Why Twitter Can't Even Protect Tech CEOs From Getting Hacked (buzzfeed.com)

← Back to Stories (view on slashdot.org)

Why Twitter Can't Even Protect Tech CEOs From Getting Hacked (buzzfeed.com)

Posted by msmash on Friday July 1, 2016 @02:00AM from the security-woes dept.

Over the past few weeks, we have seen a number of CEOs -- including Google's Sundar Pichai, and Facebook's Mark Zuckerberg -- become victims of Twitter hacks. One must ask, what's wrong with Twitter that so many people -- including high-profile names -- keep getting hacked? BuzzFeed dives deep into the problem, and says it's how Twitter interacts with third-party apps that's at fault. From the article:Over the past several weeks, however, a three-person hacking team called OurMine has made clear that years after the problem first came to light, third-party authentication is still a security nightmare for Twitter. By gaining access to apps with third-party write access, OurMine has been able to post to the Twitter accounts of tech bigwigs like Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Uber CEO Travis Kalanick. In other words, whichever write-authorized app connected to your Twitter is least secure is exactly how secure your Twitter account is. [...] The public nature of Twitter, whose main point is to share information as quickly and widely as possible, has made these attacks a much bigger issue for Jack Dorsey's company than they are for Facebook. And there's very little Twitter can do to solve the problem that doesn't defeat the incentives for third-party writing privileges in the first place: Speed and functionality. Adding layers of security -- like an extra login -- to access Twitter through a third-party app defeats the purpose of speedy cross-platform sharing. And disabling third-party writing would anger developers and hurt engagement, a cost Twitter probably isn't willing to bear.

61 comments

Min score:

Reason:

Sort:

Can't Protect People From Their Own Stipidity by Anonymous Coward · 2016-07-01 02:03 · Score: 0

And it only gets worse the further up you go. Those who can't do get promoted.
1. Re:Can't Protect People From Their Own Stipidity by Anonymous Coward · 2016-07-01 02:16 · Score: 0
  
  Stipidity
  Or their own typing
2. Re:Can't Protect People From Their Own Stipidity by smooth+wombat · 2016-07-01 04:30 · Score: 1
  
  Those who can't do get promoted.
  
  Apparently neither can those who claim they can do.
  
  Which leads to the question, is it better to overpay someone who can't do but at least they're out of the way and not screwing up things, or to overpay someone who claims to be a doer yet continually screws up?
  
  From the near daily reports of developers who leave these gaping holes in software, then try to blame someone else for the problem, it seems the answer is clear.
  
  --
  We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
3. Re:Can't Protect People From Their Own Stipidity by Anonymous+Cow+Ward · 2016-07-01 06:15 · Score: 1
  
  Stipidity indeed.
  
  --
  Examine even your most deeply held beliefs. Nobody is always right.
Why not create an invisible VIP-account class by codemaster2b · 2016-07-01 02:04 · Score: 5, Interesting

While you can't fix the general weakness of the platform, there's nothing stopping Twitter from slapping on a "VIP" mark on special accounts, which will make any attempt to change passwords, etc, take extra steps and authentications.

--
And over there we have the labyrinth guards. One always lies, one always tells the truth, and one stabs people who ask t
1. Re:Why not create an invisible VIP-account class by Anonymous Coward · 2016-07-01 02:30 · Score: 0
  
  While you can't fix the general weakness of the platform, there's nothing stopping Twitter from slapping on a "VIP" mark on special accounts, which will make any attempt to change passwords, etc, take extra steps and authentications.
  *Extra* steps for VIPs, such as CEOs?
  You're new to IT, aren't you?
2. Re:Why not create an invisible VIP-account class by houghi · 2016-07-01 02:53 · Score: 1
  
  If that where possible, why would you not do that for all the others?
  
