How To Hack Twitter's Two-Factor Authentication

An anonymous reader writes with this excerpt from PC Mag's SecurityWatch: "We've pointed out some problems with Twitter's new two-factor authentication. For example, since just one phone number can be associated with an account, Twitter's two-factor authentication won't work for organizations like the Associated Press, The Onion, or The Guardian. They were hacked; they could still be hacked again in the same way. However, security experts indicate that the problem is worse than that, a lot worse."

watch the eyes on the vid

[mynamestolen]

loved how they read from the bottom of the screen. Please give me a nice telepromter for my youtube vids

Re:watch the eyes on the vid

Your comment has nothing to do with the person you're responding to. Did you just post that there hoping it would be seen so that you can score points? If so then why not just get an account?

worse problem?

[mcmonkey]

the problem is worse than that, a lot worse

Problem? Worse? This is twitter we're talking about right?

If sending an unencrypted email is like sending a postcard (kids, ask your parents) in pencil, twitter is like a sign you stick in your lawn.

Anyone can drive by and stick a sign in your lawn, make it look like you support any cause, or take any sign you've put out.

Now if people put undue weight to those signs, it they swing the markets, then the issue--the problem--is people who don't know the difference between reliable and unreliable sources.

The problem isn't twitter, it's employees in the media and so-called journalists who'd rather sit on their bum checking their cell phone than go out and do their job.

Thank you

[ArchieBunker]

Seriously who gives a fuck about twitter and who puts so much weight into what is said?

Re:Thank you

[Zerth]

As long as stock market bots and day traders use twitter activity to guide their behavior, I care.

Re:Thank you

Seriously who gives a fuck about twitter and who puts so much weight into what is said?

Gee, I don't know...why don't you ask the HFT systems in the stock market what they think of a single tweet.

Believe me I'm with you, I wish Twitter had about as much weight as the average pointless post...but the simple fact is this behemoth is now part of our emergency notification and financial infrastructure. Don't fucking ask me how that shit happened. It just did. It's now on the "too big to fail" list.

But don't worry. It can't possibly get any worse...at least until the Bank of Facebook has it's grand opening...

Re:Thank you

As long as stock market bots and day traders use twitter activity to guide their behavior, I care.

And what fucking moron decided it would be good for their stock market bot to monitor twitter?

Re:Thank you

or for there bots to be playing the market in the first place.

Re:Thank you

http://www.huffingtonpost.com/2013/04/23/twitter-flash-crash_n_3141311.html

The U.S. stock market crashed momentarily on Tuesday afternoon after the Associated Press' Twitter account was hacked and a hoax tweet was sent out that suggested explosions at the White House had injured President Barack Obama. The Dow Jones Industrial Average dropped about 150 points in a matter of seconds

Re:Thank you

As long as stock market bots and day traders use twitter activity to guide their behavior, I care.

And what fucking moron decided it would be good for their stock market bot to monitor twitter?

The same kind of fucking moron who has always done that kind of shit with the markets. A greedy cocksucker. The kind that cannot profit fast enough.

Re:Thank you

[AmazingRuss]

A greedy STUPID cocksucker

Re:Thank you

[Sqr(twg)]

Somebody who's making a hundred times your annual salary, most likely.
There are two ways to get rich in the stock market:
1) Invest in stocks that are undervalued, then wait ten years until everybody else has figured out they were undervalued, and hope that nothing bad happens in the mean time.
2) Make the same (often stupid) move that everybody else is going to make, but faster.
The twitter-following trading bots are using the second strategy.

Re:Thank you

[peawormsworth]

And what fucking moron decided it would be good for their stock market bot to monitor twitter?

Its really very brilliant. If you know other bots are using twitter to make market bidding decisions, then your bot can use this knowledge to trick the other bots into doing your bidding. Its a bot eat bot world out there

Re:Thank you

[peawormsworth]

The same kind of fucking moron who has always done that kind of shit with the markets. A greedy cocksucker. The kind that cannot profit fast enough.

Well actually, the bots trading on the false twitter post could not lose money fast enough. They were the only ones quick enough to sell during the brief crash they created for themselves. The other bots that bought at the reduced rates where likely not following the twitter feeds.

Re:Thank you

Hack twitter how about this page?

Twitter + Gmail two-factor authentication

[Cutting_Crew]

My twitter account, like all my others(like banking etc) are tied to my various gmail accounts, which are also two-factor authenticated. So in order to change my password for example on my twitter account, you would need to hack into my twitter account then hack into my gmail account(password + 2-factor auth.) to check the email so that you can change the password.

I don't know if this makes it more difficult or if i should hold out.

Re:Twitter + Gmail two-factor authentication

[Nerdfest]

... or perhaps has a business, or works in an industry that uses Twitter frequently, or perhaps even friends.

