Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Hack Twitter's Two-Factor Authentication

Posted by timothy on from the there-can-be-only-one-or-two-or-whatever dept.

An anonymous reader writes with this excerpt from PC Mag's SecurityWatch: "We've pointed out some problems with Twitter's new two-factor authentication. For example, since just one phone number can be associated with an account, Twitter's two-factor authentication won't work for organizations like the Associated Press, The Onion, or The Guardian. They were hacked; they could still be hacked again in the same way. However, security experts indicate that the problem is worse than that, a lot worse."

14 of 58 comments (clear)

  1. worse problem? by mcmonkey · · Score: 4, Insightful

    the problem is worse than that, a lot worse

    Problem? Worse? This is twitter we're talking about right?

    If sending an unencrypted email is like sending a postcard (kids, ask your parents) in pencil, twitter is like a sign you stick in your lawn.

    Anyone can drive by and stick a sign in your lawn, make it look like you support any cause, or take any sign you've put out.

    Now if people put undue weight to those signs, it they swing the markets, then the issue--the problem--is people who don't know the difference between reliable and unreliable sources.

    The problem isn't twitter, it's employees in the media and so-called journalists who'd rather sit on their bum checking their cell phone than go out and do their job.

  2. Re:Thank you by Zerth · · Score: 5, Insightful

    As long as stock market bots and day traders use twitter activity to guide their behavior, I care.

  3. It actually is a big deal by TrumpetPower! · · Score: 4, Interesting

    The two-factor authentication is supposed to protect against a man-in-the-middle attack. The problem is that the verification response from the second factor goes back through the same already-compromised channel.

    Imagine you're a sophisticated vilain in some backwater part of the world. You notice there's an AP reporter there doing some long-term investigative journalism, and said reporter likes to file his reports from a particular internet cafe.

    You hack the cafe's wifi and somehow convince the reporter that his Twitter account has already been hacked -- say, by showing him a tweet in his name of something outrageous. The reporter, panicked, resets his account -- but does so through your fake Twitter authentication. You now capture both his password and the second factor sent through his text message; you now own his Twitter account.

    And you now go ahead and actually send out some outrageous tweet as this particular reporter. Perhaps you pull off your attack while some very important person is visiting, and you report said person's assassination. You know this will crash the markets, and so you short all the proper stocks and make a killing...on the market.

    Is it wise for people to have the trust they do in Twitter? Hell no. Do they have such trust anyway? Yes.

    Which is why this is a big deal.

    Cheers,

    b&

    --
    All but God can prove this sentence true.
  4. This cant be stopped. by 140Mandak262Jamuna · · Score: 4, Insightful

    The fundamental problem here is that the user logs into a fake twitter site and gives the login credentials. Then gives the second factor authentication too. This scenario can not be protected against no matter how many factors you use. In fact if I keep logging into a fake google site and keep entering all the credentials how can google stop it?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. Re:Twitter + Gmail two-factor authentication by Nerdfest · · Score: 2

    ... or perhaps has a business, or works in an industry that uses Twitter frequently, or perhaps even friends.

  6. A similar solution works very well, no GPS by raymorris · · Score: 3, Insightful

    I'm not familiar with Toopher specifically, but the general idea works quite well. We've been doing it for fifteen years.
    I always post on Slashdot using a small Android phone in Bryan, TX, and my ISP is Suddenlink. I've posted on Slashdot hundreds, if not thousands of times. 20 minutes after I make this post from here in Bryan, if someone claiming to me tries to log in using an iphone in Canada, that's guaranteed to be bogus. That's a simple, obvious, and common example.

    Now take that same general idea and apply fifteen years of R&D and real world experience. You can catch most unauthorized login attempts. If you do any late night surfing, on sites like GirlsGoneWild.com, you may have noticed half of those sites say "protected by Strongbox". They do that because it works.

    1. Re:A similar solution works very well, no GPS by raymorris · · Score: 2

      There are at least two other ways of getting location data leveraging standard protocols (no special software needed on the client.

      > There's GPS and location by wif works well for desktops. IP address is
      > the obvious solution. I believe google us also fingerprinting. IP address and fingerprinting
      > would be just as effective without the location information.

      IP without location isn't nearly as effective, especially with mobiles, but also with desktops. IPs change.
      When you power cycle your cable modem, you'll likely get a different IP address. We can still tell you're in the correct neighborhood, so it probably really is you.

      > No need to outsource this kind of work to a company unless they have some special proprietary algorithm that's better than what you can cook up in-house.

      it's easy to get this wrong. We've specialized in this for 15 years and still continue to make improvements and corrections. Your error above thinking that location doesn't add anything beyond IP address is an example that there is more to it than you might think. There are at least three different actions you need to take for different types of proxies. We've analyzed hundreds of millions of login attempts and still we don't have it down pat, there's more work to do.

  7. Single Factor is Best by VortexCortex · · Score: 4, Funny

    Anything more than a Single Factor is useless for security. Two Factors means it's certainly not a prime!

  8. Re:Thank you by Anonymous Coward · · Score: 5, Informative
    http://www.huffingtonpost.com/2013/04/23/twitter-flash-crash_n_3141311.html

    The U.S. stock market crashed momentarily on Tuesday afternoon after the Associated Press' Twitter account was hacked and a hoax tweet was sent out that suggested explosions at the White House had injured President Barack Obama. The Dow Jones Industrial Average dropped about 150 points in a matter of seconds

  9. Re:Twitter + Gmail two-factor authentication by Gaygirlie · · Score: 2

    or perhaps even friends.

    Pfft. Only hipsters got friends. Real nerds do not need such new-fangled humbug -- cold, hard electronics and the soothing back-light of a large LCD should be more than enough!

  10. TOTP would solve the parallel access problem by kju · · Score: 4, Informative

    Instead of using some custom two-factor authentication which is bound to a specific phone, they should use TOTP (http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm). Then the same shared secret could be configured into several token generators (e.g. Google Authenticator on Android).

    TOTP seems to become the standard for two-factor authentication, given that both Facebook and Google use this (Facebook provides its own limited code generator with their App) and also quite a few other significant services (e.g. Dropbox, Amazon AWS).

    Google also provides a pam module for TOTP which allows one to setup TOTP for own services. I tried that yesterday: Installed the PAM module and added a key into Google Authenticator. Result: TOTP secured SSH login (by using normal account password with the token appended). TOTP support can also be added to non-PAM capable applications, for example a TOTP extension for Mediawiki exists. I tried that one as well and it is working great.

    Google Authenticator App allows one to configure more than one account, so you can secure different services with TOTP and still have one central token generator App.

  11. Re:Thank you by Sqr(twg) · · Score: 2

    Somebody who's making a hundred times your annual salary, most likely.
    There are two ways to get rich in the stock market:
    1) Invest in stocks that are undervalued, then wait ten years until everybody else has figured out they were undervalued, and hope that nothing bad happens in the mean time.
    2) Make the same (often stupid) move that everybody else is going to make, but faster.
    The twitter-following trading bots are using the second strategy.

  12. Re:Twitter + Gmail two-factor authentication by Dishevel · · Score: 2

    Jobless AC wisdom.
    Awesome.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  13. Re:Hack fail. by aaronb1138 · · Score: 2

    Unfortunately, most users still can't think to consider such a simple step. Most browsers now offer to cache login credentials. What the browsers should really do with the heuristics which detect a login prompt is add a warning that the credentials are being entered into a site without SSL or with a mismatched certificate. Certificate exceptions should of course be easy to store as they are now, after a one time prompt.