  --
  Don't fight for your country, if your country does not fight for you.
3. Re:Why not create an invisible VIP-account class by Anonymous Coward · 2016-07-01 03:05 · Score: 0
  
  disabling third-party writing would anger developers and hurt engagement
  In other words, Twitter can easily and quickly fix the problem but they don't want to because . . . . inconvenience
  Once again, convenience trumps security.
4. Re:Why not create an invisible VIP-account class by mlts · 2016-07-01 03:13 · Score: 1
  
  Maybe an option to turn all additional API stuff off, except for the web page? Facebook allows people to disable the third party app API platform.
5. Re:Why not create an invisible VIP-account class by EvilSS · 2016-07-01 03:47 · Score: 2
  
  While you can't fix the general weakness of the platform, there's nothing stopping Twitter from slapping on a "VIP" mark on special accounts, which will make any attempt to change passwords, etc, take extra steps and authentications.
  That would have made no difference here however, since it wasn't Twitter but another application connected to Twitter that was compromised. They used the compromised application, which had been granted read/write access to their Twitter accounts by the account holders, to post tweets to their Twitter feeds.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
6. Re:Why not create an invisible VIP-account class by Anonymous Coward · 2016-07-01 04:04 · Score: 0
  
  Zuckerberg could be "peasant", Kalanick could have a "gentry" account, and Pichai would be flagged as "royalty". You and me would have to make do with "serf" status. Is that what you had in mind?
7. Re:Why not create an invisible VIP-account class by tepples · 2016-07-01 04:41 · Score: 1
  
  Could Twitter periodically ask users to revoke write privileges of apps with read/write access that haven't used a write call in 30 days?
8. Re:Why not create an invisible VIP-account class by Rakarra · 2016-07-01 04:53 · Score: 2
  
  Once again, convenience trumps security.
  There is a lot of power to convenience. It's the user experience, which is what the application is most supposed to facilitate.
  An application that is totally secure and totally inconvenient is not very useful for the average person.
9. Re:Why not create an invisible VIP-account class by nitehawk214 · 2016-07-01 05:01 · Score: 0
  
  Because you plebs don't deserve security. If someone hacks your account, posts as you, and tries to ruin your life... Twitter and social media companies simply do not care.
  
  --
  I'm a good cook. I'm a fantastic eater. - Steven Brust
10. Re: Why not create an invisible VIP-account class by Anonymous Coward · 2016-07-01 07:41 · Score: 0
  
  How is 2FA inconvenient. I don't understand, download the duo(or any other) app and link it. Easy pEezy. GG boys.
Do any normal people use Twitter? by Anonymous Coward · 2016-07-01 02:06 · Score: -1, Troll

Do any average or normal people actually use Twitter? I'm talking about the people you see out and about on any given day.
Now maybe I'm wrong, but as I understand it there are three main groups of people who use Twitter on an ongoing basis:
1. Marketers (including tech company execs promoting their companies)
2. Extreme leftists (including ISIS)
3. Hackers (trying to exploit the above two groups)
None of these are considered "normal" or "average" people, and they're actually quite small groups in term of size.
Does Twitter have any relevance to the majority of people?
1. Re:Do any normal people use Twitter? by Anonymous Coward · 2016-07-01 02:38 · Score: 0
  
  Only apps twitter apps appy apps! Twitter is for cows! Twits say MOO!
  
  Now, what was your question again? Oh, some drivel about leftists using twitter? So, the marketers is spot on, the hackers is spot on. The rest - leftists -shows ignorance. The other group is the media. All sorts of media. Self promoters, people trying to find the news so they can "report" on it. Etc.
  
  Now back to our regularly scheduled program. A HOSTS file can protect you from twitter and apps and cows!
  
  -APK
2. Re:Do any normal people use Twitter? by Anonymous Coward · 2016-07-01 02:40 · Score: 0
  
  You seem very confused. Why would you call ISIS leftists, when they're toxic religious fanatics with a fascist agenda - much like our own right-wing lunatics, and why didn't you mention the right-wing simpletons who spew hate all day using tags like #REDNATIONRISING, #TGDN, and #TCOT. It seems like every Conservative who has gone insane from propaganda is constantly announcing how far gone they are on Twitter, and how much they hate anyone outside their hoax-media-driven cult.
  