Re:Twitter + Gmail two-factor authentication

In other words, a total loser. Any "business" that "needs" Twitter need a lot of help.

Re:Twitter + Gmail two-factor authentication

[Gaygirlie]

or perhaps even friends.

Pfft. Only hipsters got friends. Real nerds do not need such new-fangled humbug -- cold, hard electronics and the soothing back-light of a large LCD should be more than enough!

Re:Twitter + Gmail two-factor authentication

[Dishevel]

Jobless AC wisdom.
Awesome.

Re:Twitter + Gmail two-factor authentication

[KGIII]

Plus the smell of a musty basement and mom screaming down the stairs that dinner is ready.

Re: Twitter + Gmail two-factor authentication

MEATLOAF!

Re: Twitter + Gmail two-factor authentication

Meatloaf? Is Eisenhower back in office? I'll take microwave pizza, thanks.

It actually is a big deal

[TrumpetPower!]

The two-factor authentication is supposed to protect against a man-in-the-middle attack. The problem is that the verification response from the second factor goes back through the same already-compromised channel.

Imagine you're a sophisticated vilain in some backwater part of the world. You notice there's an AP reporter there doing some long-term investigative journalism, and said reporter likes to file his reports from a particular internet cafe.

You hack the cafe's wifi and somehow convince the reporter that his Twitter account has already been hacked -- say, by showing him a tweet in his name of something outrageous. The reporter, panicked, resets his account -- but does so through your fake Twitter authentication. You now capture both his password and the second factor sent through his text message; you now own his Twitter account.

And you now go ahead and actually send out some outrageous tweet as this particular reporter. Perhaps you pull off your attack while some very important person is visiting, and you report said person's assassination. You know this will crash the markets, and so you short all the proper stocks and make a killing...on the market.

Is it wise for people to have the trust they do in Twitter? Hell no. Do they have such trust anyway? Yes.

Which is why this is a big deal.

Cheers,

b&

Re:It actually is a big deal

What might be better would be moving to different authentication methods. Client certificates are almost foolproof, except they require them to be copied to each machine that they are to be used on.

There is always the OPIE or S/KEY method that one uses their password and a number, then generates a list of one time use passwords that can be printed out or used with an app. This is a completely offline method and the attacker would have to go after the Web cookie or the browser for successful authentication.

Re:It actually is a big deal

The two-factor authentication is supposed to protect against a man-in-the-middle attack.

This is a fundamental misunderstanding of the security model. The attack you describe should be obvious to anyone who took any time to think about it. Two-factor authentication does nothing against man-in-the-middle attacks or phishing attacks, it prevents replay attacks. That is, to attack 2FA, you need to do the attack in real time and don't get another chance to use the credentials latter (unless, as you describe, the attacker is able to change the password, but I've never encountered a system attempting to be at all secure that didn't send an e-mail about password changes).

The right thing to do would be for Twitter to get out of the way and let users login via OpenID so organizations like AP that need the security can secure their own OpenID servers however they like. Giving every AP reporter a smartcard that acts as their second factor to log into an AP-run OpenID server would be reasonable and protect from that attack, but it's not something Twitter has the ability to organize over a larger userbase.

Re:It actually is a big deal

[englishstudent]

You should be using a VPN over a public wifi network.

Re:It actually is a big deal

Multi-factor authentication is not about protecting against man in the middle. Multi-factor authentication is about verifying the authenticity of the user trying to access resources/applications/networks.

That "twitter exploit" video is really nothing new and the author looks like someone who just discovered the world isn't all that pretty and pink.

There are other ways of protecting against fake proxy, like image-based verification. But really, if you're stupid enough to fall for this trick, in 2014, you deserve it.

Re:It actually is a big deal

You guys havent understood it. This is not about what geeks do or could do. This is about providing sensible options for regular users.

Re:It actually is a big deal

Mod parent down, for not having a clue what s/he's talking about.

No, 2FA is not supposed to protect against MitM. Some versions of it might, but 2FA in and of itself isn't required to do that. It is only required that two factors of authentication be used:
* something you have
* something you know
* something you are

What 2FA *is* supposed to do is (a) provide greater assurance that a person is who they say they are, (b) make it harder to steal credentials, (c) make it easier to detect that credentials are stolen, and (d) address the inherent weaknesses of a particular factor by using a second factor (example: it's hard to know that you'r password has been stolen because you still have it, but your physical token suddenly dissappears and you'll probably notice).

2FA typically relies on cryptography - encrypted communication channels or challenge response protocols within the authentication protocol - to prevent MitM attacks. True, there is a circular relationship between doing this right to avoid MitM by knowing to whom you are speaking, but you can create a secure communication channel with 1FA. Just look at regular TLS for an example.

