undefined | Better HN

0 pointsneurostimulant5y ago0 comments

With so many accounts compromised, the hackers might actually have full access to Twitter's backend. The postmortem would be very interesting. I'll be looking forward to it.

Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

0 comments

49 comments · 21 top-level

byteshock5y ago· 8 in thread

If they had full access to Twitter’s backend, they probably would be tweeting from accounts like @POTUS or @jack. But this seems like they have access to limited accounts. Most likely gained access to a third party service that allows you to manage your tweets?

Edit: they tweeted from the twitter support account. Just wow. They might have actually gotten into Twitter’s systems.

Edit 2: To expand on my edit above, I saw multiple tweets from other accounts that showed a screenshot of the scam tweet originating from the twitter support account. I’m not sure if it’s real or not, since they keep deleting the tweets. If it is real that would definitely open doors to more theories.

Edit 3: Seems like the twitter support account was a joke. Impossible to tell with everything going on!

benlumen5y ago

You say they'd target POTUS but of the very high profile accounts it's so far billionaires, corporations and democrat politicians. Does make you wonder.

2 more replies

Pmop5y ago

I think that they just like to be alive, so they avoided hacking POTUS or other countries Presidents/PMs.

1 more reply

bollu5y ago

Can you clarify your edit? All I see is this tweet (https://twitter.com/TwitterSupport/status/128351803844522393...) which reads

We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.

Are you implying that this was tweeted by the attackers? or something else?

1 more reply

VectorLock5y ago

The Twitter backend is probably heavily sprinkled with statements like `account_handle match { case "therealdonaldtrump" => throw new TrumpNotAllowedException("can't do"); }`

Especially after the last insider account tampering event.

mlinsey5y ago

I do think it's odd that so many prominent accounts were hit but not Trump's. I remember there was an incident a couple years ago that a trust and safety employee at Twitter suspended Trump's account on their last day. It's very likely that after that incident, special guards were set in place to prevent admin tools from messing with Trump's account. This would align with speculation that this hack targeted an internal employee admin tool.

Krasnol5y ago

Maybe they're POTUS fans ;)

tathougies5y ago

If they target @POTUS, I believe they'd be guilty of impersonating an elected official, which would make this an even more serious crime? I dunno

1 more reply

jmkni5y ago

Donald Trump was Tweeting in Farsi earlier, I was seriously on the fence about whether that was a genuine tweet.

2 more replies

vmception5y ago· 4 in thread

probably a social media manager api keys

celticninja5y ago

I can't see that bill gates, Elon musk and every cryptocurrency channel using the same manager. This looks like something closer to a Twitter hack than an intermediary, especially with the the reposting after deletion.

kristofferR5y ago

No way, it's way too widepread and would be shut down by now.

Elon Musk, Barack Obama and Wiz Khalifa just tweeted the scam again this very minute, more than an hour since it started. This is backend access, Twitter can't figure out how to shut it down.

1 more reply

neurostimulantOP5y ago

But when you post a tweet via api, the tweet will include the app's name at the bottom? The screenshot in the article has "Twitter Web App" at the bottom.

1 more reply

MattGaiser5y ago

Do that many accounts use the same social media manager?

2 more replies

kerng5y ago· 3 in thread

Maybe a front end/OAuth issue - those are not uncommon either. Will be interesting to learn more.

Also begs the question, who is liable in such cases....

Scoundreller5y ago

Could be front end, since all of these cite "Twitter Web App" as the source. Never anything else (unless you're a low-follower troll).

Geee5y ago

Maybe a popular browser extension? Would explain why it seems to target tech people.

CleanCoder5y ago

Liable for the account being compromised? Twitter. Liable for people sending money? People sending money.

2 more replies

ChuckMcM5y ago· 2 in thread

It "feels" like an insider attack (simultaneous compromise of lots of high value accounts) but I agree, it will make for a fascinating post mortem if one is produced.

ChuckMcM5y ago

And now this : A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.

From - https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...

neurostimulantOP5y ago

Hmm, how much money this scam would potentially generates? I think the salary of an engineer working on twitter would be higher given how fast this scam would be shut down. Would a twitter employee risk their career to this scam?

4 more replies

zelly5y ago· 2 in thread

There is no way Twitter depends on Github CI/CD to push updates. I refuse to believe this.

sleepybrett5y ago

If they did, they would be running the self hosted option.

suzzer995y ago

That twitter buildspec.yml must be HUGE!

whoisjuan5y ago· 2 in thread

And it seems that it's still compromised. Tweets get deleted and then they re-appear.

Narretz5y ago

30 minutes later and it still happens, just after "Elon" posted a normal message. Hopefully most users have caught on to the scam by now.

