What Twitter’s $116K Hack Tells Us About Privacy
Early morning 16th July, I bumped into Jeff Bezos’ Twitter account. I didn’t follow him, so I thought it might be fake.
But the blue tick told me it was legit.

Was Twitter being attacked? Apparently, it was.

Just 2 days ago, a video covertly suggesting Vitalik Buterin (Ethereum founder) was giving away ETH tokens in return for deposits had appeared in my YouTube feed.
I was almost lured to earn an airdrop.
As for the Twitter hack, the fact that an attack could compromise the world's most influential people and organizations made me lose my sleep.
The World of Privacy is No Longer the Same:
It is increasingly common to hear about user account breaches. The purpose of most such breaches is a demonstration of the hackers' prowess, not damage to the victims' data. Sometimes the stolen data is sold for small fortunes.
But then there are hacks that involve cloud providers and government systems: the recent Twitter BTC attack, the NHS hack by WannaCry, AWS hacking, the Pentagon hack, and the hacking of Azure. Such hacks could also facilitate intricate corporate espionage and geopolitical rivalry between nations.
Imagine Trump’s Twitter without special protection, and hackers posting an announcement of a nuclear war.
When such hacks happen, they can cripple huge systems. They affect the physical delivery of vital products and services to millions of people worldwide. Many times, the effect is far more sinister than what is visible to the media.
And I think: The world of privacy is no longer the same.
But it has been the same all along. It is only that its cumulative effects have been increasingly witnessed during the last decade. The reasons?
- The amount of user data is exponentially larger;
- The way it is stored and handled by the tech giants has changed very little.
Here we discuss factors that boost the likelihood of such breaches:
E-Mail As An Identity Tool Needs To Be Retired
When you enter John Doe’s email and password, you claim to know his email and password. It doesn’t prove you are John Doe.
If you are John Doe but have Alzheimer's and forget your email and password, that doesn't change the fact that you are indeed the John Doe associated with that email.
Those are the inherent shortcomings of internet identity systems, and they have persisted for almost three decades.
Most breaches exploit email, and not just because an email account can be easily hacked and then used to retrieve the user's password through the Reset Password mechanism.
The primary reason email is the weakest link is that it acts as a key to user data in back-end systems.
Despite having unique IDs (UUIDs) to refer to their internal records, most back-ends employ APIs that allow access to resources based on the user's email address. The primary intention behind this is to let customer care executives look up a customer's account.
To the uninitiated: An API is a gateway to user data. It is essentially the code that runs on the server to process user data. What you see on a webpage after logging into a social network (or any other web-based service, even an app) is the data that the API provides. The API sits on the server, often in the cloud.
Every API is guarded by a user token, a complex cryptographic key issued by the server after you supply an email / phone number + password.
Apart from the web page, the data provided by an API can also be seen using other tools, the most famous being cURL and Postman. Not only are hackers masters of such tools; they are also good at hiding themselves while using them.
And as far as the hiding part is concerned, laymen know a fair amount about it too: it is nowadays quite common to use IP spoofing / VPN tools to access cross-border services such as Amazon Prime, Netflix or even Facebook (for people residing in China).
True, every API is guarded by such a token. But obtaining a token is not that difficult if the other authorization measures aren't strong enough (e.g. weak passwords found using a dictionary), or if the phone number is already compromised (SIM-card hacking).
That is enough to expose a single user's data.
Then there is something called Access Control. It is the mechanism by which an application decides the scope of information that can be made available to particular users. If Access Control is in place, Admin-level users can view / modify the data of users with lesser access than Admin, using tokens that are categorized as Admin tokens.
In the Twitter hack of July 16, an internal admin tool was used to gain access to prominent accounts. An admin token might have been used to alter the associated email address first, followed by full-scale exploitation of the tweet API. Whether the attackers got access to the victims' DMs is yet undisclosed.
Once a token is secured, a poorly designed API can expose an unintended amount of data to legitimate users, using other users' emails as the filter criteria.
What makes emails most vulnerable (to internal breaches) is the fact that they are stored in plain text (unencrypted) in most databases. In contrast to the established practice of storing hashed passwords, even veteran devs question the need for storing encrypted emails.
This is because password-style protection is one-way: passwords are hashed and cannot be decrypted. When a password needs to be authenticated, its cryptographic hash is compared on the server side instead of the plain-text value.
If emails were hashed in the same way, there would be no way to reach users about updates and marketing campaigns.
Keying in an email retrieves the entire account data for any viewer with admin rights. This gives internal developers enormous power to mess with individual user accounts using nothing more than an email.
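The email-keyed lookup and the admin-token scoping described above, as an added example that is not from the original post and not Twitter's code: a constructed in-memory back-end with one-way password hashing and token issuance, whose vulnerable endpoint returns any account to any valid token given an email, beside a hardened version that authorizes against the token's subject and role and withholds DMs from support staff. All accounts, passwords and field names are made up for the example.

```python
import hashlib, hmac, os, secrets, uuid

ACCOUNTS = {}  # uuid -> record; constructed in-memory store standing in for the back-end DB
TOKENS = {}    # opaque token -> {"sub": account uuid, "role": "user" or "admin"}

def hash_password(password, salt):
    # One-way: the server compares hashes and never stores the plain-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(email, password, role="user"):
    uid, salt = str(uuid.uuid4()), os.urandom(16)
    ACCOUNTS[uid] = {"id": uid, "email": email, "role": role, "salt": salt,
                     "pw_hash": hash_password(password, salt), "dms": "private messages of " + email}
    return uid

def login(email, password):
    # A token is issued only after the email + password check; None on failure.
    for acct in ACCOUNTS.values():
        if acct["email"] == email and hmac.compare_digest(
                acct["pw_hash"], hash_password(password, acct["salt"])):
            token = secrets.token_urlsafe(32)
            TOKENS[token] = {"sub": acct["id"], "role": acct["role"]}
            return token
    return None

def _find_by_email(email):
    return next((a for a in ACCOUNTS.values() if a["email"] == email), None)
def lookup_vulnerable(token, email):
    # Checks only that *some* token is valid: any logged-in user can read any account, DMs included.
    if token not in TOKENS:
        raise PermissionError("no valid token")
    acct = _find_by_email(email)
    return {"id": acct["id"], "email": acct["email"], "dms": acct["dms"]}
def lookup_hardened(token, email):
    # Authorizes against the token's subject and role, and scopes the fields returned.
    claims, acct = TOKENS.get(token), _find_by_email(email)
    if claims is None or acct is None:
        raise PermissionError("no valid token or unknown account")
    if acct["id"] == claims["sub"]:
        return {"id": acct["id"], "email": acct["email"], "dms": acct["dms"]}
    if claims["role"] == "admin":
        return {"id": acct["id"], "email": acct["email"]}  # support view: no DMs
    raise PermissionError("token subject does not own this account")
def is_denied(lookup, token, email):
    try:
        lookup(token, email)
        return False
    except PermissionError:
        return True
```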
There is MFA, which seems to reduce the likelihood of password theft. But MFA simply delegates the responsibility for security outside the software department (often outside the organization's boundaries). When it fails due to SIM hacks, it ends up letting internal security teams shrug off the data breaches.
In 2016, Uber was sued for spying on its riders using its God View admin tool.
When such incidents are exposed, companies often try to wash their hands of them by firing the developers involved. Knowing this in advance, those developers may decide to walk away with a much bigger incentive (payment by hackers), a possibility that cannot be denied in the recent hacking of Twitter.
E-mail as an identity bearer for any web service has lived out its life.
Email has been used as an identity tool since the 90s. At that time, only privileged people had email addresses.
Today, the world is flooded with spam and fake accounts. Gmail's aggressive spam filtering renders several legitimate emails unreachable.
During these three decades, we have also witnessed the growth of mobile devices, coupled with privacy protection based on fingerprint and face recognition.
E-mail as a communication tool remains vital for professional communication. As an identity bearer for web services, it is no longer fit for purpose.
The Rewards/Risk Ratio For Privacy Breaches Has Never Been Better:
Data is the new oil: this phrase is already a cliché. But tech companies and governments are unable to match the pace of privacy offenders.
On the contrary, the Cambridge Analytica episode proved that they are often beneficiaries of such practices.
The dark web, which amounts to 96% of the Internet, is getting bigger every year. Previously known only for porn, drugs, and guns, it has become the market street for talented hackers who sell data worth billions for a few grams of marijuana.
A career is born in public — talent in privacy.
Marilyn Monroe
Marcus Hutchins, the world-famous 2017 WannaCry savior, was a genius hacker who developed Kronos in 2014, a malware that stole banking passwords by spoofing password fields.
Marcus, and several other hackers like him, realized quite late in their careers that crime doesn't pay in the long run the way a cybersecurity career does.
The irony is that tech companies hire cybersecurity professionals in expert positions (one for a team of a hundred), who apply boilerplate network-level software on top of already developed APIs. Security isn't ingrained into every phase of software development.
Open Source + Bug Bounties Make Developers Shrug Off The Security Responsibility:
In 2018, malicious code injected into a very popular npm package (event-stream) resulted in BTC being stolen from users of the Copay wallet app. The only things required were a keen eye on GitHub Issues and a simple version change.
OAuth, an open Internet standard for delegating authentication to leading identity providers such as Microsoft, Google, Amazon, Twitter (and many more), was (ironically) created at Twitter.
The intention was to eliminate the credential (username + password) management required of every software provider. With OAuth, users could log in with ready-made tokens issued by one of the OpenID providers (Google, Amazon, Facebook, Twitter and many more).
Even so, building an OAuth server (OAuth 1.0 was later superseded by OAuth 2.0, partly for mobile) has often been a complex technical challenge for tech companies. Cloud providers like AWS, Azure and GCP have their own specialized free/paid identity management solutions. Companies like Auth0 sell their OAuth solutions on a per-user basis.
Most of them (OAuth-based or not) make their SDKs available in public GitHub repositories. They expose the security mechanisms, believing that it's the data that needs protection, not the mechanism.
Myth: It’s the data that needs protection, not the mechanism.
It is argued that all internet standards are in the public domain, and that security breaches require a critical mass of computational power. However, anyone familiar with the development process can vouch that publicized code (that is not thoroughly reviewed and tested) makes the creation of loopholes almost frictionless.
Developers have historically been known to leave secret keys in GitHub repos, back when private repos were only available to business users of GitHub, a place known for its own set of vulnerabilities.
SaaS providers upload their SDKs on GitHub to attract developers — keeping API keys behind their paywall.
In 2016, security researchers found that an OAuth 2.0 flaw could expose 1 billion mobile apps to account hijacking, due to poor OAuth protocol implementation by Facebook, Google and Sina.
Their vulnerabilities are out in the open under GitHub Issues, and most of them are openly overlooked, begging hackers to take a look and exploit them. Internal devs do not look at GitHub issues for a long time, and often close the issues without fixing them.
In the race to acquire millions of users in pursuit of lofty investor goals, startups apply boilerplate security measures. When the user data reaches critical mass, all hell breaks loose.
To fix what they could not do at an earlier stage, huge tech companies rely on lucrative bug bounties (publicized prize challenges) to scout for exploits in their online systems. The mere existence of such bounties exposes the loophole in tech hiring, which doesn't consider ethical hacking a mainstream career, at least not in sufficient measure.
Million-dollar rewards attached to bug bounties only emphasize the fact that responsibility for data security lies outside the developer organization.
Unqualified creative hackers, hungry for money and fame, exploit the systems to reap cheap rewards, and often get caught. The perpetrator sharks go uncaught, and the vulnerabilities are stitched up with quick fixes.
Conclusion:
The predictability of the internet has led us beyond a critical point. Only changes on the scale of a standards overhaul could tackle privacy breaches.
It’s dangerous when people are willing to give up their privacy.
Noam Chomsky
The responsibility for this overhaul lies with the big tech companies, because they hold the ocean-sized slice of the authentication systems across the world.
Only users and customers can collectively make them act. The question is when, not how.