  I suspect that you're one of the right-wing crazies.
3. Re:Do any normal people use Twitter? by Anonymous Coward · 2016-07-01 02:49 · Score: 0
  
  Why did you prefix some of your words with a #?
4. Re:Do any normal people use Twitter? by MobileTatsu-NJG · 2016-07-01 03:59 · Score: 2
  
  This troll was pretty weak, I doubt someone with a mod-point fell for it. Sockpuppet account.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
5. Re: Do any normal people use Twitter? by Anonymous Coward · 2016-07-01 04:15 · Score: 0
  
  To a right winger everything bad is 'leftist'. I know multiple idiots who think Hitler was a leftist despite his corporation worshipping, union busting, executing, you know, leftists, and also of course declaring war on the Soviet Union which by the was just a thuggish dictatorship but at least nominally leftist. But none of that matters. To them, Hitler bad and bad equals leftist no matter the actual ideaology.
  It's kind of like how they decry somewhat paranoid tactics on the part of actual left leaning national rulers while ignoring the absolute proven fact that anybody even the least anti crony capitalist and especially God forbid, nationalist, is attacked economically and otherwise by the US and our henchmen who work to undermine, sanction, assassinate, whatever it takes. They never notice the US always props up right wing murderous dictators without regard for the wishes or even the needs of the people in the countries we meddle with. The only qualification to being a US ally is the willingness to surrender your nation's sovereignty and resources to multinational corporations, and the willingness to use whatever means necessary to quell dissent when your people decide they don't like that behavior.
6. Re:Do any normal people use Twitter? by retroworks · 2016-07-01 04:34 · Score: 2
  
  Yes. Twitter is an excellent networking tool. The best way to use it is through the "search" box at the top right. Just now I typed in "Utah 3d Printer" https://twitter.com/search?q=U... and found stories about a Utah surgery and find https://3dprint.com/139265/bea... a story about use of 3d printers to use CAT scans to print a copy of her kidney, revealing the hidden tumor. If I was in Utah and involved in 3d printing, I'd now have a list of users who "tweeted" the story and some of them might likely become part of a useful network. I have actual examples as well where it has been of tremendous usefulness to me.
  I see you aren't making much use of your @AnonymousCoward handle. For sure, there are many people on Twitter who don't know how to make most effective use of it... perhaps proportional to the internet community at large.
  
  --
  Gently reply
7. Re:Do any normal people use Twitter? by Rakarra · 2016-07-01 04:55 · Score: 1
  
  Lol. ISIS is "left wing."
8. Re:Do any normal people use Twitter? by Anonymous Coward · 2016-07-01 05:09 · Score: 0
  
  He said 'normal people' not 'people involved in 3d printing'
9. Re:Do any normal people use Twitter? by Sir_Eptishous · 2016-07-01 05:38 · Score: 1
  
  1. Marketers (including tech company execs promoting their companies)
  2. Extreme leftists (including ISIS)
  3. Hackers (trying to exploit the above two groups)
  4. LUDDITES
  
  --
  We play the game with the bravery of being out of range
10. Re:Do any normal people use Twitter? by Sir_Eptishous · 2016-07-01 05:40 · Score: 2
  
  Thats the thing no one gets.
  They've been fighting all this time for universal health care, pre-K school for low income families and a clean water/air.
  
  --
  We play the game with the bravery of being out of range
11. Re:Do any normal people use Twitter? by Anonymous Coward · 2016-07-01 05:52 · Score: 0
  
  That's changing. I'm generally an early adopter, and haven't gotten into 3D printing because I have no real use for it, but you know it's headed for the mainstream when Mattel is going to sell a 3D printer for kids.
  
  http://www.thingmaker.com/printer/
12. Re:Do any normal people use Twitter? by Anonymous Coward · 2016-07-01 05:59 · Score: 0
  
  That claim isn't really surprising if you realize that the Conservative alternate-reality crowd actually believes that Hitler was a "leftist," and sees science as a "leftist conspiracy" to undermine religion.
  
