I Wonder

I wonder if we’ll find out that the Twitter hack was an exploit based on stealing credentials using Google Voice services to capture SMS authentication codes. Probably not; that would be too serendipitous.


Joe Biden, Elon Musk, Jeff Bezos and other high-profile Twitter account holders were the targets of a widespread hack to offer fake bitcoin deals on Wednesday in one of the most pronounced security breaches on a social media site.

One of the things that always worries me about that sort of system is that they can be susceptible to offline attacks. Any place where there is an authentication loop that is rate-limited or controlled for brute-force attacks is semi-OK but sometimes you can find an “oracle” for authentication: something that gives you a yes/no answer without a delay or lock-out.

The best example of an offline attack is when someone is able to steal a password file containing the cryptographic hashes of the passwords. The attacker can bypass the whole login process and just generate millions of hashes per second until they get a hit. That’s just a simple example; there are optimizations that can be made which make brute-force searching much faster. One possibility is that someone at Twitter really really fucked up and password hashes left the building.

Another example of an offline attack using an oracle goes back to the 80s (I don’t like to reveal details of current attacks): Sun Microsystems had a remote procedure call system that included an authentication model – you could invoke the API to “log in” and perform a password check that returned thumbs up or thumbs down, but it didn’t log errors or lock users’ accounts for failed attempts. It was not anywhere near as fast as hash table matching, but it was possible to test millions of passwords/day as long as no system administrator noticed that rpc.statd was gobbling an unusual amount of CPU.
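An added example, not from the original post: a password check built so it does not behave like the oracle described above. It logs every failure, locks the account after repeated misses, and stores passwords under a slow salted KDF so a stolen hash file is expensive to search. The class name, policy constants and PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import logging
import os

log = logging.getLogger("auth")

# Assumed policy values for this example; tune them for a real deployment.
MAX_FAILURES = 5          # consecutive misses before the account locks
LOCKOUT_SECONDS = 900     # how long the lock lasts
PBKDF2_ROUNDS = 100_000   # work factor: cost of one guess against a stolen hash


def hash_password(password, salt):
    # Slow, salted KDF instead of a single fast hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class ThrottledAuthenticator:
    """Hypothetical password checker that logs failures and locks accounts."""

    def __init__(self, clock):
        self.clock = clock    # injectable time source, e.g. time.monotonic
        self.users = {}       # user -> (salt, derived key)
        self.failures = {}    # user -> (consecutive misses, locked_until)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, hash_password(password, salt))

    def check(self, user, password, source):
        now = self.clock()
        misses, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            # Refuse without evaluating the password: no yes/no answer leaks.
            log.warning("refused (locked) user=%s source=%s", user, source)
            return False
        # Unknown users still cost one KDF run and can never match.
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(hash_password(password, salt), stored):
            self.failures.pop(user, None)
            return True
        misses += 1
        log.warning("failed login user=%s source=%s misses=%d", user, source, misses)
        if misses >= MAX_FAILURES:
            misses, locked_until = 0, now + LOCKOUT_SECONDS
        self.failures[user] = (misses, locked_until)
        return False
```

A hard lock-out lets anyone lock a victim out by guessing badly on purpose, so many deployments use escalating delays or per-source throttling instead of, or alongside, a fixed lock.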

Since the attack was sudden, and targeted several (what, a couple dozen?) users, it would not be the result of a slow brute-force attack; it has to be a bug in the authentication system, or an offline attack.

Right now, you can bet there is a conference room somewhere at Twitter, where a small team of expensive consultants (I probably know half of them) are burning ye olde midnitte oile, trying to figure out what happened.

Interestingly, only a smallish number of people appear to have fallen for it – about $70,000 worth of bitcoin was transferred to the wallet the attackers specified. If I’m right about what I believe about bitcoin, the retro-scope is already taking apart the attackers’ pasts and zeroing in on their present location. They forgot one of the rules: the bigger they come, the harder they hit.

------ divider ------

Twitter is not a production system! It is not and never was designed to be a messaging system for heads of state and corporate management. It evolved that way, into a mission it was not designed to accomplish; mistakes are to be expected.

“ye olde midnitte oile” – wind is an alternative. There is going to be a lot of wind blowing around this one.

When all the dust settles there will be stories told about what happened; I’ll report on what’s made public.


  1. Dunc says

    When all the dust settles there will be stories told about what happened;

    And some of them might even be true!

    apparently this was an offline attack where some Russians paid a (then) current Twitter employee to help them from the inside

    Eminently plausible. I’m reminded of the distinction between SIGINT and HUMINT – here in “the west”, we build massive systems to intercept, decrypt, store, and data-mine as large a proportion of the total communications on the planet as possible in the hope of turning up useful nuggets of information, whilst regimes with fewer resources to throw at the problem get diplomats and military officers drunk in bars. (According to Craig Murray, who should know these things, a surprising amount of “intelligence” work consists of simply buying people drinks and getting them talking…)

  2. says

    This appears to be the story:

    The hackers gained access to Twitter’s administrative interface. That gives a good idea how well-designed their security architecture is – typically bad. Back in the day security people used to recommend that admin interfaces be accessible only to VPN clusters or isolated enclaves, so that the entire interface could be audited or even shut down in an emergency. It sounds like Twitter’s playing whack-a-mole with root moles; that’s expensive, time-consuming, and stupid.

    Good example of why you need to design your control plane so it’s out of band.

    Aaaahh, you kids get offa my lawn!!

  3. says

    Krebs’ coverage is usually pretty accurate and well-informed:

    Attackers changed email address of target, so that SMS authentication updates went to a different place:

    Lucky225 said that just before 2 p.m. EDT on Wednesday, he received a password reset confirmation code via Google Voice for the @6 Twitter account. Lucky said he’d previously disabled SMS notifications as a means of receiving multi-factor codes from Twitter, opting instead to have one-time codes generated by a mobile authentication app.
