Crypto industry leaders provide a commentary on the recent Twitter hack.
Twitter Hack: Attackers Gained Access To God Mode
Konstantin Richter, CEO of Blockdaemon, commented:
“Twitter has become one of the most widely used communication tools and sources of breaking news. Looking at who was hacked -- famous verified users that are very active on Twitter and the fact that they had two-factor authentication (2FA) enabled, presents questions around defeating 2FA without some kind of access to internal systems. Cryptocurrency scammers that are looking to make cash fast should be a warning beacon to other hackers that could do a lot more damage with more drastic consequences.
It is speculated that the hacker(s) gained access to the so-called “God Mode” system used to administer Twitter accounts on the platform. The access could have been through a platform exploit or a social engineering attack on a Twitter employee. Either way, it's clear that building secure software systems is a challenge, and developers and system owners need to be hyper-aware that the systems they build may be used for malicious intent due to bugs, social engineering hacks or rogue employees. It's of the utmost importance that these systems have strict access controls and are thoroughly audited for potential vulnerabilities.
Many crypto scams circulate on social channels but are spotted easily because they appear to be spam. Since the industry is still in its infancy, many can be tricked because they want to participate. Since this scam hit a wider audience that may not be as familiar with cryptocurrency through verified Twitter users, it was more believable.
Seeing how widespread and high-profile the scam was, the damage was relatively small compared to what kind of chaos could be unleashed. With pending presidential elections less than 4 months away, a pandemic with many unknowns, and tensions increasing in various regions, it is vital that Twitter set up additional security measures, and also publicly share a breakdown of what happened to assure users and prevent it from happening again.
One of the preventative measures Twitter deployed during the hack resolution was restricting the ability to tweet from specific high profile accounts. This action raises the concern that at any point Twitter has the ability to silence an individual account. It once again shows us that we do not truly own our profiles and “God Mode” features show us that employees may have access to the data that we own. “De-platforming” or silencing an account is a real threat and it further shows that we need the ability to take control of our online identity, data and voice. Decentralised systems are the best shot we have at achieving this.”
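The commentary above argues that an internal account-administration capability like the reported “God Mode” needs strict access controls and a thorough audit trail. The following added example (editor's illustration, not Twitter's code or Blockdaemon's) models one defensive design for such a tool: every administrative action is gated on role, on a step-up MFA check for the operator's session, and, for account-hijacking actions, on a second approver who is a different person; every decision, allowed or denied, is written to an audit log that detection can query. All role names, action names and the high-impact classification are assumptions chosen for the example.

```python
"""Privilege gate for an internal account-administration tool (added example).

Assumed policy, not any vendor's: 'support_admin' role plus step-up MFA for
any action; high-impact actions additionally need a distinct 'support_lead'
approver who has also completed MFA. Every decision is audited.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set

# Constructed classification of admin actions by blast radius.
HIGH_IMPACT = {"change_email", "reset_2fa", "disable_tweeting"}
LOW_IMPACT = {"view_profile_metadata"}
KNOWN_ACTIONS = HIGH_IMPACT | LOW_IMPACT


@dataclass
class Session:
    user: str
    roles: Set[str]
    mfa_verified: bool  # step-up MFA completed for this session


@dataclass
class AuditEvent:
    ts: str
    actor: str
    action: str
    target: str
    allowed: bool
    reason: str
    approver: Optional[str] = None


class AdminGate:
    """Decides whether an administrative action on a user account may run."""

    def __init__(self) -> None:
        # Append-only in a real deployment (e.g. shipped to a WORM log store).
        self.audit: List[AuditEvent] = []

    def _decide(self, session: Session, action: str, target: str,
                allowed: bool, reason: str,
                approver: Optional[Session] = None) -> bool:
        # Record the decision before returning so denials are visible too.
        self.audit.append(AuditEvent(
            ts=datetime.now(timezone.utc).isoformat(),
            actor=session.user, action=action, target=target,
            allowed=allowed, reason=reason,
            approver=approver.user if approver else None))
        return allowed

    def authorize(self, session: Session, action: str, target: str,
                  approver: Optional[Session] = None) -> bool:
        if action not in KNOWN_ACTIONS:
            return self._decide(session, action, target, False, "unknown action")
        if "support_admin" not in session.roles:
            return self._decide(session, action, target, False,
                                "missing support_admin role")
        if not session.mfa_verified:
            return self._decide(session, action, target, False,
                                "step-up MFA not completed")
        if action in HIGH_IMPACT:
            # Two-person rule: a single compromised or rogue operator is not enough.
            if approver is None or "support_lead" not in approver.roles:
                return self._decide(session, action, target, False,
                                    "second approver with support_lead role required",
                                    approver)
            if approver.user == session.user:
                return self._decide(session, action, target, False,
                                    "approver must differ from actor", approver)
            if not approver.mfa_verified:
                return self._decide(session, action, target, False,
                                    "approver MFA not completed", approver)
        return self._decide(session, action, target, True, "policy satisfied", approver)

    def denied_high_impact_attempts(self, actor: str) -> int:
        """Detection hook: count denied high-impact attempts by one operator."""
        return sum(1 for e in self.audit
                   if e.actor == actor and not e.allowed and e.action in HIGH_IMPACT)


if __name__ == "__main__":
    gate = AdminGate()
    admin = Session("alice", {"support_admin"}, mfa_verified=True)
    lead = Session("bob", {"support_admin", "support_lead"}, mfa_verified=True)
    print(gate.authorize(admin, "reset_2fa", "@example_user"))             # False
    print(gate.authorize(admin, "reset_2fa", "@example_user", approver=lead))  # True
    for e in gate.audit:
        print(e)
```

The point of the design is that the audit log records denials as well as approvals: a burst of denied high-impact attempts from one operator, surfaced by `denied_high_impact_attempts`, is exactly the signal a SOC would want from a tool of this kind.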
Twitter Hack Has Nothing To Do With The Bitcoin Elicited
“In my opinion, the Twitter hack and resulting scam likely had nothing to do with the Bitcoin elicited. The high profile tweets were more likely a distraction from something on a larger scale -- mass data theft for example. It was quite obvious early on that this wasn’t a targeted SIM swap or API type hack, and many of the verified users that were targeted would likely have strong Operations Security (OPSEC) enabled.
It was always more likely to be a zero-day attack or internal access exploit from someone within Twitter, the latter now being confirmed as the source by Twitter. This hack further reinforces the case for migrating to Nemlog or Hive’s blockchain-powered social platforms and using messaging apps like Signal as opposed to the less secure centralized counterparts that have admin backdoors with control over their users. Centralised systems with a single failure point will continue to be exploited again to the detriment of their users. ‘Not your keys, not your account’ applies as equally to your data as it does to your funds.”