  A whole subculture has gone insane from a hate-driven, exclusionary variant of Christianity, and propaganda from kook blogs, hate-radio, and Fox. They now believe that anyone outside their media-driven cult is out to get them, and reject all accurate information because it threatens a worldview where ignorant Conservatives are noble warriors against the tricksy leftists. Their delusions would be a private matter, but they vote for imbeciles like Louie Gohmert, and Trump, so they put us all in danger.
13. Re: Do any normal people use Twitter? by kaatochacha · 2016-07-01 06:30 · Score: 1
  
  IF you go far enough left and far enough right, the two circle around, meet, and become surprisingly similar.
14. Re: Do any normal people use Twitter? by Anonymous Coward · 2016-07-01 07:43 · Score: 0
  
  Venn diagram?
15. Re:Do any normal people use Twitter? by Anonymous Coward · 2016-07-01 09:03 · Score: 0
  
  A HOSTS file can protect you from twitter and apps and cows!
  But not niggers.
16. Re: Do any normal people use Twitter? by knorthern+knight · 2016-07-02 07:06 · Score: 1
  
  > To a right winger everything bad is 'leftist'. I know multiple idiots who think
  > Hitler was a leftist despite his corporation worshipping, union busting, executing,
  > you know, leftists, and also of course declaring war on the Soviet Union which by the
  > was just a thuggish dictatorship but at least nominally leftist. But none of that
  > matters. To them, Hitler bad and bad equals leftist no matter the actual ideaology.
  Hitler was the leader of the NSDAP. The full name was "Nationalsozialistische Deutsche Arbeiterpartei" https://en.wikipedia.org/wiki/..., i.e. "National Socialist German Workers Party". Part of Hitler's election campaign consisted of nationalizing banks, etc. Since the party's name was rather long for lazy English speakers, it was abreviated to the first 2 syllables of the German name, pronounced like "nat-zi".
  
  --
  
  I'm not repeating myself
  I'm an X window user; I'm an ex-Windows user
cuz teh haxxy haxx0rz dey b haxxin!!1! by Anonymous Coward · 2016-07-01 02:07 · Score: 0

rilly guise, u r needin an artikal 4 dat?
Source code audit 3rd parties! by Anonymous Coward · 2016-07-01 02:11 · Score: 0

Require third parties to be audited (by automation of SCA) before allowing usage.
Provide better secure by default libraries for them to reuse.
Well, going by the name, it is for TWITS by Anonymous Coward · 2016-07-01 02:19 · Score: 0

so what would you expect?
Apps! by Anonymous Coward · 2016-07-01 02:26 · Score: 0

Came for the Apps! meme, and was sadly disappointed.
1. Re:Apps! by Anonymous Coward · 2016-07-01 03:17 · Score: 0
  
  These are simply apps apping other apps so you can app apps while apping apps! Nothing wrong with that, unless you're a LUDDITE who is too stupid to app an app and can only use LUDDITE software!
  Apps!
2. Re:Apps! by Sir_Eptishous · 2016-07-01 05:42 · Score: 1
  
  Thats because that Apps meme isn't the "regular" Apps meme guy who does it.
  /. should just hire him to do a full time Apps meme thread.
  
  It would be more entertaining than most of the useless banter on here...
  
  --
  We play the game with the bravery of being out of range
3. Re:Apps! by Anonymous Coward · 2016-07-01 06:02 · Score: 0
  
  Bravo!
The question is by The-Ixian · 2016-07-01 02:30 · Score: 2

Do people expect that CEOs have some magical power or distinction that make them somehow less vulnerable to hacks?
I would expect that, because of celebrity status, they would be hacked more than other people, not less.