1 more reply

slezyr5y ago

> All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!

> Only doing this for the next 30 minutes! Enjoy.

No, it's hacker's doing, they need to keep timestamps updated

kyleee5y ago· 2 in thread

boy I sure hope we get a juicy post mortem, this is quite a scam

misnome5y ago

I don’t think I’ve ever looked forwards to a postmortem so much, so many possibilities.

tornato75y ago

Twitter hasn't released postmortems for other incidents, so I wouldn't hold out hope

benlumen5y ago· 1 in thread

Totally agree, backend - Musk's tweets being deleted and popping up again before our eyes was a dead giveaway.

It could be SQL injection writing tweets directly to the database for all we know.

I agree with everyone else saying the site should be pulled. Incredibly sketchy.

VectorLock5y ago

Write through caches would need to send the tweets through the normal channels for them to 'fan out' instead of writing directly to MySQL. But essentially what you're saying about possible backend compromise.

granzymes5y ago· 1 in thread

Twitter almost certainly self-hosts GitHub, no?

one2know5y ago

Don't know, but current corporate dogma is to not host anything, including using third party auth provider which is like giving away their customer list.

2 more replies

brentm5y ago· 1 in thread

I wonder if this is hack in the sense that the account passwords were compromised or that the system itself was compromised in a way that would allow the attacker to tweet from any account.

Darkphibre5y ago

I'd guess that Elon's first reaction would be to change the password. Since it's still happening, it's probably back-end.

ragerino5y ago· 1 in thread

It seems like the devs at Twitter are clueless, how this happened.

The hackers could be deep in Twitters systems, eventually even have even someone working at Twitter, or it's a result of a new yet unknown password list or phishing attempt.

ragerino5y ago

Just saw this https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...

Means they had someone inside Twitter.

lqet5y ago· 1 in thread

> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

Is Twitter really using GitHub internally (even self-hosted)?

boarnoah5y ago

Is there even a self hosted Github? AFAIK there is no public offering of the sort.

5 more replies

jacquesm5y ago

It may be that the github outage is related. Too many companies rely on 3rd party hosted services for their deployment workflow. Even ones you really would not expect.

rvz5y ago

> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

Imagine that. At that point it would be more secure to self-host the code off of GitHub to push that critical fix Twitter sorely needs right now.

Its still on going as we type.

kelnos5y ago

> ... and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

I sincerely doubt Twitter depends on github.com. Github's enterprise version runs on your own infra, self-managed, and if Twitter uses GH at all, that'd be the version they use.

Sebb7675y ago

I'm just glad the fallout from this isn't nuclear, to be honest.

libraryatnight5y ago

and yet lots of technical type Twitter personalities tweeting like each individual user got popped. "OMG THEY GOT MR BEAST!" No, they got twitter. I mean its possible, we do not know, but this "They GOT so and so" thing is annoying at this point.

maps75y ago

Why can twitter staff tweet under people's accounts? How does that make sense?

gsich5y ago

Selfhost. If you rely on Github for your service you are rightfully doomed.

gowld5y ago

Twitter depends on GitHub?

sidcool5y ago

Is the root cause and attack vector known?

j / k navigate · click thread line to collapse

0 comments

49 comments · 21 top-level

byteshock5y ago· 8 in thread

Edit: they tweeted from the twitter support account. Just wow. They might have actually gotten into Twitter’s systems.

Edit 3: Seems like the twitter support account was a joke. Impossible to tell with everything going on!

benlumen5y ago

You say they'd target POTUS but of the very high profile accounts it's so far billionaires, corporations and democrat politicians. Does make you wonder.

2 more replies

Pmop5y ago

I think that they just like to be alive, so they avoided hacking POTUS or other countries Presidents/PMs.

1 more reply

bollu5y ago

Can you clarify your edit? All I see is this tweet (https://twitter.com/TwitterSupport/status/128351803844522393...) which reads

We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.

Are you implying that this was tweeted by the attackers? or something else?

1 more reply

VectorLock5y ago

The Twitter backend is probably heavily sprinkled with statements like `account_handle match { case "therealdonaldtrump" => throw new TrumpNotAllowedException("can't do"); }`

Especially after the last insider account tampering event.

mlinsey5y ago

Krasnol5y ago

Maybe they're POTUS fans ;)

tathougies5y ago

If they target @POTUS, I believe they'd be guilty of impersonating an elected official, which would make this an even more serious crime? I dunno

1 more reply

jmkni5y ago

Donald Trump was Tweeting in Farsi earlier, I was seriously on the fence about whether that was a genuine tweet.

