Why Twitter Can't Even Protect Tech CEOs From Getting Hacked (buzzfeed.com)
Over the past few weeks, we have seen a number of CEOs -- including Google's Sundar Pichai, and Facebook's Mark Zuckerberg -- become victims of Twitter hacks. One must ask, what's wrong with Twitter that so many people -- including high-profile names -- keep getting hacked? BuzzFeed dives deep into the problem, and says it's how Twitter interacts with third-party apps that's at fault. From the article: Over the past several weeks, however, a three-person hacking team called OurMine has made clear that years after the problem first came to light, third-party authentication is still a security nightmare for Twitter. By gaining access to apps with third-party write access, OurMine has been able to post to the Twitter accounts of tech bigwigs like Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Uber CEO Travis Kalanick. In other words, whichever write-authorized app connected to your Twitter is least secure is exactly how secure your Twitter account is. [...] The public nature of Twitter, whose main point is to share information as quickly and widely as possible, has made these attacks a much bigger issue for Jack Dorsey's company than they are for Facebook. And there's very little Twitter can do to solve the problem that doesn't defeat the incentives for third-party writing privileges in the first place: Speed and functionality. Adding layers of security -- like an extra login -- to access Twitter through a third-party app defeats the purpose of speedy cross-platform sharing. And disabling third-party writing would anger developers and hurt engagement, a cost Twitter probably isn't willing to bear.
While you can't fix the general weakness of the platform, there's nothing stopping Twitter from slapping on a "VIP" mark on special accounts, which will make any attempt to change passwords, etc, take extra steps and authentications.
And over there we have the labyrinth guards. One always lies, one always tells the truth, and one stabs people who ask t
Do people expect that CEOs have some magical power or distinction that make them somehow less vulnerable to hacks?
I would expect that, because of celebrity status, they would be hacked more than other people, not less.
My eyes reflect the stars and a smile lights up my face.
Twitter already has a VIP badge, currently displayed as a white checkmark on a blue eight-lobed shape. Occasionally the loss of this badge
What you recommend amounts to requiring all verified accounts to use 2-factor authentication. But that'll be impractical until Twitter starts allowing second factors other than SMS, such as TOTP (e.g. Google Authenticator) or a U2F key. As of the last time I checked, a single phone line could be associated with only one account. Trying to use a single phone line as the second factor for both your personal account and the business account that you manage produces an error message: "The phone number you gave us [...] is currently used by another Twitter account. Only one account can be used with a mobile phone at a time."
Has this changed?
PR Manager: CEO Bob needs a twitter account. Can you set that up for him?
PR Intern: You got it. OK, here's the account and password.
CEO Bob: Hey, I need to get the twitter account on my phone and tablet.
PR Manager: OK, we can add them.
PR Intern: We need to change the password on CEO Bob's twitter account.
PR Manager: We can't, he's in Davos/Aspen/St. Bart's and he won't know how to log back in.
Hacked CEO Bob on Twitter: I suck! My company is a fraud!
Maybe an option to turn all additional API stuff off, except for the web page?
To revoke the access of a third-party application, open the Apps pane of your account settings.
1) Think about why you post to Twitter. (Are you reaching anyone? If there actually is someone, is this the only way you can reach them? Is this an easy or convenient way to communicate? Does it help you express your ideas?)
2) Draw a total blank. Stare into space a while. Make sure. (Hmm.. nope, still nothing.)
3) Delete account.
Twitter is one of the dumbest and least-useful ideas ever. Even Facebook is a good idea, a model of interactivity and convenient expression and dialog, compared to Twitter.
"Believe me!" -- Donald Trump
This troll was pretty weak, I doubt someone with a mod-point fell for it. Sockpuppet account.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
There's an in-built assumption here that goes to the heart of the whole privacy debate: that people like Zuckerberg and Pichai deserve a higher standard of protection than the rest of us from having their private information accessed by people who may not have their best interests at heart.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Over the past few weeks, we have seen a number of CEOs -- including Google's Sundar Pichai, and Facebook's Mark Zuckerberg -- become victims of Twitter hacks. One must ask, what's wrong with Twitter that so many people -- including high-profile names -- keep getting hacked?
What does a person's status have to do with the ability of his/her Twitter account to get hacked? Passwords and/or protocols are either weak or not and don't play favorites based on a person's status.
It must have been something you assimilated. . . .
Yes. Twitter is an excellent networking tool. The best way to use it is through the "search" box at the top right. Just now I typed in "Utah 3d Printer" https://twitter.com/search?q=U... and found stories about a Utah surgery and find https://3dprint.com/139265/bea... a story about use of 3d printers to use CAT scans to print a copy of her kidney, revealing the hidden tumor. If I was in Utah and involved in 3d printing, I'd now have a list of users who "tweeted" the story and some of them might likely become part of a useful network. I have actual examples as well where it has been of tremendous usefulness to me.
I see you aren't making much use of your @AnonymousCoward handle. For sure, there are many people on Twitter who don't know how to make most effective use of it... perhaps proportional to the internet community at large.
Gently reply
Probably because the present user interface for managing client certificates stored on a machine is horrible. See BrowserAuth.net's writeup and my writeup, which suggests a couple fixes.
That's the thing no one gets.
They've been fighting all this time for universal health care, pre-K school for low income families and a clean water/air.
We play the game with the bravery of being out of range
It wouldn't matter whether a third party had access to a password or a client cert; they'd still have access to the account. Passwords are only bad because of keyloggers and guessability. When neither of those two is involved in the hack, there's no benefit to using certs.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Young adults (and kids) are using twitter a lot more than over-40s. This isn't because the older generation is falling behind on the tech curve. This is because twitter is fucking stupid, and the kids haven't figured that out yet