I agree with you. If my account is secured with a password that (presumably) is stored and encrypted in a manner where only I know the password and I have 2fa to further protect my account but even one person could possibly perform actions with my account without possessing these, is it really secure? No, it is not.
The fact that this was even possible shows that in no way did Twitter take securing their application seriously.
Where is told that they can direct gain access to a account? I haven't seen the news recently but I think that the delete of the post is something that can be mande by the moderators.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.
Additionally,
We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.
Based on this, they either have internal tools that allow their employees direct access to individual accounts without the need to authenticate with the account credentials or lax security protocols in place that allow an employee to hijack an account credential reset without the owner having any knowledge (which is just as bad, if not worse).
Thanks, I haven't read that yet. This is really concerning, I don't know why a employee has permission to get control in a user account. It's good that is a social media, but if this is a enterprise website...
Agreed. I think that's the ultimate lesson learned from this attack. The weakest link in your security is always the human; do not allow the tools you create to exploit this weakness any more than is necessary.
It'll be interesting to see how this plays out for them over the next few days/weeks.
So the lesson (or one of the lessons) is that their internal tools and their internal employees had way too many and powerful permissions granted to them. Oh and (I saw this mentioned somewhere else) an internal employee doing something security/privacy sensitive should not be allowed to perform that task alone, there should always be someone else looking over their shoulder (4 eyes principle).
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
I agree with you. If my account is secured with a password that (presumably) is stored and encrypted in a manner where only I know the password and I have 2fa to further protect my account but even one person could possibly perform actions with my account without possessing these, is it really secure? No, it is not.
The fact that this was even possible shows that in no way did Twitter take securing their application seriously.
Where is told that they can direct gain access to a account? I haven't seen the news recently but I think that the delete of the post is something that can be mande by the moderators.
Twitter said this directly in their posts following up from the ongoing investigation.
twitter.com/TwitterSupport/status/...
Additionally,
Based on this, they either have internal tools that allow their employees direct access to individual accounts without the need to authenticate with the account credentials or lax security protocols in place that allow an employee to hijack an account credential reset without the owner having any knowledge (which is just as bad, if not worse).
Thanks, I haven't read that yet. This is really concerning, I don't know why a employee has permission to get control in a user account. It's good that is a social media, but if this is a enterprise website...
Agreed. I think that's the ultimate lesson learned from this attack. The weakest link in your security is always the human; do not allow the tools you create to exploit this weakness any more than is necessary.
It'll be interesting to see how this plays out for them over the next few days/weeks.
So the lesson (or one of the lessons) is that their internal tools and their internal employees had way too many and powerful permissions granted to them. Oh and (I saw this mentioned somewhere else) an internal employee doing something security/privacy sensitive should not be allowed to perform that task alone, there should always be someone else looking over their shoulder (4 eyes principle).