--
My eyes reflect the stars and a smile lights up my face.
1. Re:The question is by Anonymous Coward · 2016-07-01 03:25 · Score: 0
  
  Do people expect that CEOs have some magical power or distinction that make them somehow less vulnerable to hacks?
  Yes.
  Next question.
2. Re:The question is by Anonymous Coward · 2016-07-01 06:22 · Score: 0
  
  People assume that those high in power, wealth, and status have merits higher than the general population and thus accomplish superior things like better security.
  They are wrong.
  Doesn't help matters that CEOs trumpet that myth every waking moment they can.
There is a verified account badge by tepples · 2016-07-01 02:45 · Score: 2

Twitter already has a VIP badge, currently displayed as a white checkmark on a blue eight-lobed shape. Occasionally the loss of this badge
What you recommend amounts to requiring all verified accounts to use 2-factor authentication. But that'll be impractical until Twitter starts allowing second factors other than SMS, such as TOTP (e.g. Google Authenticator) or a U2F key. As of the last time I checked, a single phone line could be associated with only one account. Trying to use a single phone line as the second factor for both your personal account and the business account that you manage produces an error message: "The phone number you gave us [...] is currently used by another Twitter account. Only one account can be used with a mobile phone at a time."
Has this changed?
I expect its something like this by swb · 2016-07-01 02:57 · Score: 3, Insightful

PR Manager: CEO Bob needs a twitter account. Can you set that up for him?
PR Intern: You got it. OK, here's the account and password.
CEO Bob: Hey, I need to get the twitter account on my phone and tablet.
PR Manager: OK, we can add them.
PR Intern: We need to change the password on CEO Bob's twitter account.
PR Manager: We can't, he's in Davos/Aspen/St. Bart's and he won't know how to log back in.
Hacked CEO Bob on Twitter: I suck! My company is a fraud!
Hashtags explained by tepples · 2016-07-01 03:14 · Score: 0

Why did you prefix some of your words with a #?
On Twitter, a word beginning with # is a hashtag. A hashtag is displayed as a link to a page of search results for other recent Tweets containing the same hashtag. Users use hashtags to group Tweets by subject.
Then revoke all the apps you don't use by tepples · 2016-07-01 03:16 · Score: 2

Maybe an option to turn all additional API stuff off, except for the web page?
To revoke the access of a third-party application, open the Apps pane of your account settings.
Client side SSL certificates? by Anonymous Coward · 2016-07-01 03:41 · Score: 0

Why aren't we using more client side SSL certificates, these could be issued by Twitter or something for their purposes. Why are passwords still being used?
Why are passwords being stored unencrypted still?
What is wrong with all of the stupid people who write shitty code like this?
1. Re:Client side SSL certificates? by dgatwood · 2016-07-01 05:53 · Score: 2
  
  Why aren't we using more client side SSL certificates, these could be issued by Twitter or something for their purposes. Why are passwords still being used?
  It wouldn't matter whether a third party had access to a password or a client cert; they'd still have access to the account. Passwords are only bad because of keyloggers and guessability. When neither of those two is involved in the hack, there's no benefit to using certs.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
How to not "get hacked" on Twitter, 3 easy steps by Cajun+Hell · 2016-07-01 03:54 · Score: 3, Insightful

1) Think about why you post to Twitter. (Are you reaching anyone? If there actually is someone, is this the only way you can reach them? Is this an easy or convenient way to communicate? Does it help you express your ideas?)
2) Draw a total blank. Stare into space a while. Make sure. (Hmm.. nope, still nothing.)
3) Delete account.
Twitter is one of the dumbest and least-useful ideas ever. Even Facebook is a good idea, a model of interactivity and convenient expression and dialog, compared to Twitter.

--
"Believe me!" -- Donald Trump
"A little more equal" by hyades1 · 2016-07-01 04:10 · Score: 3, Insightful

There's an in-built assumption here that goes to the heart of the whole privacy debate: that people like Zuckerberg and Pichai deserve a higher standard of protection than the rest of us from having their private information accessed by people who may not have their best interests at heart.