Let's ask the IT guy on the movie "Hackers"

[jennatalia]

Everything that happened in there is legit. He probably used some type of defense called Hawk to deal with Twitter hacks.

Re:Let's ask the IT guy on the movie "Hackers"

You won't be laughing when I sic my BlackICE on you!

This cant be stopped.

[140Mandak262Jamuna]

The fundamental problem here is that the user logs into a fake twitter site and gives the login credentials. Then gives the second factor authentication too. This scenario can not be protected against no matter how many factors you use. In fact if I keep logging into a fake google site and keep entering all the credentials how can google stop it?

Re:This cant be stopped.

Ya, looks like the company PCmag is talking about, Toopher, has a ridiculous solution. They track your location to determine your habits, and I assuming it's GPS so that it works anywhere since wifi pinpointing wouldn't be strong. Ya anybody with a brain could see the security in that. The hacker who messes with my Twitter or Facebook account will just do something stupid with it, nothing serious like track my movement.

In this case Toopher is worse than the hacker. Great job, genius.

Re:This cant be stopped.

use something like BofA's SiteKey challenge/response image

Re:This cant be stopped.

While it looks like its impossible to solve this, that is not the case. Here is how to do logins in a sane way: Use SRP ( https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol )

Here is how it defeats the basic fake front man in the middle: the result of the exchange is a shared secret: if it forwards the login challenge from the real service, it can't decrypt or alter the resulting session since it does not know the shared secret generated by the exchange.

For this to work, you need to never send the password you enter in the browsers. The browser must support some special SRP input field that you can tell apart from what ever a fake site may present. There are many ways to do this, types of popups that a site normally can't make or maybe using a secret color that matches something in the browser (say a lock icon like SSL uses) for the field background.

So, in short, I have solved the whole darn impossible problem with an existing standard crypto process, and a browser extension to use it. How did this not make it in HTML5? Really, its trivial, and would solve the entire password phishing problem, and multi-site password reuse problems, and drastically reduce the harm caused by leaking poorly designed backend password databases. It would also be really trivial for sites to use (easier than existing less safe solutions), easy for browsers to implement. Why can't we have this?

Oh, and just to be clear, In case there are any intellectual property issues here, I release any ideas herein which may be owned by me into the public domain. Someone please do this. Please!

Re:This cant be stopped.

That's wonderful. In fact, browsers have supported something like that for ages in the form of digest access authentication. The main catch is that the separate unfakeable UI for entering a password for digest auth is 100% identical to the UI for entering a password for basic auth (aka send the password in plain text) in all browsers. One tiny little tweak to the UI to differentiate the two would effectively get what you request. (Although while you're at it, you might as well try to get browsers to use a better algorithm as well.)

The problem, of course, is that practically no one uses digest auth. No idea why, but everyone decided typing passwords into a web page was a better idea. The password input form field in HTML is probably one of the worse UI decisions of all time.

Re:This cant be stopped.

Thanks for the info, I wasn't aware of that (I do no web dev at all, so I miss things). Its nice to see that most of the time I come up with a good idea it isn't new. Now if people would just start using the good ideas things would be much better!

You are right also right that it needs an algorithmic choice upgrade (to SRP I suggest), as well as fixing the unfakeability. You can't simply to a deterministic change to the appearance, since you could fake that (its just harder). What it really needs is an appearance that the attacker can not know such as a random color, or boarder that matches something somewhere else in the browser outside the site's control, like the url bar.

I'm gonna write up a nice article, and try and push it. Maybe something will happen, but I doubt it. I know some people at Google and Microsoft, maybe I can pull something.

Re:This cant be stopped.

[Ultracrepidarian]

BofA was so secure that when I tried to close my account they told me I was the wrong gender and born in the wrong year and refused to speak to me.

Re:This cant be stopped.

Ya, looks like the company PCmag is talking about, Toopher, has a ridiculous solution. They track your location to determine your habits, and I assuming it's GPS so that it works anywhere since wifi pinpointing wouldn't be strong. Ya anybody with a brain could see the security in that. The hacker who messes with my Twitter or Facebook account will just do something stupid with it, nothing serious like track my movement.

In this case Toopher is worse than the hacker. Great job, genius.

Is "ya" an English word now?

Lawn Sign Analogy Is Good

This happens in Facebook and is encourage by Facebook all the time !

How is this different from Google's 2-factor auth?

How is this different from Google's 2-factor authentication?

