Major Security Flaw Exposes Twitter Accounts


Twitter has acknowledged that a bug in its code allowed for malicious actors to link accounts with email addresses registered to them, possibly disclosing the identity of their users.

The company late last week revealed the flaw and apologized for the inconvenience stating the issue was remedied immediately.

The vulnerability lay in Twitter’s handling of unsuccessful log-in attempts, and it was exploited. When someone attempted to log in with an email address or phone number and entered an incorrect password, Twitter would do one of two things:

  • Inform the user that they entered the wrong password
  • Display the Twitter account linked to the specified email or phone number (if one existed)

This meant that users of pseudonymous accounts might have had their identities revealed.
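The login behaviour described above, modelled as an added example (not code from the original post or from Twitter): a tiny login service whose wrong-password response reveals the account behind an email or phone number, next to a hardened version that answers identically whether or not the identifier is known, plus the check a defender can run against their own endpoint to detect such an oracle. User data, handles and passwords are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample data for the demo; not real accounts.
_SALT = b"constructed-demo-salt"


def _hash(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2) so a wrong guess costs the same whether or not the user exists."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# identifier (email or phone) -> (handle, password hash)
_USERS = {
    "alice@example.com": ("@alice_real_name", _hash("correct horse", _SALT)),
    "+15550100": ("@whistleblower42", _hash("battery staple", _SALT)),
}
# Verified when the identifier is unknown, so the unknown path does the same work as the known one.
_DUMMY_HASH = _hash("placeholder", _SALT)


def login_vulnerable(identifier: str, password: str) -> str:
    """Pre-fix behaviour as the post describes it: a wrong password for a known
    email/phone discloses which Twitter handle it belongs to."""
    rec = _USERS.get(identifier)
    if rec is None:
        return "Incorrect password."
    handle, digest = rec
    if hmac.compare_digest(digest, _hash(password, _SALT)):
        return f"Logged in as {handle}"
    return f"Incorrect password for {handle}."


def login_hardened(identifier: str, password: str) -> str:
    """Unknown identifier and wrong password produce the same message and the same
    amount of work; the handle appears only after a successful authentication."""
    rec = _USERS.get(identifier)
    handle, digest = rec if rec is not None else (None, _DUMMY_HASH)
    match = hmac.compare_digest(digest, _hash(password, _SALT))  # always computed
    if match and rec is not None:
        return f"Logged in as {handle}"
    return "Incorrect username or password."


def leaks_account_existence(login, identifiers, bad_password: str = "definitely-wrong") -> bool:
    """Defender-side check: submit one wrong password for every identifier.
    If the responses differ between identifiers, the endpoint is an identity oracle."""
    responses = {login(ident, bad_password) for ident in identifiers}
    return len(responses) > 1
```

Run `leaks_account_existence` against your own login handler with a mix of registered and unregistered identifiers; the hardened form must return False.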

In this post, we will discuss what exactly happened with Twitter and how you can protect yourself from cyber-criminals.

Also, check out our blog from last week, where we talk about malware hitting millions of Android users and the Top 5 Apps You Need to Uninstall Right Now.


What Happened?

Thousands of apps are exposing their Twitter API keys, giving attackers the ability to take full control of the linked accounts and use them for identity theft or other forms of online fraud.

The information was discovered by cybersecurity experts CloudSEK, who found 3,207 mobile apps leaking both legitimate Consumer Keys and Consumer Secrets for the Twitter API.

Numerous mobile applications integrate with Twitter so that they can carry out specific tasks on behalf of their users. The integration is authenticated with a Consumer Key and Consumer Secret issued for the Twitter API. By leaking these credentials, the apps may enable threat actors to post tweets, read and write direct messages, or perform similar actions on behalf of the affected accounts.

A threat actor could theoretically gather an “army” of Twitter accounts and use them to tweet, retweet, send direct messages, and otherwise spread a fraud or malware campaign.


Millions of Downloads

According to the researchers, the affected apps include radio tuners, e-banking, city transportation, and similar categories, each with between 50,000 and 5 million downloads.

In other words, there’s a good chance that millions of Twitter accounts are in danger as we speak.

All app owners and developers have been informed, but the majority have done nothing to fix the problem, nor have they publicly acknowledged that they were notified of the issue. According to reports, Ford Motors was one of the businesses that quickly addressed the error in its Ford Events app.

The list of affected apps won’t be made public until the remaining apps have addressed their problems.

Researchers also noted that mistakes made during app development frequently lead to API key leaks: developers occasionally forget to remove the authentication keys they embedded in the app while integrating with the Twitter API.

To stop these leaks, Protected Harbor advises developers to rotate their API keys, which eventually invalidates any key that has been exposed.


Final Words

In today’s technological landscape, you must take the proper steps to protect yourself and your family. Keep track of the latest scams and what you can do to keep yourself safe from cyber-criminals. If you feel you have been the victim of a scam, report it immediately.

Experts from Protected Harbor recommend that you:

  • Stay informed about the latest threats and vulnerabilities and keep your software up to date.
  • Don’t click on links from suspicious emails.
  • Don’t download apps from untrusted websites.
  • Change your passwords regularly.
  • Use a VPN when using public Wi-Fi.
  • Uninstall any and all harmful apps immediately.
  • Think before you allow any app permission or access to your files.
  • Enable 2FA (2-Factor Authentication).
  • Use trusted anti-virus software.

Stay vigilant, keep your privacy settings high, and you can keep your accounts secure.

We are giving away a free IT Audit for a limited time, contact us today for one. Stay updated with the latest news with our blogs and other resources, and keep a keen eye on your social media accounts. Stay Safe!

How did Twitter get hacked?

On July 15th, many Twitter accounts were compromised. How did this happen to a company like Twitter?

‘This was the worst social media hack ever to happen in history’

The security implications of the hack are also wide-reaching, not just for Twitter but for other social platforms.

Early suggestions were that the hackers managed to obtain administrative privileges, which allowed them to bypass the passwords of any account they wanted.

Twitter appeared to confirm this in a tweet saying: “We detected what we believe to be a co-ordinated social-engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

As we generate more content online, we create a larger digital footprint. These attackers simply contacted Twitter and asked for the names of key personnel: the head of customer service, the CIO, etc. Once the attackers knew the identity of key individuals, they researched their web pages, Facebook links, LinkedIn profiles, etc.

The attackers were able to gain enough information from those pages to be able to correctly answer Twitter’s support questions and gain access to those accounts.

Once the attackers had access to an admin account, they could reset end-user accounts and then log in as those users. It was that easy.

Some questions that should be asked: What would have helped prevent this disaster? Are your systems vulnerable to a similar attack? How can your systems be protected?

2FA, or two-factor authentication, would have stopped this attack. With 2FA, a mobile device is registered to the account, and login is not possible until a code from that device is entered.

At Protected Harbor we support 2FA for all systems, allowing our customers to be safe, secure, and protected, as in Protected Harbor.