--
I've calculated my velocity with such exquisite precision that I have no idea where I am.
1. Re:"A little more equal" by Anonymous Coward · 2016-07-01 07:54 · Score: 0
  
  There's an in-built assumption here that goes to the heart of the whole privacy debate: that people like Zuckerberg and Pichai deserve a higher standard of protection than the rest of us from having their private information accessed by people who may not have their best interests at heart.
  The more power you have, whether it's financial, political or any other sort, the less privacy you should have. If you can't justify your decisions and choices, including any mistakes you've made, then you shouldn't have the power in the first place.
2. Re:"A little more equal" by hyades1 · 2016-07-01 17:30 · Score: 1
  
  That's a very interesting thought. It's one of the more interesting ways I've heard to hold people with power to account.
  
  --
  I've calculated my velocity with such exquisite precision that I have no idea where I am.
Including high-profile names? by fahrbot-bot · 2016-07-01 04:19 · Score: 3, Insightful

Over the past few weeks, we have seen a number of CEOs -- including Google's Sundar Pichai, and Facebook's Mark Zuckerberg -- become victims of Twitter hacks. One must ask, what's wrong with Twitter that so many people -- including high-profile names -- keep getting hacked?

What does a person's status have anything to do with the ability for his/her Twitter account getting hacked? Passwords and/or protocols are either weak or not and don't play favorites based on a person's status.

--
It must have been something you assimilated. . . .
Stupid Security by Anonymous Coward · 2016-07-01 04:26 · Score: 0

Nobody builds a bank vault with a wooden back door.
This particular bank vault has a wooden back door and several broken windows.
Client certs are a usability nightmare by tepples · 2016-07-01 05:39 · Score: 2

Probably because the present user interface for managing client certificates stored on a machine is horrible. See BrowserAuth.net's writeup and my writeup, which suggests a couple fixes.
Re:How to not "get hacked" on Twitter, 3 easy step by Anonymous Coward · 2016-07-01 06:03 · Score: 2, Funny

Young adults (and kids) are using twitter a lot more than over-40s. This isn't because the older generation is falling behind on the tech curve. This is because twitter is fucking stupid, and the kids haven't figured that out yet
Twitter is mostly just a hate machine by Anonymous Coward · 2016-07-01 06:18 · Score: 0

If you're a professional celebrity (i.e. a person famous simply for being famous, and not for any other quality or achievement) it makes sense to have a constant feed of babble to your devotees. You have to stay in the spotlight and not let it wander off to people with actual talents or skills.
For anyone else, why would you want to interact with a functionally impoverished, insecure communication medium that is optimized for propagating hate speech?
When all else fails.. by Anonymous Coward · 2016-07-01 07:19 · Score: 0

Drop the service until the host takes a big enough hit on the user base to force them to make it a higher priority to fix the problem. Granted I know for some this not much of an option, however, if something is broken it can be fixed. It's all a matter of urgency. This is one of the reasons why I dumped my twitter accounts until something changes.
Obvious question by RockDoctor · 2016-07-01 09:45 · Score: 1

... well, obvious to me, anyway.

In other words, whichever write-authorized app connected to your Twitter is least secure is exactly how secure your Twitter account is.
So, does anyone keep a list of Twitter-connected apps (there is something other than logging on through the website?), and their relative security strengths?

--
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Incentives by CanadianMacFan · 2016-07-01 10:42 · Score: 1

Exactly what are the incentives for some of these CEOs to prevent their accounts from being hacked? How does it look bad if the CEO of Facebook or Google if their Twitter account is hacked? They can just point out that it wasn't their company's platform being breached.
Re:How to not "get hacked" on Twitter, 3 easy step by ultranova · 2016-07-01 22:01 · Score: 1

Does it help you express your ideas?

Twitter isn't for expressing ideas, Twitter is for posting news, some of general interest, some not. Twitter's popular for that precisely because it's not possible to post long rants there, and because condensed stupidity tends to at least be quotable.
Twitter is a "sensory stream", not thought stream.

--
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.