I wonder if we’ll find out that the twitter hack was an exploit based on stealing credentials using google voice services to capture SMS authentication codes. Probably not; that would be too serendipitous.

[wapo]

Joe Biden, Elon Musk, Jeff Bezos and other high-profile Twitter account holders were the targets of a widespread hack to offer fake bitcoin deals on Wednesday in one of the most pronounced security breaches on a social media site.

One of the things that always worries me about that sort of system is that they can be susceptible to offline attacks. Any place where there is an authentication loop that is rate-limited or controlled for brute-force attacks is semi-OK but sometimes you can find an “oracle” for authentication: something that gives you a yes/no answer without a delay or lock-out.

The best example of an offline attack is when someone is able to steal a password file containing the cryptographic hashes of the passwords. The attacker can bypass the whole login: process and just generate millions of hashes per second until they get a hit. That’s just a simple example; there are optimizations that can be made which make brute-force searching much faster. One possibility is that someone at Twitter really really fucked up and password hashes left the building.

Another example of an offline attack using an oracle goes back to the 80s (I don’t like to reveal details of current attacks) Sun Microsystems had a remote procedure call system that included an authentication model – you could invoke the API to “log in” and perform a password check that returned thumbs up or thumbs down, but it didn’t log errors or lock users’ accounts for failed attempts. It was not anywhere near as fast as hash table matching, but it was possible to test millions of passwords/day as long as no system administrator noticed that rpc.statd was gobbling an unusual amount of CPU.

Since the attack was sudden, and targeted several (what, a couple dozen?) users, it would not be the result of a slow brute-force attack; it has to be a bug in the authentication system, or an offline attack.

Right now, you can bet there is a conference room somewhere at Twitter, where a small team of expensive consultants (I probably know half of them) are burning ye olde midnitte oile, trying to figure out what happened.

Interestingly, only a smallish number of people appear to have fallen for it – about $70,000 worth of bitcoin was transferred to the wallet the attackers specified. If I’m right about what I believe about bitcoin, the retro-scope is already taking apart the attackers’ pasts and zeroing in on their present location. They forgot one of the rules: the bigger they come, the harder they hit.

Twitter is not a production system! It is not and never was designed to be a messaging system for heads of state and corporate management. It evolved that way, into a mission it was not designed to accomplish; mistakes are to be expected.

“ye olde midnitte oile” – wind is an alternative. There is going to be a lot of wind blowing around this one.

When all the dust settles there will be stories told about what happened; I’ll report on what’s made public.