767041
Or maybe a dodge https://twitter.com/verretor/status/1283506654521094146
It's worth noting these types of blackhat crypto scammers make millions a year from this already, but this is definitely making it a lot worse.
EDIT: Still going on after 30+ minutes, seeing people like Bill Gates tweet crypto scams still. Amazed they got all the crypto exchange too.
And it's not just Bitcoin, they got Ripple too and posted XRP addresses.
Trying to figure out why would they let such a massive hack play out for over an hour instead of pulling the kill switch.
https://twitter.com/TwitterSupport/status/128359184646423347...
Thanks
New Address: bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w9l https://mobile.twitter.com/CashApp/status/128352200769559757....
This could have a profound impact on governments who want to target dissidents if somebody for example, only felt comfortable criticizing their government from a protected account...
Or maybe it was a multipronged attack that included social media management software and OAuth
but the hilarious most visible solution is that Twitter now disabled all verified accounts
and they should keep it that way
Is there any proof Twitter was hacked and not just these two accounts?
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
- Apple
- Bill Gates
- Elon Musk
- Jeff Bezos
- Joe Biden
- Barack Obama
- Michael Bloomberg
- Kanye West
- Wiz Khalifa
- Bitcoin
- Ripple
- Coinbase
- BINANCE
- CZ_Binance
- Gemini
- Kucoin
- Gate .io
- Coindesk
- Tron
- Justin Sun
- Charlee Lee
That seems like someone got full access to the backend, not the accounts per se.
Also worth mentioning that the tweets get deleted but then they get added and pinned again.
Provided I'm not a cryptography expert and you should explore my ideas with caution, why not even just sign every tweet with an ed25519 signature? It's only 64 bytes tacked onto the message and easy to verify...
hi hacker news
-----BEGIN PGP SIGNATURE-----
iIIEARYKACoWIQSiJQKEVJeJondn78BXE/NAGxPd0QUCXw/JqwwcZm9vQGJhci5j
b20ACgkQVxPzQBsT3dGf1gEAwMzbCxEaEJzRjJwFe90TRrXZiIe4KD9cZ64CHZEz
eKEA/3W0ZIx6TOASPrzuTLytBK8OsL9FFAVWMUGTyLJSSh8O
=ORB6
-----END PGP SIGNATURE-----
A little more cumbersome than I imagined but proves that the contents of a tweet can contain a message and a digital signature.
Putting tweets on a blockchain would make it very difficult to delete them or edit them but offer no more certainty than a regular tweet that includes a signature verifiable with a known public key of mine.
I just don't want someone impersonating me on any one of the many random websites I have a profile on, where anyone with access to the db can write whatever they want under my name.
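As an added example (not from any commenter in the thread), here is what the "signature tacked onto the message" idea from the PGP and ed25519 comments above looks like in Go with the standard library's crypto/ed25519: the account owner signs the tweet text with a key Twitter's backend never holds, and anyone with the published public key can reject text that was posted by someone who merely controls the account. The " sig:" separator and the base64url encoding are my assumptions about the wire format; nothing here is Twitter's own scheme.

```go
// Added example: end-to-end signing of a tweet body with ed25519.
// The 64-byte signature is appended to the text as base64url (86 characters),
// so the whole thing still fits inside a tweet. Assumed format, not Twitter's.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// sigMarker separates the human-readable text from the encoded signature.
// Assumption for this example; any unambiguous separator would do.
const sigMarker = " sig:"

// NewKeyPair generates an ed25519 key pair. The private key stays with the
// account owner (e.g. a hardware token), never with the platform.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignTweet returns text + marker + base64url(signature over text).
func SignTweet(priv ed25519.PrivateKey, text string) string {
	sig := ed25519.Sign(priv, []byte(text)) // always ed25519.SignatureSize (64) bytes
	return text + sigMarker + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyTweet splits a signed tweet and checks the signature against the
// account's known public key. It returns the original text and true only if
// the signature is present, well-formed and valid; a tweet posted by someone
// who controls the account but not the key fails this check.
func VerifyTweet(pub ed25519.PublicKey, signed string) (string, bool) {
	// LastIndex: the appended signature is always the final marker, even if
	// the text itself happens to contain the marker string.
	i := strings.LastIndex(signed, sigMarker)
	if i < 0 {
		return "", false // unsigned tweet: treat as unverified
	}
	text, enc := signed[:i], signed[i+len(sigMarker):]
	sig, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", false // malformed signature field
	}
	if !ed25519.Verify(pub, []byte(text), sig) {
		return "", false // text altered or signed with a different key
	}
	return text, true
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample tweet, not a real post.
	signed := SignTweet(priv, "Stepping down, focusing 100% on SpaceX")
	fmt.Println("signed tweet:", signed)
	fmt.Println("overhead (chars):", len(signed)-len("Stepping down, focusing 100% on SpaceX"))

	if text, ok := VerifyTweet(pub, signed); ok {
		fmt.Println("verified:", text)
	}
	// An attacker with account access but no key can post text, but cannot
	// produce a signature that verifies under the owner's public key.
	forged := "Send 1 BTC, get 2 back" + sigMarker + strings.SplitN(signed, sigMarker, 2)[1]
	_, ok := VerifyTweet(pub, forged)
	fmt.Println("forged tweet verifies:", ok) // false
}
```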
Or as Matt Levine said, "if I got Elon Musk's twitter password I'd wait until market hours to use it."
When a user promotes a tweet, they are given the option to hide it, so that it won't show up to users who are following the account directly, or who are looking at the account's profile. This is so that (for example) a company that posts a dozen different variants of an advertisement for different markets won't have all twelve of those show up on their profile page, or on the timeline of any user who's following them.
Apple, for whatever reason, seems to set the "hide this" option for every tweet they post and promote. Why? Beats me.
I’m honestly surprised this isn’t common already in the crypto space and kinda wonder if I’m missing something
Plus, reading your example in a different comment, it's completely jarring to someone who isn't used to reading things in that format.
- Barack Obama
https://news.ycombinator.com/item?id=23851275&p=2
https://news.ycombinator.com/item?id=23851275&p=3
https://news.ycombinator.com/item?id=23851275&p=4
Edit: also, there's a related thread tracking the BTC transactions here: https://news.ycombinator.com/item?id=23851542.
In general, look for More links at the bottom of big threads. This is a performance workaround that we're hoping to drop before long, but in the meantime there's a limit of 250 or so comments per page.
- a test of a new hacking system
- a demonstration to a big client
- a first shot to threaten some entity
- a diversion while they get the real loot
And that the BTC messages are just a way to justify it so it looks like a simple scam.
Such a hack is worth way, WAY more than the few BTC it could bring.
Attack vector: SIM swapping. It was too easy. As soon as he got into one account, he got access to its contacts and more phone numbers.
The attacker (0rbit) was a 20-year-old student living at his parents' home. He bragged about his hack to an online friend. This friend knew that 0rbit had been raided by the police years earlier. He betrayed him to the investigators, and with the exact date of the raid they were able to look up the old case and reveal his identity.
Previously on HN: https://news.ycombinator.com/item?id=18823286
Especially if the hacker is not from the US, it seems much easier to do the bitcoin hack than try to contact a company thousands of miles away that you know no one at.
Dude couldn't exploit it for much, despite being able to takeover/access any account, and everything was in the cloud.
Hanlon's Razor BOIIII
This looks more like data injection somewhere. Perhaps an old API exploit. You used to be able to send an SMS to tweet, for example.
(Went to wikipedia, but their suggestions like Death Metal and Dance marathon are probably not it ;) https://en.wikipedia.org/wiki/DM )
If they wanted to exfiltrate data, they already did that previously.
They very loudly burned their access, this seems a lot more like someone trying to monetize their access quickly before their access token expires - squeezing out the last few drops before they can no longer get into the system.
The number of unconfirmed transactions has catapulted from ~9k to about ~50k right now, which means there's a large amount of activity.
It will take a while for the dust to settle.
You can watch them here https://www.blockchain.com/btc/unconfirmed-transactions
chart https://www.blockchain.com/charts/mempool-count
A better graph of the current transactions sitting unconfirmed: https://jochen-hoenicke.de/queue/#0,24h
Note: I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and the hack was still ongoing at the time of writing this.
So basically randos are sending famous people bitcoin because the famous people tweeted "send us $$ and we'll send you double back"?
And somehow the randos haven't heard of the hack. Is this what's happening? Like, are random people seriously sending them bitcoin? Or is it some weird form of money laundering?
Although since that's very weird behavior even if there was no hack, I suppose I'm not too surprised that those people sending the coin haven't heard of the hack.
Also number of transactions is in no way related to amount of money being transferred.
1) https://twitter.com/TwitterDev/status/1283068902331817990?s=...
There are so many ways to make money that even a dumb person could find something better than posting crypto ads without compromising on opsec.
So they are probably on at least their second attack vector by now.
I mean, who knows, based on the massive number of imposter YouTube stream BTC giveaway scams, this might be a whole sub-industry in India by now. Similar to fake virus scams etc.
OR
Twitter's stock was down by some major percentage because of this incident. It could be a way to earn bigger and "legal" money by having prior knowledge about this incident.
If it's a third-party API key with special privileges that they hacked, the potential harm is limited.
If they have access to the full system, they could be sending millions of ghost messages to some part of the population right now to get them to do something while we all watch the BTC show:
- scam them
- get them infected to gather a massive bot net
- make them very angry and start some kind of civil unrest in a specific part of the world
- cover a currently happening terrible event somewhere so that we don't learn about it too soon because twitter is the faster medium for that
At this point I realize how critical twitter has become to shaping the way we view the world, and govs should worry a lot that this can be happening and act on it quickly.
Twitter's only value to the world is the idea that it is a platform where "celebs" can safely broadcast their message to the public. That value proposition has now been destroyed.
It's either incompetence or your fourth option.
Why weren't these tweets deleted immediately and a note pinned to every user's feed?
[0] https://techcrunch.com/2020/07/15/twitter-stock-slides-after...
Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
https://twitter.com/TwitterDev/status/1283068902331817990
> 2 days to go… #TwitterAPI
https://twitter.com/TwitterDev/status/1283433096780677122
> Thank you to all of you who have engaged with us and shared your feedback. Your input has been vital, and we’re committed to continuing these conversations with you. There’s so much more we’re doing to build a better #TwitterAPI… and Early Access is coming tomorrow!
Were they supposed to launch some new API tomorrow which got hacked?
You send $1,000, I send back $2,000! Only doing this for the next 30 minutes."
As of now, 121 people have sent cash totalling more than 2.5 BTC.
Edit: Just seen @BillGates compromised as well, same bitcoin account.
Edit 2: Elon's tweet seems to be getting removed, and then reposted again shortly after. About $40k sent so far.
Edit 3: Interesting to watch - on both accounts, tweets seem to be deleted and then reappear as pinned a few mins later.
(Yes, yes, staged rollouts. But anti-abuse systems don't work by those rules, at least in emergencies.)
This means twitter had omni backend tooling that has manual/programmatic admin-level access to the production database.
This is a very bad idea, access to production tables should be through a controlled medium and always challenged.
At the bottom of the page, a notification appears: This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later.
[1] https://twitter.com/TwitterSupport/status/128352640014683751...
Direct Messaging is still functional as of 523PM PDT.
[1] https://twitter.com/TwitterSupport/status/128356244619659673...
At that point, we were forced by our contracts, and data protection laws, and a CEO aware of all of these, to shut the affected productive system down. We stopped all services, set the firewalls of our hoster to only accept traffic from our office and that's it, while figuring out wtf happened. Those measures overall reduce the situation to a known situation again. If someone in our office is hostile.. that's another issue.
After a bit of analysis, we figured out the IPs attacking us and we blacklisted those on the firewall of the other production systems. Eventually things cleared up to be a pentest no one told us about.
If the attack had moved into these other systems, we'd have to extend the nuclear solution to those systems too. At that point, we'd have to lockout some 30k+ FTE users. I think we'd be able to make national news with that for our customers. Except.. not good news.
Someone has found a way to post a tweet from any account they like?
These tweets are showing up as being posted from the Twitter web interface.
Now I'm wondering how much BTC the attacker effectively left on the table by reusing the same wallet address, especially considering that lots of people who deal in crypto use just a handful of exchanges to send it.
EDIT: You know this is a coordinated Twitter hack when they have Apple's account hacked [0]. https://twitter.com/Apple/status/1283506278707408900
Seems to be a social-engineering attack on Twitter staff.
Even then, how tech illiterate is this employee with such high permissions to fall for a social engineering attack? I would like to know what this employee's role was in the company.
Also who did the social engineering?
But even then, that there is no system to detect mass modifications and no delay before the changes take place is incredible. Unless they were able to social engineer their way into multiple employees' accounts to avoid detection, which would be an incredibly bad problem by itself.
Twitter seems to have a shaky history when it comes to limiting employee access to account info.
Unless, perhaps, they can't.
I feel like a bug report might make more sense in that case though...
Edit: They have just enabled posting again.
Edit Edit: Or maybe not.
From what we know right now, targeted accounts had their emails and 2FA reset via an admin tool. These attacks were noisy, so the window of opportunity for the attacker was small. The attack was launched after hours, likely to limit the chance that the compromised Twitter employee would be around. So market manipulation wasn’t really a great option.
This was basically a “smash and grab” style attack, which makes sense given the noisy nature of the access. I wouldn’t be surprised if Twitter’s admin tool purposely doesn’t allow employees to silently access accounts.
Added "filter:verified" to query
Edit: Add @JoeBiden to the list.
Twitter needed to be taken down a couple of pegs. I think accounts of a high enough profile may want to closely examine the ActivityPub ecosystem.
But they lost so much trust from the public that now we turn to social media.
So unprofessional
I envision that the current centralized services could be getting into this business if they were to white-label their applications.
Imagine "Twitter, but for your own domain" in the way that G Suite is Gmail and Google Apps for your domain.
Or we are incredibly lucky and the exploit was found by people with really bad foresight and imagination.
There are so many smarter moves that probably could have been made though. The upside of this one is that we'll keep speculating for a good while (maybe forever) if it wasn't just a stupid crypto scam attempt after all.
Mentions:
- Bitcoin
- Coinbase
- BINANCE
- CZ_Binance
- Gemini
- Kucoin
- Gate .io
- Coindesk
- Tron
- Justin Sun
- Charlee Lee
1) shut down api endpoints
2) locked down all verified accounts
3) blocked any tweets with the btc address in them
4) make a statement if they really can't stop it?
It's that one. They were after the DMs of one target, and needed cover for who they were specifically after, so they hit many accounts.
Okay, this has me curious. Could someone describe the context/circumstance where you have a 'big client' to whom you illustrate capabilities by this kind of hack? This is a black market thing, right?
I don't doubt it, I'm just curious what this market is, and what it means to be a 'big client' in it, etc.
What value would you place on this?
The proof will go along with another method of hacking the account that is not disclosed.
Very little damage done that isn’t obviously corrected/correctable short term. In other words, who cares?
I’d pay tree fiddy for this exploit. On the other hand, this person seems to be making BANK getting 13 BTC as of now.
I mean, to take over your account I just have to grab an old motorola phone and let an imsi catcher software run on it.
I hope that twitter learned that 2FA via SMS should be treated as what it is: totally unnecessary.
So far, the address has received the equivalent of over 50,000 USD.
Literally, at least 3 of the top 10 richest people in the world got hit. All of whom probably really don't like each other to begin with...
lol tons of ppl have been scammed. If by 'little' you mean hundreds of k. In some Eastern European country that can last a lifetime.
Hijacked the authentication cookies and injected them into the app, which skips validation for performance. Likely nobody got access to the accounts themselves; it just allowed them to tweet some jokes.
If I sold a 7500 sqft home in San Francisco for $200,000 you could say the same thing.
How about market manipulation via other tweets that subtly affect trading bots reading Twitter?
Twitter as a riderless horse would be wild.
Setting the precedent that transactions can be reversed will do more harm to the crypto ecosystem than $100k being taken from gullible users.
Edit: they tweeted from the twitter support account. Just wow. They might have actually gotten into Twitter’s systems.
Edit 2: To expand on my edit above, I saw multiple tweets from other accounts that showed a screenshot of the scam tweet originating from the twitter support account. I’m not sure if it’s real or not, since they keep deleting the tweets. If it is real that would definitely open doors to more theories.
Edit 3: Seems like the twitter support account was a joke. Impossible to tell with everything going on!
We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.
Are you implying that this was tweeted by the attackers? or something else?
Especially after the last insider account tampering event.
It could be SQL injection writing tweets directly to the database for all we know.
I agree with everyone else saying the site should be pulled. Incredibly sketchy.
From - https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...
> Only doing this for the next 30 minutes! Enjoy.
No, it's the hackers' doing, they need to keep timestamps updated
Imagine that. At that point it would be more secure to self-host the code off of GitHub to push that critical fix Twitter sorely needs right now.
It's still ongoing as we type.
I sincerely doubt Twitter depends on github.com. Github's enterprise version runs on your own infra, self-managed, and if Twitter uses GH at all, that'd be the version they use.
Also begs the question, who is liable in such cases....
The hackers could be deep in Twitter's systems, eventually even have someone working at Twitter, or it's a result of a new, yet unknown password list or phishing attempt.
Means they had someone inside Twitter.
Elon Musk, Barack Obama and Wiz Khalifa just tweeted the scam again this very minute, more than an hour since it started. This is backend access, Twitter can't figure out how to shut it down.
Is Twitter really using GitHub internally (even self-hosted)?
I don't see any deprecations happening which could result in today's hack. Though I could be wrong.
DMs are almost worthless; who uses DMs for anything important? It's for contacting people you kinda know but not really. State secrets aren't transmitted over DM, but not because people wouldn't be stupid enough to do it. The people holding them are much older than the demographic that uses Twitter DMs. Worst case with DMs is some new YouTuber drama would be exposed.
Edit: looks like an admin panel was the culprit https://news.ycombinator.com/item?id=23853786
Tweeting on behalf of another user seems like an unnecessary feature to give admins.
That could have netted the attackers millions.
You will blend in perfectly because you have an alibi for why you are buying so many TSLA calls.
And when you buy an OTM put, it’s hard to predict what a good price would be exactly. How far do you think the stock would drop? With a call you could be fairly more confident it will return to a previous level.
That said, this kind of attack requires you to have a good amount of capital on hand, so you need to be a fairly independently wealthy hacker.
Golden rule is you don't steal money from rich people, only poors.
This "scam", while crude, will probably not result in any loss and it would be much harder to catch them
What is going on that Twitter didn't get them locked ASAP?
Also all of Apple's tweets deleted, and now posting the bitcoin thing as well: https://twitter.com/Apple/status/1283506278707408900
I don't think Twitter itself knows yet.
Fool and his money are soon parted.
I doubt someone could individually hack all these accounts.
It's more like 1.3BTC by looking up the address on their website.
https://bitref.com/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wl...
Edit: I stand corrected. Holy crap!
Elon Musk @elonmusk·38s
I am giving back to my community due to Covid-19!
All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
Only doing this for the next 30 minutes! Enjoy.
EDIT: Someone already did:
https://bitref.com/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wl...
Bezos “was maxing out at 50MM”!!
(Also POTUS is not authorized to declare any wars btw.)
See here:
https://twitter.com/asculthorpe/status/1283531636450230274
@TheRegister (verified) just RT'd for help.
https://www.google.com/amp/s/www.washingtonpost.com/news/wor...
Following that thought, it is entirely possible the whole point of the hack is to discredit Twitter and the bitcoin bit is just smoke.
It should become very apparent how this is done through the correct levels of logging. Unless of course twitter backend firefighting team consists of hasty tooling that writes directly to production table with no oversight (which also sounds like a possibility)..
(He said, taunting the hackers.)
It sure seems like multi-factor auth isn't very helpful, when nearly all hacks have nothing to do with breaking credentials.
This was exactly what 2FA was supposed to prevent, and if this is to be believed then because of Twitter's implementation it was all worth peanuts in the end.
There are just too many eyes on Twitter for their administration to let this happen. Twitter has grown into too big and too valuable of a target at this point, and the moment this happens you can't prevent dumb people from falling for it thirty seconds after it gets posted and starts showing up in their feed.
Then why was it even possible to do this from the inside? What employee access controls did they have on administrative accounts?
I'm thinking they're going to need to dig an underground bunker and have everyone be in the presence of at least three other certified minders when a group of two dozen people at a tech startup are the last bastion of hope in preventing the disruption of global communications.
As far as we can tell right now, Obama and Biden could've posted about a complete coup to assassinate Trump and that every middle eastern country already has nukes on their way...
If they couldn't (or didn't want to) do it then I very much doubt they can do it now.
It's not uncommon for hackers to have these weird imbalances in skill and understanding.
and from the article: "Officers found 30,000 SIM cards, 240 iPhones, 150 MI phones, 2 laptops, 2 and other electrical appliances. The gadgets were plugged into a system."
[1]: https://nairobinews.nation.co.ke/wp-content/uploads/2018/08/...
[2]: https://nairobinews.nation.co.ke/news/detectives-smash-illeg...
It doesn't add up 900, only to 390.. but still.. if these guys would focus their ingenuity in something positive, they could have accomplished so much more in life.
Unlikely since the tweets appeared from "Twitter Web App"
[edit: not sure why this is getting so much silent attention. It is a literal translation of the tweet referenced in OP.]
https://developer.twitter.com/en/docs/labs/overview/whats-ne...
I don't see any deprecations from today/tomorrow which would be related to what happened.
To be fair though, this was not for a social network, and even if you broke into that account there wasn't much you could do beyond paying the user's bills.
Ah, here's a writeup!
You can prove you have 'blackmail materials' just by proving you own the bitcoin wallet.
Unless we hear from account holders that their credentials weren't stolen, there's no reason to believe that only those were hacked that sent tweets.
Of course you're right that we don't know is if this is political, or just a distraction from whatever their real goal is / was. But the optics are clear here, and there is no reason to muddy the waters.
The resources needed to do this. Compromising and paying Twitter staff, the practical, technical know-how (and its cost), and that no real attempt to profit from this has been made?
I don't think that sounds like a financially motivated crime at all. As a crime it has more in common with the proverbial 'horse head on the bed', than a sophisticated heist. I think this was done to shake confidence in the perceived invincibility of Silicon Valley and FANG like companies particularly.
But then any number of well resourced 'political' actors would love to send that message to the large tech companies...
100k USD = 4.2 billion rial or 2.3 billion dong
- Bitcoin is used for scams
- Bitcoin hacks
- Bitcoin used for illegal activity
All the meanwhile, more people become aware and interested.
These sort of events prime the "nocoiners" to read and understand that little bit more.
1) You submit a transaction to the mempool. It may take a couple of minutes for a miner that "liked" your transaction to include it in a block. While in this stage, the receiver technically does not have anything yet, thus it is impossible to use the coins in any way.
2) The transaction gets put inside a block. Generally, most vendors would say the transaction is "unconfirmed", although technically it is now in the ledger. There is a small chance that due to inconsistencies and network latency the block gets orphaned and the replacing block does not include the transaction. If you are a vendor and start shipping products immediately after your money is put into the ledger, you open yourself to a range of possible attacks. For this reason most wait two or three more blocks, just to be sure.
To answer your question: After a block gets created and the scammer receives his crypto, albeit still in an unconfirmed (read as "young") block, they can start using it however they decide to. Small chance that their actions get reverted exists tho.
Unconfirmed transactions cannot be withdrawn. Transaction that already is in at least one block is confirmed by definition - the act of being included in a block results in a confirmation.
Unconfirmed transactions can be "cancelled" by double spending the coins in the unconfirmed transaction.
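An added example, not from any commenter, that models the two stages described in the thread (mempool, then block inclusion) and the reorg case that makes vendors wait for several confirmations. It is a deliberately small simulation: no proof of work, no signatures, only a block tree with the longest-chain rule and a first-seen mempool. All transaction and block identifiers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[str, ...]   # outpoints this tx spends, e.g. "coin:0" (constructed ids)


@dataclass
class Block:
    ident: str
    parent: Optional[str]
    height: int
    txs: Tuple[Tx, ...]


class NodeView:
    """One node's view of the network: a block tree with the longest-chain rule and a
    first-seen mempool. Validation and proof of work are omitted; only ordering matters."""

    def __init__(self) -> None:
        self.blocks: Dict[str, Block] = {"genesis": Block("genesis", None, 0, ())}
        self.tip = "genesis"
        self.seen: Dict[str, Tx] = {}

    def best_chain(self) -> List[Block]:
        chain, cur = [], self.tip
        while cur is not None:
            chain.append(self.blocks[cur])
            cur = self.blocks[cur].parent
        return chain[::-1]

    def _chain_txs(self) -> List[Tx]:
        return [t for b in self.best_chain() for t in b.txs]

    def mempool(self) -> Dict[str, Tx]:
        """Seen txs that are neither in the best chain nor in conflict with it."""
        confirmed = {t.txid for t in self._chain_txs()}
        spent = {op for t in self._chain_txs() for op in t.inputs}
        return {k: t for k, t in self.seen.items()
                if k not in confirmed and not any(op in spent for op in t.inputs)}

    def submit(self, tx: Tx) -> bool:
        """Stage 1: relay into the mempool. This node rejects a second spend of an outpoint
        it already holds, but a miner elsewhere may still prefer the other spend."""
        pool_spent = {op for t in self.mempool().values() for op in t.inputs}
        if any(op in pool_spent for op in tx.inputs):
            return False
        self.seen[tx.txid] = tx
        return True

    def mine(self, ident: str, parent: str, txs: List[Tx]) -> None:
        """Stage 2: a miner publishes a block. The longest chain wins; an equal-height
        competitor does not displace the current tip."""
        p = self.blocks[parent]
        self.blocks[ident] = Block(ident, parent, p.height + 1, tuple(txs))
        for t in txs:
            self.seen.setdefault(t.txid, t)
        if p.height + 1 > self.blocks[self.tip].height:
            self.tip = ident

    def confirmations(self, txid: str) -> int:
        """0 means not in the best chain: still unconfirmed, orphaned, or double-spent."""
        tip_h = self.blocks[self.tip].height
        for b in self.best_chain():
            if any(t.txid == txid for t in b.txs):
                return tip_h - b.height + 1
        return 0


def vendor_scenario(required_depth: int = 3) -> dict:
    """Replays the failure mode: a payment with one confirmation is reorganised away."""
    node = NodeView()
    pay = Tx("pay-vendor", ("coin:0",))
    steal = Tx("pay-self", ("coin:0",))           # conflicting spend of the same output
    out = {"relayed": node.submit(pay), "double_spend_relayed": node.submit(steal)}
    out["in_mempool"] = node.confirmations("pay-vendor")
    node.mine("a1", "genesis", [pay])             # a miner includes the payment
    out["after_a1"] = node.confirmations("pay-vendor")
    node.mine("b1", "genesis", [steal])           # a competing miner includes the other spend
    out["after_b1"] = node.confirmations("pay-vendor")   # same height: tip unchanged
    node.mine("b2", "b1", [])                     # the competing branch becomes longer
    out["after_b2"] = node.confirmations("pay-vendor")
    out["steal_after_b2"] = node.confirmations("pay-self")
    out["vendor_should_have_shipped"] = out["after_a1"] >= required_depth
    return out


if __name__ == "__main__":
    print(vendor_scenario())
```

The `required_depth` check is the vendor-side rule the comment describes: a transaction that is "in a block" has one confirmation, and the scenario shows that number dropping back to zero when a competing branch overtakes it, which is why waiting for a few more blocks is the usual policy.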
I don't seriously suggest this is what happened though. I don't have any information about this. Glad I never did send or receive Twitter DMs though.
Same as when a journalist in the UK got a temp job in BT's office in Edinburgh and looked up the Queen's unlisted phone numbers at Balmoral - led to a major security incident and massive changes.
This was a v high profile project we had two board members as sponsors.
Later on I knew that some team leaders had to be Vetted and this is Developed Vetting - this is the same as TS clearance
I could see this happening in FANG companies too
Imagine if every verified account related to finance started tweeting “cash out your accounts NOW.”
You could easily, easily cause some pretty massive panic.
Besides public state and company size, Twitter is also new media. And all media is information warfare. (Hmm, that sounds a bit strong, especially considering the toxicity that is the platform itself; I mean the term generically speaking.)
Most of the adults are asleep and there are any number of things you could write to trigger some sort of shitstorm from POTUS.
Having said this attack was not the best way to monetize this 0 day either, it looks like something else is happening behind the scenes we won't know about, which is paying out the kind of money this attack should have been worth.
$7k vs $100k, you choose.
Sure, you could short stocks and then make "Aaah, Tesla is going bankrupt!" tweets... But without an army of lawyers and accountants and money to pay them, it's hard to anonymously short stocks.
You could bribe people with publishing DM's - but again that's pretty high risk. And how do we know that hasn't already happened?
What else is there?
With Bitcoin, sure nobody knows who owns this account, but the blockchain will store every transaction this account and future accounts make, so trying to actually use the Bitcoin is a fair amount harder.
This was elevated in ridiculousness, because said manager was backpedaling really, really hard after we contacted the pen-testing company as well as the customer's senior management. However, all attempts at re-instating the system were swiftly blocked by the customer's security policies and security teams. So, the system stayed down for a solid amount of time.
After all, the customer insisted on us participating in their security workflows for that system under their security team's control. And from their company's point of view, this was an external hostile attack -- since the manager didn't tell anyone.
Moving coins between wallets is simple, it would not be possible to simply block an address to prevent cashing out.
Tweeting is actually effectively reducing the available bandwidth of communication, and quality of content.
Like in my case, there's the local village council made of 5 members, there's the town council the village is part of, the county has its own board/council, and then there's the state house and state senate and then there's the US house and US senate, and finally the president.
It's an unending game of cat and mouse. IMO Twitter's efforts at this point are much better spent on finding out how the hack occurred and cutting it off at the source.
Or maybe everyone at home?
Also, unless they have the identity of the hackers, it wouldn't be that hard to make millions without sending any red flag. Tesla has an insanely high option volume, you could get into highly traded positions a few weeks/days before and cash out easily. Unless you really, really make dumb moves it's pretty safe. Much safer than cashing out on a BTC haul.
"...from the accounts of Gemini, Binance, KuCoin, Coinbase, Litecoin's Charlie Lee, Tron's Justin Sun, Bitcoin, Bitfinex, Ripple, Cash App, Elon Musk, Uber, Apple, Kanye West, Jeff Bezos, Michael Bloomberg, Warren Buffett, Barack Obama and CoinDesk."
I bet the reason Trump didn't get hacked was because he is special-cased in the Twitter system to avoid insider vandalism which protected his account from this insider attack.
[1]https://www.independent.co.uk/news/world/americas/twitter-em...
...I really hope Musk is keeping his account secure.
To posit that it was an npm vulnerability in the frontend that caused this hack implies that anyone can just curl their way into someone else's account.
Google does nothing despite thousands of people reporting it.
It's bizarre how they ban completely innocuous stuff and allow the blatant scams to continue despite it being drawn to their attention through reports and Twitter constantly?
https://twitter.com/BillGates/status/1283503731682811907
(Now gone @ 3:32p Pacific)
Hell, even just hacking Trump to do it would probably trigger a federal investigation. I doubt this current situation will.
I'm not so sure about that. Sure, it didn't impact THE account or crash the stock of an unaffiliated company, but that proverbial bullet flew close and I bet that quite a few powerful people felt the wind. The "harmless" nature might spare the hackers a bit, but it definitely won't spare Twitter.
Maybe I just didn't want to worry about it seeing as Twitter provides me with some sort of value and did end up overestimating their level of preparedness and such.
I guess continuing to use Twitter anyways means being exposed to that risk at some point down the line.
There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this. Any time you use it, you're likely to lose it, so its value is pretty precarious. How much can you really accomplish in a few hours?
People get hacked so often on twitter that there's already substantial doubt ("did they get hacked?") whenever somebody tweets something odd, so I really doubt you could accomplish some diabolical geopolitical aim that some seem to expect.
And as if it's so straightforward to find a terrorist billionaire that's willing to pay top dollar to use it to start a war or something to that end.
People have made far more from things Elon has tweeted. Now billions is ridiculous, but you could have made millions via market manipulation. Not to mention the amount of damage had he done a targeted exploit - there would be a ton of speculation as to whether Elon/Trump/Gates was "really" hacked or if it was just a cover.
The Prime Minister of Israel was hacked. What if he'd announced "Dear holy men of our faith, now is the time to immediately strike the black devil threatening our very way of life within the U.S."
Or Barack Obama and Joe Biden's account saying "The jews have finally taken over the White House. Donald Trump has been confirmed to be a planted Russian agent. Act now in the streets before it's too late"
Obviously, those aren't worded very well because I'm tired as shit. But how can you not imagine the implications that could be had? It's not that hard...
I don't think any state actor or 'player' of significance would be stupid enough to do something terrible based on a tweet. It's much more likely that these actors would consider the account hacked and at the very least do a bit of googling to find out.
And when it comes to specifically the kind of message that you use as an example, it's not like they wouldn't wait to see how it unfolds (Twitter saying their accounts were hacked. message void) and see because immediate action wouldn't be necessary.
Hypothetically, I can see some danger if a nuclear power would respond to a tweet saying "we're launching nukes" by launching a pre-emptive strike. But that's fully in the realm of fantasies hysterics have.
If I read that from Obama and Biden I'd immediately smirk and think "They've been hacked!" I mean there would need to be a sit-down interview on CNN before I'd believe that.
Israel... same. They're a sophisticated nation state with Harvard Ph.D.'s helping to lead their foreign policy, and messaging. If they go from diplomacy to sounding like jihadists in 15 minutes, that's a hack.
Anytime the volume or aggression level goes from like 10 to 1,000,000, it's probably a hack.
Given that context, I think tweeting out a BTC address for a giveaway is something that's halfway plausible, as opposed to totally unbelievable.
Maybe we'll get a leetcode question out of it, how much should you risk your career for after taking a job at a FAANG?
Given that most FANGers are obsessed with cash, I'm pretty sure they'd say "yes" to risking their career for some sweet BTC.
Do you mean that they prefer using managed services? Or do you mean that the services managed by their internal IT utilize AWS/etc for servers as opposed to on premises.
Like you are able to launch Adobe Photoshop because Okta says so. :)
Are there better options?
Unless you're Obama or Trump.
https://www.washingtonpost.com/world/iran-strike-live-update...
> President Trump has bestowed additional authority on the Pentagon in his first months in office, which the military has argued will help it defeat the Islamic State more speedily. Mr. Trump did not say whether he had personally approved Thursday’s mission.
> “What I do is I authorize my military,” Mr. Trump said after a meeting with emergency workers at the White House. He called the bombing “another very, very successful mission.”
I think we can imagine being more anti-war than Trump.
Do you remember Jimmy Carter? Being anti-war means deescalation, diplomacy and solving problems without violence.
They must have been having an extreme adrenaline rush during this which clouded them from having a more sinister plan.
In my understanding once you remove all the layers of abstraction at some point it's a bunch of databases and data stores. Someone has to manage them. Why wouldn't a breach of those users be able to do whatever they want?
And at a higher level, someone is writing the code to implement such a stringent access system. Why wouldn't a breach of those users (or a rogue employee) be able to accomplish bad things?
We all know access controls and multiple operators are good, yeah. But at the heart of it is still a bunch of Linux machines that have to be managed and deployed to. Which as far as I know has no mechanism for checking with operator x before running a command from operator 0.
Presumably this database runs on some machine? And this machine was logged into in order to install and setup the database?
That would be good from a security perspective, but it would cost additional training, require more support staff, increase response time between request and resolve, make the system more complex and possible fragile, and take development resources away from profit centers.
Most companies have likely, at best, the same security at their internal support center as their accounting department, and given how common CEO fraud is, it means social engineering will likely continue to be a major attack vector for a long time.
Edit: There we go. https://twitter.com/JacKnutson/status/1283527213606789121
What's so horrible about a few more?
The measures needed to prevent social engineering go directly against the social oil that improves cooperation between employees and departments. Verification slows down operations, requires additional work on top of what is likely an already stressed work environment, and requires training. The more a company feels safe, and the more time has passed since the last attack, the more people will lower their guard. People also tend to focus on past attacks, so while they might have been suspicious of a request to transfer money (the current most common social engineering attack), someone asking for "restoring access" might simply be seen as an innocent and common internal support request without triggering a request for identification.
I would expect that twitter will change their policy and training in order to address this, and in 10 years it will be removed in order to save time and improve response speed between departments, and churn rate will have replaced anyone with memory and training of this event. Then a new attack occurs, maybe with a slightly different target, and we repeat the cycle.
Unless they're saying that there's certain people who have raw DB access...
It’s commonly done for customer service purposes at many companies and is heavily audit trailed and access controlled (if the company is doing it right).
After this they became paranoid of the bug being fixed within hours and tried to monetise it in the quickest, easiest and safest way possible.
https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...
If Twitter uses the same 2FA internally as they do for customers it'd be pretty easy to take over a support account if you know of the location of an employee.
Working from home of course always leaves open the question if a person was willingly participating in a crime or was forced at gunpoint.
However, in this case, looks like Twitter's internal tools simply give too much access to people to control access to Twitter accounts. Probably no gunpoint required, just a single compromised employee. It remains to be seen how willingly they have participated.
And approved partners can use the corresponding API to post this way.
I say it can't be relied upon when an active & involved hack is underway.
You provide nothing of value. What do you think this entire thread is, but for idle speculation?
I would say “taken” is fair; but “stolen” isn’t exactly right.
Plus there is no way it will be that much.
Stock markets or fiat currencies on the other hand require quite a bit of work upfront to set up an account before you can trade.
Well in this case people intended their money to go one place, but they got tricked and it ended up in another. I'd call that stealing.
Whether it got technically stolen from the charity or whatever they meant it to go to or from the original owner, that's debatable.
This was replaced by modern Fraud crimes this century. The new crimes reduce what prosecutors need to show somewhat. With "Theft by deception" there can be a problem if the prosecutor struggles to show that the defendant actually permanently deprived the victim of something of value, especially if the victim realised there was a problem in time to use some sort of "claw back" mechanism. With Fraud the prosecutor can show that the defendant intended to gain even if ultimately that didn't work, so long as the deception actually happened the crime was not merely attempted.
All these Tweets are Fraud by False Representation under that replacement law, because the tweet deliberately pretends to be from somebody (e.g. Apple or Bill Gates) when it's actually from the perpetrator of the crime and it's clear that they intended to gain from getting Bitcoin sent to this account even if a prosecutor can't prove how much they actually made.
That's all that's happening here, except in units of BTC and not USD...
Encrypted rows of data are meaningless to an "admin" that can query to its heart's content but will never be able to decrypt the result set. On the other hand, the layers on top (such as the web-tier that emits the plaintext) may have the keys to decrypt, but lack the privs to run around in the database; from that level, they must pass along the user's credentials to obtain user specific content.
Since people don't search by content on Twitter (afaik) and only 'meta-data' indexes are used (such as hash-tags, follower, following, date) this is entirely doable for something like Twitter.
There is also 'Homomorphic Encryption', but I'm not sure the tech there has reached acceptable performance levels.
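An added example, not from any commenter, of the tiering the comment describes: the database holds plaintext metadata (hashtags, user, day) that an administrator can query freely, while message bodies are stored under a per-user key that only the application tier can derive. Assumptions: the application tier holds a master key (in practice it would sit in a KMS or HSM), the per-user key is derived from it with HKDF keyed by the authenticated user id, and the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only to keep the example standard-library; a production system would use AES-GCM or similar. All keys, messages and rows are constructed.

```python
import hashlib
import hmac
import os
from datetime import date


def hkdf_expand(key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256; one block suffices for 32-byte keys."""
    return hmac.new(key, info + b"\x01", hashlib.sha256).digest()[:length]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC as a PRF in counter mode; each 32-byte block is HMAC(key, nonce || counter)
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def encrypt(key: bytes, plaintext: bytes):
    enc_k, mac_k = hkdf_expand(key, b"enc"), hkdf_expand(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_k, nonce, len(plaintext))))
    tag = hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce, ct, tag


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    enc_k, mac_k = hkdf_expand(key, b"enc"), hkdf_expand(key, b"mac")
    expected = hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_k, nonce, len(ct))))


class Database:
    """The DBA/'admin' view: rows with plaintext metadata and opaque bodies, no keys."""

    def __init__(self) -> None:
        self.rows = []

    def insert(self, row: dict) -> None:
        self.rows.append(row)

    def query(self, hashtag: str = None, day: date = None):
        return [r for r in self.rows
                if (hashtag is None or hashtag in r["tags"])
                and (day is None or r["day"] == day)]


class AppTier:
    """Holds the master key and derives per-user keys; the database never sees them."""

    def __init__(self, db: Database, master_key: bytes) -> None:
        self.db, self.master = db, master_key

    def _user_key(self, user_id: str) -> bytes:
        # keyed by the authenticated user id (assumption: the caller has already authenticated)
        return hkdf_expand(self.master, b"user:" + user_id.encode())

    def store_dm(self, user_id: str, text: str, tags, day: date) -> None:
        nonce, ct, tag = encrypt(self._user_key(user_id), text.encode())
        self.db.insert(dict(user=user_id, day=day, tags=tuple(tags), nonce=nonce, body=ct, tag=tag))

    def read_dms(self, user_id: str):
        return [decrypt(self._user_key(user_id), r["nonce"], r["body"], r["tag"]).decode()
                for r in self.db.query() if r["user"] == user_id]


def demo() -> dict:
    db = Database()
    app = AppTier(db, os.urandom(32))                       # constructed master key
    app.store_dm("alice", "meet me at the #launch party", ["launch"], date(2020, 7, 15))
    app.store_dm("bob", "lunch?", [], date(2020, 7, 15))
    admin_rows = db.query(hashtag="launch")                 # metadata search still works
    admin_sees_plaintext = any(b"launch party" in r["body"] for r in admin_rows)
    alice = app.read_dms("alice")
    # an admin flipping a byte in a stored body is caught by the MAC, not silently decrypted
    body = db.rows[0]["body"]
    db.rows[0]["body"] = bytes([body[0] ^ 1]) + body[1:]
    try:
        app.read_dms("alice")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return dict(admin_hits=len(admin_rows), admin_sees_plaintext=admin_sees_plaintext,
                alice=alice, tamper_detected=tamper_detected)


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a database credential alone yields ciphertext plus metadata, and an application credential alone yields nothing without a database row to decrypt; compromising either tier on its own does not expose message bodies.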
In the future the scope may grow to include visual and audio communications which could be faked using AI.
The FBI and other law enforcement is getting pretty good at tracking illicit Bitcoin transactions and money laundering [1].
If these guys are professionals, they’re using mixing services to cover their tracks. Guess we’ll find out if they made any mistakes along the way.
[1] “Blueleaks: How the FBI tracks Bitcoin laundering on the dark web”—https://decrypt.co/34740/blueleaks-how-the-fbi-tracks-bitcoi...
That's my theory on why they (presumably) didn't touch the stock market or the POTUS account - even if they're found, they really can only be charged with a modest damage sum and some vague hacking accusations; nothing that warrants a global manhunt.
If they've traded into that currency somewhere, how does one know where that money pops back up - on however many exchanges, under however many identities, in however many amounts, over whatever period of time they drip it back in?
I'm reminded of a paper I read a while back about deanonymizing VPN traffic if you have sufficient observability of nodes in the overall network and something else I can't remember at the moment.
Seems different though. The time they could take to drip money back in to the visible network (for conversion to fiat or appreciation in a "visible" coin) feels like a factor.
edit - heh, just now seeing the article you posted about the FBI's team explicitly mentions a case like this with Monero.
If nothing else, it's a good way to prove capability. Want to prove your prior deeds and that you're the one that pulled off that twitter hack? Have someone provide you an address and transfer out of that wallet, and now you've got proof of control of the funds, which works pretty well as a way of verifying you are the individual/group that pulled this off if someone asks. In that way, it's a good advertising.
A huge impact just to steal (relative) peanuts.
Someone (or someones) had to configure a message for each victim, they had to write the script to send all the tweets simultaneously, they probably had to test the script, they had to execute it. To me, that says they had enough time to think about what they were doing and weren't racing a very short expiration clock.
If I were at twitter I might try to investigate by looking for accounts that they might have used to test their script. If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts. You could further refine that by checking the messages sent, follower counts, etc. Maybe the hacker will leave behind clues on the script test account.
I think this would turn up a lot more results than you bargained for.
* 5+ accounts tweeting exactly the same message
* Not using the mobile app
* Fewer than 10 followers
* Fewer than 10 following
* Liked fewer than 10 tweets
* Retweeted fewer than 10 tweets
* Accounts created within 24 hours of each other
* Account creation metadata is similar
* Account less than 1 month old
You could probably come up with more criteria to help narrow the scope and play with the numbers. I would bet that you probably come up with hundreds to low thousands of accounts fitting those criteria at most. You could spend an hour scrolling through them looking for something suspicious - and I don't think it would take too long to put this kind of thing together if you had database access.
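An added example, not from either commenter, that turns the two comments above (same text from several accounts within a minute, then the per-account filters) into a script over a constructed dataset. The thresholds are the ones listed in the comment; the accounts, tweets, timestamps and the `signup_fp` field standing in for "account creation metadata" are all constructed. Real investigators would run this against a tweet store with database access, as the comment assumes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 7, 14, 2, 0, 0)       # constructed timeline
NOW = datetime(2020, 7, 15, 22, 0, 0)


def _acct(followers, following, likes, retweets, created_at, signup_fp):
    return dict(followers=followers, following=following, likes=likes,
                retweets=retweets, created_at=created_at, signup_fp=signup_fp)


ACCOUNTS, TWEETS = {}, []
# five throwaway accounts rehearsing a script from the web app, created hours apart
for i in range(5):
    ACCOUNTS[f"sock{i}"] = _acct(i, i + 1, 0, 0, datetime(2020, 7, 10, 2 * i), "fp-7a1")
    TWEETS.append(dict(user=f"sock{i}", text="test 123 giveaway",
                       ts=T0 + timedelta(seconds=8 * i), source="Twitter Web App"))
# a sixth rehearsal account posting from a phone (dropped by the 'not mobile' rule)
ACCOUNTS["sock_mobile"] = _acct(0, 1, 0, 0, datetime(2020, 7, 10, 12), "fp-7a1")
TWEETS.append(dict(user="sock_mobile", text="test 123 giveaway",
                   ts=T0 + timedelta(seconds=45), source="Twitter for iPhone"))
# a genuinely new user posting the same text ten minutes later (outside the window)
ACCOUNTS["newbie"] = _acct(2, 3, 1, 0, datetime(2020, 7, 13), "fp-0c9")
TWEETS.append(dict(user="newbie", text="test 123 giveaway",
                   ts=T0 + timedelta(minutes=10), source="Twitter Web App"))
# five established fans reacting at once: an ordinary burst of identical text
for i in range(5):
    ACCOUNTS[f"fan{i}"] = _acct(500 + i, 300, 4000, 900, datetime(2015, 3, 1), f"fp-{i}")
    TWEETS.append(dict(user=f"fan{i}", text="happy birthday!!!",
                       ts=T0 + timedelta(seconds=i), source="Twitter Web App"))


def same_text_bursts(tweets, window=timedelta(seconds=60), min_accounts=5):
    """Sets of >= min_accounts distinct accounts posting identical text inside one window."""
    by_text = defaultdict(list)
    for t in tweets:
        by_text[t["text"]].append(t)
    bursts = []
    for text, posts in by_text.items():
        posts.sort(key=lambda t: t["ts"])
        for i, first in enumerate(posts):
            users = {t["user"] for t in posts[i:] if t["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                bursts.append((text, users))
                break
    return bursts


def throwaway_profile(acct, sources, now):
    """Per-account filters from the list above: no mobile client, <10 of everything, <1 month old."""
    return (not any(s.startswith("Twitter for ") for s in sources)
            and acct["followers"] < 10 and acct["following"] < 10
            and acct["likes"] < 10 and acct["retweets"] < 10
            and now - acct["created_at"] < timedelta(days=30))


def find_test_accounts(tweets=TWEETS, accounts=ACCOUNTS, now=NOW):
    """Accounts in a same-text burst that look like throwaways and were created in a batch."""
    suspects = set()
    for _text, users in same_text_bursts(tweets):
        flagged = [u for u in users
                   if throwaway_profile(accounts[u],
                                        {t["source"] for t in tweets if t["user"] == u}, now)]
        # batch-creation signals: same signup metadata and created within 24h of another flagged account
        for u in flagged:
            for v in flagged:
                if (u != v and accounts[u]["signup_fp"] == accounts[v]["signup_fp"]
                        and abs(accounts[u]["created_at"] - accounts[v]["created_at"]) <= timedelta(hours=24)):
                    suspects.add(u)
                    break
    return sorted(suspects)


if __name__ == "__main__":
    print(find_test_accounts())
```

The burst detector alone returns the fan accounts as well, which is the "a lot more results than you bargained for" problem; the account-age, activity and batch-creation filters are what cut the list down to the rehearsal accounts. Thresholds are starting points to tune against the real distribution rather than fixed rules.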
Interestingly, by tweeting a bitcoin address, the hacker could authenticate themselves to 'potential buyers' by accurately describing future transfers of bitcoin from the tweeted address.
No need to do this, just sign a short piece of text with the private key.
These kinds of rewards are better than nothing I suppose, but it looks like a cheap trick to crowdsource blackbox pen testing.
Nothing in the world can protect you from poor hiring.
If the employees truly are corrupt then they would make more money selling the bug on the black market than to a legit bug bounty.
Again it should not be linked to value, i.e. not 100m, it should be linked to the effort it will take for a security researcher to find it.
Let's say it took 3 months for a 0 day, the payout should be in the range of 40-50k dollars perhaps.
It is still not a good deal for the guy finding it, he is risking months and he may not find anything, however being fairly remunerated for the effort if not the value is the first step companies have to take and it won't look like a cheap trick.
This seems like a big claim to make. My understanding is that by far the most common reason accounts are compromised is password reuse combined with another site being compromised.
Perhaps a better way to word it, is: two factor auth only seems to protect you if all the other parts of site authentication are solid, which rarely seems to be true.
It's uncharitable to focus on the small slice of situations that something doesn't work in order to deem it useless.
It’s why any claims to be Satoshi are laughable. If you want to go public, just prove it cryptographically.
If this rocks Twitter to its foundation as a trustworthy platform, it's the end of Twitter as far as prominent figures being willing to utilize it. If Twitter loses its prominent figures edge, it's all coming down. Twitter has nothing else, it's mostly a broadcast platform for elite people in terms of where the extreme majority of all of its value is produced.
That said, that outcome is far-fetched. The content that was Tweeted appears to be far too benign to accomplish that outcome. The attackers seem to have intentionally avoided Tweeting anything particularly dangerous. If they were trying to ruin Twitter, they would have used the accounts to do something far worse, that would terrify prominent figures away from using the service.
I think they had one target in mind, to go after their DMs, and hit lots of accounts as a cover to hide which one was the primary target.
Would make sense to have something like this for @jack, too — could explain why his bio was changed but he didn't tweet.
seriously, these hackers are not so imaginative.
Most billionaires and large corporations have connections in, and make donations to, both major parties. The people who are critical of billionaires and corporations tend to also be the people that point out that the dominant faction of the Democratic Party (less sophisticated members of the critical group will shorten this to just the Democratic Party, without making the factional distinction) has for decades been, in economic policy terms, a center-right pro-corporate neoliberal group, not a progressive one.
2. Most don't publicly support GOP because they don't want to get cancelled.
PREFERENCE FALSIFICATION: Preference falsification is the act of misrepresenting one’s wants under perceived social pressures.
So I can see why they wouldn't have one of those pre-built for setting the entire site to a read-only mode. It's not at all obvious whether the risks are larger with or without that capability built in. But a spam filter with configs you can push quickly seems like table stakes, and should be a system that gets exercised weekly if not daily.
On the other hand, a product like Twitter having some content moderation filter seems very likely.
What about the circuit breakers at their data centers? Serious question.
This is in many ways worse than your typical large-scale malware or ransomware crisis (like the one that hit Maersk for example).
Malware or ransomware attacks are typically limited to internal company impact with potential stolen data (which you usually discover after it’s been stolen already).
This current situation however has ongoing external impact for as long as the platform is kept online and could even have geopolitical repercussions if a certain high-profile “real” account ends up affected.
The fact that they left the platform online for so long with an ongoing, uncontained attack is absolutely irresponsible.
Building a large-scale information system is like building a nuclear power station. There are a million ways to screw it up and only a few recognized right ways. If you ignore the best practices, it will eventually destroy your company and harm your users. Twitter have nuked themselves here. How can they come back from this? It sure looks like an insider risk mitigation system would have been money well spent.
I had a fairly high level of Gmail and Gaia administrator access for a while when I worked there, including the post-Snowden era. Resetting the password on an account would indeed trigger an audit event, and I'd be asked what was going on. I could provide any plausible-sounding reason and that was sufficient; it wasn't really investigated. And that was the right level of oversight because as far as I know nobody with that kind of access ever abused it by making up a plausible-sounding reason.
Stopping bad insiders is really hard. Attempting to do it makes most organisations totally dysfunctional. There is one very famous kind of company that combats bad insiders regularly and with huge quantities of systems - a bank. Investment banks in particular. Whenever you read about 'rogue traders' they inevitably had to do a lot of stuff to disable all the various security systems trying to catch rogue traders.
Institutionally distrusting your own employees can lead to seriously messed up IT systems. It's one of the reasons that bank employees are notoriously unable to access so many ordinary external websites, or services like Slack. It's how you can get "administrators" that can't read the logs of the service they supposedly administer. Encrypted messaging services in particular are poison to an org that's trying to stop employees exfiltrating valuable data. Google can just about do a good job of it because it has an essentially unlimited budget, which it spends on rolling its own tools for absolutely everything and integrating it all into one uber-architecture. From an economics perspective this makes no sense - comparative advantage etc - and thus basically no other company can do it that way. They have to buy or deploy open source tools that use a wide array of threat models and security systems but 95% of them will assume a trusted admin. Then try and hack things on top to restrict what rogue admins can do. It's deeply unpleasant.
I'm quite concerned about what that means and what this means, and I'm watching this intently. Probably for nothing; I know this is in the realm of risk we're unprepared for, and can't prepare for. Darned if I don't worry anyway.
Yes, that might be a bad trade in the long run, but history has shown us time and time again that people are bad at evaluating those risks.
[edit] before it can be used to claim the bounty, that is—part of why this is relatively safe and so fairly tempting if the pot is big enough is that the money looks legitimate without some serious digging, so if some of it goes in a crypto wallet and sits there for a couple years then quietly gets siphoned off and laundered until it becomes fiat in the insider’s pocket, well, that’s probably gonna fly under everyone’s radar.
- at-rest encryption of the datastores with the content encryption key protected by an HSM. A KMS (key management system) would be the interface to retrieve the key, with access control enabled. An even better solution would be to have the HSM cipher/decipher the data directly, thus the encryption key would never leave the HSM (or the encryption key is also ciphered by the HSM). But performance-wise it is not realistic.
- in-transit encryption from the client to the datastore. More likely no end-to-end encryption, thus allowing admins who have access to encryption termination hosts (reverse proxy, Twitter backend app, datastore, etc.) to read (and maybe alter) the data by doing memory dumps.
- access control for datastore operations: allowing only the twitter backend and some privileged users to read/write in the datastores, etc.
Doing end-to-end encryption from the client to the datastore with a key per client is possible but it would make the solution very complex to operate and not performant.
The tl;dr is that they use hardware security modules (HSMs) with quorum-based access controls. Any administrative actions, such as deploying software or changing the list of authorized operators, require a quorum of operators to sign a command for that action using their respective private keys.
While this system was designed specifically around protecting customers' private keys, you could imagine a similar system around large databases.
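As an added illustration of the quorum-of-operators control described in the comment above (example code written here, not the commenter's or any vendor's implementation), a threshold approval check for an administrative command. It assumes a constructed 2-of-3 policy with operators named alice, bob and carol, and uses per-operator HMAC keys as a stand-in for the private-key signatures the comment refers to; a real deployment would verify asymmetric signatures inside the HSM.

```python
import hashlib
import hmac
import json
import secrets

QUORUM = 2  # constructed policy: 2 of the 3 operators below must approve

# Constructed operator keys (assumption). With real hardware-held private keys the
# verifier would hold only public keys; HMAC is used here so the example runs offline.
OPERATOR_KEYS = {
    "alice": secrets.token_bytes(32),
    "bob": secrets.token_bytes(32),
    "carol": secrets.token_bytes(32),
}


def new_command(action: str, **params) -> dict:
    """Build an admin command with a fresh nonce so approvals cannot be replayed."""
    return {"action": action, "params": params, "nonce": secrets.token_hex(16)}


def canonical(command: dict) -> bytes:
    """Deterministic encoding so every operator approves exactly the same bytes."""
    return json.dumps(command, sort_keys=True, separators=(",", ":")).encode()


def approve(operator: str, command: dict) -> dict:
    """One operator's approval of a command (HMAC tag as the signature stand-in)."""
    tag = hmac.new(OPERATOR_KEYS[operator], canonical(command), hashlib.sha256).hexdigest()
    return {"operator": operator, "tag": tag}


def quorum_check(command: dict, approvals: list, seen_nonces: set) -> tuple:
    """Return (ok, reason). The command is accepted only if a quorum of distinct,
    authorized operators approved these exact bytes and the nonce is unused."""
    nonce = command.get("nonce")
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed nonce"
    msg = canonical(command)
    valid = set()  # a set, so the same operator approving twice counts once
    for a in approvals:
        key = OPERATOR_KEYS.get(a.get("operator"))
        if key is None:
            continue  # unknown operator: ignored rather than counted
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, a.get("tag", "")):
            valid.add(a["operator"])
    if len(valid) < QUORUM:
        return False, f"only {len(valid)} valid approval(s), need {QUORUM}"
    seen_nonces.add(nonce)  # consume the nonce only once the command is accepted
    return True, "approved by " + ",".join(sorted(valid))


if __name__ == "__main__":
    seen = set()
    cmd = new_command("update_operator_list", add="dave")
    print(quorum_check(cmd, [approve("alice", cmd), approve("bob", cmd)], seen))
    # Replaying the same approved command is refused by the nonce check.
    print(quorum_check(cmd, [approve("alice", cmd), approve("bob", cmd)], seen))
    # One operator cannot reach quorum by approving twice.
    cmd2 = new_command("deploy", image="backend:constructed")
    print(quorum_check(cmd2, [approve("alice", cmd2)] * 2, seen))
```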
Not necessary
> or filesystem access
Also no
> or ability to modify the fleet.
Not that either. It feels like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.
Even the last thing you said about Linux systems starting processes ... even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.
While true, this effectively doesn't matter given the number of people we've bombed since our last declaration of war in 1942 [0].
[0] https://www.senate.gov/pagelayout/history/h_multi_sections_a...
He has fired people over Twitter [0], so I'm not sure the scope of what one can do there is limited to "marketing/propaganda".
> (Also POTUS is not authorized to declare any wars btw.)
Other nations are not going to read the US law first before deciding if the declaration was or not real.
[0] https://www.theverge.com/2018/3/13/17113950/trump-state-depa...
All we have here is an announcement. Seriously doubt this was the "official" firing, hiring or promoting of anyone. The statement in the article isn't even from Tillerson, so we don't really know.
> Other nations are not going to read the US law first before deciding if the declaration was or not real
There's a lot more formality to declaring war, for any nation. Not to mention the lack of anything else to support such a statement, like an actual press conference or public statements, media attention or, you know, actual military movement which all capable nations track constantly.
The software has to get there somehow. The images have to get created somehow. The databases need to stay running somehow. At the end of the day they are machines that need to be managed. Just because you don't have people SSH'ing in and SFTP'ing files around changes nothing about that. And I'm not talking about doing that anyway, or any of the other things you keep telling me I don't understand are bad practice (you're wrong).
Hand waving and mumbling 'old tech, newb' doesn't help in the slightest. I've been writing software with a small side of infrastructure management for 10+ years. Not all of us work at FAANG and magically know how things work on that scale.
Thanks anyway.
OK, what about the people who have physical access?
> even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.
Who watches the init daemon?
What about them? Nothing about physical presence should lead to userdata access, nor the ability to act as users, if the application-layer security is squared away. In any case, physical security is by far the easiest of these topics to handle. Keeping people out of buildings is a human undertaking with 1000s of years of solid doctrine.
> Who watches the init daemon?
Another important question! If you don't know what's running on your box, you really don't have a security story at all.
https://cloud.google.com/blog/products/gcp/titan-in-depth-se...
"Dear Twitter Followers, It is with grave heart that I have to ask you to do the right thing for your country, go out and do something about - insert bogeyman of the hour here - and I will be sure to reward you greatly. The time has come to do your part. I personally promise to pardon anybody that ends up on the wrong side of what today still is the law. Let's take this country and make it even greater."
That's just a two minute sample, give me an hour or so and I'll come up with something much worse than that. These things are easier to start than to stop.
I mean, when is the last time we officially declared war? It has to have been decades ago.
> Iran has gone TOO FAR! As President I have ordered the use of nuclear weapons against key military targets. We begin bombing in five minutes.
Regardless of the plausibility of the message, it would be likely to trigger a panicked response from foreign militaries. It's not at all implausible that it'd start a war.
[1]: https://en.wikipedia.org/wiki/We_begin_bombing_in_five_minut...
They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.
Everyone always assumes stuff like this after every big criminal case. But every time it turns out that yes they were that stupid.
1Md6imvB2neTF3s1kFiMG473k1XrBhxQhF
One of the largest problems of our industry.
I'm not sure the FB counts as democratic. At best he's big shades of gray with contradicting indications.
Out of the top four richest tech billionaires, according to Forbes, only one of them is not most likely conservative, and that one tries to stay out of politics, i.e. Bill Gates.
The next two have clear conservative leanings or contradicting indications, i.e. Bezos and Zuck.
Number four is Larry Ellison, who recently hosted a Trump fundraiser. Well, here is what Wikipedia has on him:
Politics
Ellison was critical of NSA whistle-blower Edward Snowden, saying that "Snowden had yet to identify a single person who had been 'wrongly injured' by the NSA's data collection".[85] He has donated to both Democratic and Republican politicians,[86] and in late 2014 hosted Republican Senator Rand Paul at a fundraiser at his home.[87][88]
Ellison was one of the top donors to Conservative Solutions PAC, a super PAC supporting Marco Rubio's 2016 presidential bid. As of February 2016, Ellison had given $4 million overall to the PAC.[89] In 2020, Ellison hosted a fundraiser for Donald Trump at his Rancho Mirage estate.[90][91]
https://www.reuters.com/article/us-usa-cyber-silkroad-idUSKB...
But even still, the idea to prevent money laundering by sending orders of magnitude more BTC than the initial scam... bold idea.
https://www.cnbc.com/2017/11/30/former-twitter-employee-who-...
It just makes me sad that I see people spending their energy on good comments, unaware they're not being read by most people.
If they convert to Monero after then it's a different thing entirely.
No nation is going to start killing people because of a Tweet. Be realistic.
It detracts from your otherwise valid points when paranoia and blind hatred overshadow your arguments.
The number of posts you've made about the leader of a foreign nation is astonishing. Are there zero domestic problems to be fired up about?
> You again?
I guess I could say the same. Touché.
Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out. Not surprising to me that they'd cash out in this manner - especially if they got access via a token which expires: they wouldn't have much time to plot on how to monetize the access.
I suspect this was a small operation - a national intelligence organization could have caused orders of magnitude more havoc with this sort of access. Smaller groups don't have the infrastructure to capitalize on such chaos.
When they pay out. Some will even fix the bug, and just tell you "thanks, but it wasn't a security bug"
I reported that you could use this to basically block out the SERP and they said it wasn't a bug, then fixed it. I was hoping for a t-shirt at least.
Now I wished I would've abused it and blogged about it for the resume.
The point is that bounty value of critical ATO kind of vulnerabilities tend to be okay-ish, but relatively low compared to what black hats could get.
Personally, I think this was an opportunistic actor, not a persistent one with a strategic goal.
It doesn't need much fantasy to cause more havoc. It was speculated in another thread, but maybe the hackers held back since the manhunt is going to be far less for a 'harmless' Bitcoin scam rather than i.e. crashing $TSLA or declaring a war.
Also for example, if they’re a US student, they could lose access to benefits and loans as a result of reporting the income.
Not everyone believes that the existence of Twitter, in its current state as an amplification medium for the ever increasing polarisation in this world, is actually a force of good.
Helping them out with a security report might be the last thing on their mind.
Companies will routinely downgrade the severity of your exploit so they can pay you less.
(If Hackerone wants to fix that: enable easy, on-platform disclosure unconditionally after 30 days. Right now, the platform is just used to pressure people into delaying disclosure or not disclosing at all.)
Are Twitter protecting "even higher" profile accounts? Why do they put more effort into protecting these "even higher" profile accounts? And how do they protect these accounts? And if that really is the case, and this product feature is outed during this election campaign year, then Twitter deserve a court summons.
I seriously doubt Trump's account would, or should have that much more protection than other high profile, verified accounts.
Cons: trying to deal with 103k in bitcoin
Someone moved $1 billion nearly a year ago and I don’t believe we know who made it: https://arstechnica.com/tech-policy/2019/09/someone-moved-1-...
And everyone in government will quickly conclude that they can't allow this to happen.
This could be the beginning of the end of social media.
Please, God, I beg you, let this happen.
More than relates, it is the doing.
"Justice Department lawyer Jennifer Utrecht in her reply acknowledged the president’s tweets are official government statements"
https://www.washingtonpost.com/local/legal-issues/can-presid...
If Trump were to tweet what the fringe communities want to hear (example: Trump tweets that state law enforcement have started rounding up people with Hawaii shirts and confiscating their weapons, and that they should be seen as enemy combatants and engaged on sight), that would turn ugly very quickly.
A well crafted tweet about e.g the Taliban could easily put US soldiers abroad in harms way immediately too.
Well armed militia who don’t offer diplomatic representation — they are the ones to worry about.
I mean, if you spent $$$$ shorting Tesla stock, then a week later the stock nosedived in response to a tweet and you made a big profit, that doesn't prove you were behind the tweet.
It wouldn't even be illegal, unless there was independent proof you were behind the hack. Without that, you just placed a bet which happened to be a lucky one - just like anyone else who was short Tesla.
Yes, it would be ... but it would also be hard to prove.
Naval Ravikant (@naval) is the CEO and co-founder of AngelList. He’s invested in more than 100 companies, including Uber, Twitter, Yammer, and many others.
Tomorrow is a mist. Today's the sunshine.
Make the world better by building something anything today.
Build shit. Ship shit. That's all there is to success.
----- I almost feel like these Twitter personalities like Balaji, Naval, Chamath are the VC equivalent of Shia LaBeouf. They became popular by shouting out loud. I have no idea why they matter at all in the computer science industry.
is already quite small, and could be quickly prioritized based on how anomalous the trade was, other flags (foreign national, software engineering background). I suspect the SEC could get to a workable list of 50 prime suspects reasonably easily.
The idiot has never hacked a thing for profit in his life.
What is the computer science "industry"? To the extent that such a thing exists, I suppose you are talking about people who have directly made money by creating software (Chamath), or invested in companies which made money (Naval and Balaji). How can any industry exist if no money is ever made?
And whom do you propose people follow instead? :-)
"You will need clarity to deal with upcoming personal conflicts."
You get in an argument with your friend/spouse/partner/coworker, and the fortune cookie sounds prophetic.
Trump's account is probably specially marked for two- or even three-person lock, to prevent "rogue account termination" as has already happened. So the questions quickly turn to odd angles: how many other high-profile, politically (and/or economically) influential accounts are equally protected? What criteria are used to assign the account this level of protection? Should this kind of account lock mechanism be more widely available? If yes, to whom?
I personally suspect that Twitter will eventually have to follow Google's route for high-profile accounts and identity management in general.[0] If people are using Twitter as their personal press office, the company has no choice but to accommodate.
If that's proven to be the case, that in itself is quite a big issue. Biden, as a leading political rival absolutely should have a right to similar protections if they exist.
Indeed, as a democracy, anyone should have access to the same level of protection. Or at the very least, all verified accounts.
I do think that Google should subject passwords for accounts in the program to HIBP checks. By this point every major browser provides at least some kind of password manager functionality. It'll probably never be the same quality as a stand-alone, fully focused password manager product, but it must be an improvement over forcing users to memorise passwords.
Infosec is certainly a hefty part of business continuity, but business continuity itself is a much wider topic.
Someone bragging about finding Zalgo in a SERP would not impress me when reading resumes.
Even betting 20k would have probably netted you more than what was gained via BTC and you would still be indistinguishable from RH day traders.
I'd be surprised if that even got you interviewed, let alone searched for hacking tools.
Unless they've fingered you by some other means, in which case it's irrelevant how you were planning to get the money out.
Of course I can understand if you are somehow unable or unwilling to talk about it, but I'm really curious and it can't hurt to ask :).
I'm not into this, but I once discovered a kind of security-related bug (it could reveal details about the composition of a password typed into a new Windows 8 password field; admittedly low value, as you had to have the user type in the password and leave) and later found a more interesting issue in the way an official PowerShell module works with Azure Information Security that makes it possible to sneak a file through unencrypted.
On the first I got a nice thank you mail and on the last I struggled so hard to report it that I gave up.
The way around this is to leave no traces of the hack or to cash in using another person.