A similar solution works very well, no GPS

[raymorris]

I'm not familiar with Toopher specifically, but the general idea works quite well. We've been doing it for fifteen years.
I always post on Slashdot using a small Android phone in Bryan, TX, and my ISP is Suddenlink. I've posted on Slashdot hundreds, if not thousands of times. 20 minutes after I make this post from here in Bryan, if someone claiming to me tries to log in using an iphone in Canada, that's guaranteed to be bogus. That's a simple, obvious, and common example.

Now take that same general idea and apply fifteen years of R&D and real world experience. You can catch most unauthorized login attempts. If you do any late night surfing, on sites like GirlsGoneWild.com, you may have noticed half of those sites say "protected by Strongbox". They do that because it works.

Re:A similar solution works very well, no GPS

What kind of location information are using? There's GPS and location by wifi. Neither works well for desktops. IP address is the obvious solution. I believe google uses it. There's also fingerprinting. IP address and fingerprinting would be just as effective without the location information. Toopher might use the same information including GPS. GPS is just too invasive. Wifi is not very acurate.

No need to outsource this kind of work to a company unless they have some special proprietary algorithm that's better than what you can cook up in-house.

Re:A similar solution works very well, no GPS

[raymorris]

There are at least two other ways of getting location data leveraging standard protocols (no special software needed on the client.

> There's GPS and location by wif works well for desktops. IP address is
> the obvious solution. I believe google us also fingerprinting. IP address and fingerprinting
> would be just as effective without the location information.

IP without location isn't nearly as effective, especially with mobiles, but also with desktops. IPs change.
When you power cycle your cable modem, you'll likely get a different IP address. We can still tell you're in the correct neighborhood, so it probably really is you.

> No need to outsource this kind of work to a company unless they have some special proprietary algorithm that's better than what you can cook up in-house.

it's easy to get this wrong. We've specialized in this for 15 years and still continue to make improvements and corrections. Your error above thinking that location doesn't add anything beyond IP address is an example that there is more to it than you might think. There are at least three different actions you need to take for different types of proxies. We've analyzed hundreds of millions of login attempts and still we don't have it down pat, there's more work to do.

How is this different from Google's 2-step auth?

How is this different from Google's 2-step auth? I think both work basically in the same way.

Single Factor is Best

[VortexCortex]

Anything more than a Single Factor is useless for security. Two Factors means it's certainly not a prime!

Re:Single Factor is Best

[viperidaenz]

3 factors are better!

Re:Single Factor is Best

Good Luck! I'm behind seven factors!

Idiot proof security

"You can't make anything idiot proof because idiots are so ingenious"

TOTP would solve the parallel access problem

[kju]

Instead of using some custom two-factor authentication which is bound to a specific phone, they should use TOTP (http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm). Then the same shared secret could be configured into several token generators (e.g. Google Authenticator on Android).

TOTP seems to become the standard for two-factor authentication, given that both Facebook and Google use this (Facebook provides its own limited code generator with their App) and also quite a few other significant services (e.g. Dropbox, Amazon AWS).

Google also provides a pam module for TOTP which allows one to setup TOTP for own services. I tried that yesterday: Installed the PAM module and added a key into Google Authenticator. Result: TOTP secured SSH login (by using normal account password with the token appended). TOTP support can also be added to non-PAM capable applications, for example a TOTP extension for Mediawiki exists. I tried that one as well and it is working great.

Google Authenticator App allows one to configure more than one account, so you can secure different services with TOTP and still have one central token generator App.

Hack fail.

[viperidaenz]

It's the users fault for entering their credentials in a fake site. There should be SSL when you enter your password on twitter. That means there should be a verification icon in the URL bar with "Twitter, Inc [US]" on it.

Re:Hack fail.

[aaronb1138]

Unfortunately, most users still can't think to consider such a simple step. Most browsers now offer to cache login credentials. What the browsers should really do with the heuristics which detect a login prompt is add a warning that the credentials are being entered into a site without SSL or with a mismatched certificate. Certificate exceptions should of course be easy to store as they are now, after a one time prompt.

Re:Hack fail.

The site itself should also prove to the user that it is indeed what it is.
One of my online banks shows a user selected picture with code phrase to "prove" who they are after the login/password before the usual question/answer set. While this does not get around man-in-the-middle attack, but it should cut down on phishing.

My other bank does not and the person at the bank was so bad at security that it is not even funny. I gave up when she failed to understand why I want the bank site to proof to me that they are my bank part and she remark of my computer sending **** as password.

these password stories again

[CoralSyks]

You don't need N-factor authentication to be secure, the problem is most companies implented half a-- 1 factor to begin with, and instead of fixing their authentication decide to implement half a-- 2 factor authentication. If you don't do it correctly it doesn't matter how many factors you think are cool in meeting rooms

No DID?

[msk]

None of these organizations have direct inward dialing?

How far behind the times are they?