2 more replies

vmception5y ago· 4 in thread

probably a social media manager api keys

celticninja5y ago

kristofferR5y ago

No way, it's way too widepread and would be shut down by now.

Elon Musk, Barack Obama and Wiz Khalifa just tweeted the scam again this very minute, more than an hour since it started. This is backend access, Twitter can't figure out how to shut it down.

1 more reply

neurostimulantOP5y ago

But when you post a tweet via api, the tweet will include the app's name at the bottom? The screenshot in the article has "Twitter Web App" at the bottom.

1 more reply

MattGaiser5y ago

Do that many accounts use the same social media manager?

2 more replies

kerng5y ago· 3 in thread

Maybe a front end/OAuth issue - those are not uncommon either. Will be interesting to learn more.

Also begs the question, who is liable in such cases....

Scoundreller5y ago

Could be front end, since all of these cite "Twitter Web App" as the source. Never anything else (unless you're a low-follower troll).

Geee5y ago

Maybe a popular browser extension? Would explain why it seems to target tech people.

CleanCoder5y ago

Liable for the account being compromised? Twitter. Liable for people sending money? People sending money.

2 more replies

ChuckMcM5y ago· 2 in thread

It "feels" like an insider attack (simultaneous compromise of lots of high value accounts) but I agree, it will make for a fascinating post mortem if one is produced.

ChuckMcM5y ago

From - https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...

neurostimulantOP5y ago

4 more replies

zelly5y ago· 2 in thread

There is no way Twitter depends on Github CI/CD to push updates. I refuse to believe this.

sleepybrett5y ago

If they did, they would be running the self hosted option.

suzzer995y ago

That twitter buildspec.yml must be HUGE!

whoisjuan5y ago· 2 in thread

And it seems that it's still compromised. Tweets get deleted and then they re-appear.

Narretz5y ago

30 minutes later and it still happens, just after "Elon" posted a normal message. Hopefully most users have caught on to the scam by now.

1 more reply

slezyr5y ago

> All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!

> Only doing this for the next 30 minutes! Enjoy.

No, it's hacker's doing, they need to keep timestamps updated

kyleee5y ago· 2 in thread

boy I sure hope we get a juicy post mortem, this is quite a scam

misnome5y ago

I don’t think I’ve ever looked forwards to a postmortem so much, so many possibilities.

tornato75y ago

Twitter hasn't released postmortems for other incidents, so I wouldn't hold out hope

benlumen5y ago· 1 in thread

Totally agree, backend - Musk's tweets being deleted and popping up again before our eyes was a dead giveaway.

It could be SQL injection writing tweets directly to the database for all we know.

I agree with everyone else saying the site should be pulled. Incredibly sketchy.

VectorLock5y ago

granzymes5y ago· 1 in thread

Twitter almost certainly self-hosts GitHub, no?

one2know5y ago

Don't know, but current corporate dogma is to not host anything, including using third party auth provider which is like giving away their customer list.

2 more replies

brentm5y ago· 1 in thread

I wonder if this is hack in the sense that the account passwords were compromised or that the system itself was compromised in a way that would allow the attacker to tweet from any account.

Darkphibre5y ago

I'd guess that Elon's first reaction would be to change the password. Since it's still happening, it's probably back-end.

ragerino5y ago· 1 in thread

It seems like the devs at Twitter are clueless, how this happened.

The hackers could be deep in Twitters systems, eventually even have even someone working at Twitter, or it's a result of a new yet unknown password list or phishing attempt.

ragerino5y ago

Just saw this https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...

Means they had someone inside Twitter.

lqet5y ago· 1 in thread

> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

Is Twitter really using GitHub internally (even self-hosted)?

boarnoah5y ago

Is there even a self hosted Github? AFAIK there is no public offering of the sort.

5 more replies

jacquesm5y ago

It may be that the github outage is related. Too many companies rely on 3rd party hosted services for their deployment workflow. Even ones you really would not expect.

rvz5y ago

> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

Imagine that. At that point it would be more secure to self-host the code off of GitHub to push that critical fix Twitter sorely needs right now.

Its still on going as we type.

kelnos5y ago

> ... and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

I sincerely doubt Twitter depends on github.com. Github's enterprise version runs on your own infra, self-managed, and if Twitter uses GH at all, that'd be the version they use.

Sebb7675y ago

I'm just glad the fallout from this isn't nuclear, to be honest.

libraryatnight5y ago

maps75y ago

Why can twitter staff tweet under people's accounts? How does that make sense?

gsich5y ago

Selfhost. If you rely on Github for your service you are rightfully doomed.

gowld5y ago

Twitter depends on GitHub?

sidcool5y ago

Is the root cause and attack vector known?

j / k navigate · click thread line to collapse