Political tensions between Turkey and the Netherlands spilled over onto Twitter earlier today as a number of high-profile accounts were hacked, apparently through the third-party app Twitter Counter. IT security experts from Proofpoint, Positive Technologies , NuData Security, DomainTools, Tripwire, AlienVault and ESET commented below.
Dan Nadir, Vice President Digital Risk Products at Proofpoint:
“Today’s widespread Twitter compromises shine a light on the complexity of securing third-party apps attached to corporate and personal social media accounts. For example, not only do busy media accounts have multiple dozens of admins on both Twitter accounts and Facebook pages, they also connect and authorize multiple other applications to create, publish, and communicate content choosing from an ecosystem of more than 20,000 unique apps. In fact, across the multiple thousands of Twitter accounts and Facebook pages that Proofpoint protects for its media and large brand customers, there are an average of 10 unique apps used on Twitter and six on Facebook used to create content and communicate content. Busy media companies can have as many as 35 different apps authorized on a single Twitter account. Our recommendation is that social media account holders complete an immediate assessment of all third-party apps attached to their accounts.
The complexity and the high rate of activity on those corporate accounts makes it difficult to find a compromise until it is too late. Outside of just the content being posted, we see up to 50 changes a day around apps authorized, admins added, descriptions and pictures changed on busy media and brand accounts. Once a compromise happens, the initial embarrassing content posted is the most visible item, but it is really just the beginning of the pain. A busy Twitter account can send up to 400,000 direct, private messages to followers and other admins per month. Once compromised, the organization has to assess if other admins and even customers have been compromised In addition, they need to determine if those credentials are the same credentials used for other enterprise applications and access.”
Alex Mathews, Lead Security Evangelist at Positive Technologies:
“This Twitter hack was possible because of third party service Twitter Counter, and this is not the first case when third party apps are used to steal access to social network accounts. Users should understand that those multiple apps asking for their social network access are not controlled by the social networks. And these third party apps themselves don’t guarantee security: many of them are created by small startups.
“Thus, in most cases, connecting your Twitter or Facebook account to such services is like to give your passport to a perfect stranger. Social network users have to control these apps by their own. You’d better not connect your account to new services from untrusted sources, and disconnect them when you don’t really need them.”
Robert Capps, VP of Business Development at NuData Security:
“Hacking the personal Twitter accounts of celebrities and brands for geopolitical advantage is a disturbing twist and escalation in cyber warfare. This hack appears to be coming from a zero-day vulnerability in a third-party app called Twitter Counter. Aside from the political message in this attack, we should be concerned about it because hacking Twitter accounts is akin to making a puppet out of the celebrity or affected brand. In the long term, I doubt these brands will experience much lasting harm if the situation is remedied quickly, but in the short term, the coverage that these attackers obtained by the hack is considerable.
If Twitter were a country, it would be the 12th largest in the world with over 100 million users logging in daily, and continually growing. The size of its membership and its capacity as a live media source of information make it an attractive and vulnerable target for account takeovers. By hijacking accounts, bad actors have access the audiences of celebrities and brands with thousands of followers, and can also leverage hashtags and lists to push that reach further. It’s a reminder for everyone to use unique strong passwords on every site, and consider using a password manager like 1Password or LastPass for easy generation of strong, unique passwords, as well as storage and encryption of these passwords.”
Tim Helming, Director, Product Management at DomainTools:
“This event points out two unfortunate things: one, the rise of hate speech across the globe and the Internet; and two, the risks inherent in linking systems that have elevated privilege access. In this case, the fact that a third-party app had full access to the Twitter account meant that the Twitter account’s security was only as strong as the third-party app’s. Users need to constantly weigh the advantage of connecting disparate applications with the risks that go along with it, and to apply a least-privilege approach in all cases.”
Dwayne Melancon, CTO at Tripwire:
“When you think of Twitter account security, there are aspects you control directly, such as your own security settings, and there are security risks you “inherit” from any app you’ve authorized to access your Twitter account. Many of these apps are given access for good reasons such as collecting account stats, tweeting on a specific schedule for you, managing groups of users on a shared Twitter account, etc. However, once they have access to your account, these 3rd party apps can do just about anything you can do, without having to log in again. It is a good idea, particularly for high-profile accounts, to set a periodic reminder to review the list of apps authorized to access your Twitter account to make sure that list is as short as possible, and that you remove any apps that aren’t critical to your life, brand, or business.
Once you have a handle on the list of authorized apps, you can further increase security with Twitter’s “Login Verification” security feature, which would help prevent most of the account hijacking incidents we’ve seen. This setting, available through the “Settings & Privacy” section in your Twitter account, requires you to enter a passcode from a text message that Twitter sends you when you log into your account. It requires extra effort, so that may be the main reason accounts aren’t using it, but for high profile accounts, this is a viable option.
In addition to these precautions, there are a few other things mere mortals can do to protect their Twitter accounts, such as using long passwords that don’t contain dictionary words; and periodically changing your Twitter password.”
Tim Erlin, Sr. Director, Product Management at Tripwire:
“The more connected and integrated services become, the more every app has a supply chain to protect. In this case, it wasn’t Twitter that was compromised directly, but a third party app that integrates with the messaging platform.
Users should think about connected apps as part of their personal attack surface. The more apps that have access to your Twitter, Facebook and other social media accounts, the more doors there are for attackers to try. Regularly reviewing connected apps can help keep that attack surface to a minimum.”
Javvad Malik, Security Advocate at AlienVault:
“It appears as if the Twitter accounts were compromised via a third party service called Twitter Counter. The incident illustrates the need for security throughout the supply chain. Users should be wary as to which services they allow access to write to their Twitter accounts. It can be all too easy to allow permissions and subsequently forget that they were ever granted. The specific danger that third parties present is that even if users have secured their account properly and enabled two-step authentication, it offers no protection.
With more online services being inter-connected through social media, it becomes imperative that users are careful in what permissions are granted to apps, and regularly review whether permissions are still needed.
Enterprises should be mindful that these types of attacks are not just limited to individuals, rather corporate services can be compromised in the same way – with far greater consequences.”
Mark James, Security Specialist at ESET:
“One of the problems with these types of “hacks” is the perception of who has actually been hacked. In this case, our first impressions is Twitter but in fact a third party tool was compromised that has the ability or permission to post to Twitter on your behalf. With so many add-ons and extensions for social media there are hundreds of these types of apps available to add little features or additions to our software. Sadly, the companies that spend huge amounts of money keeping your data safe and secure are at risk when something like this happens. We should always review which services have our permission to take action on our social media accounts on a regular basis.
“For Twitter, this can be done on their website. Head to “Profile and Settings” and choose “Settings and Privacy” then select “Apps”. If you have associated any services you will see them listed here with an option to “Revoke Access” as a tab to click. One of the nice things here is seeing when it was approved, so you could determine if it’s still valid and if not remove it. If you make a mistake you can always click the “Undo Revoke Access” button to put it right. While you’re at it why not check Facebook as well – go to the Facebook website and choose “Settings” from your profile, select “Apps” and review what does and does not have access to your data and profile.”