The frighteningly simple technique behind Jack Dorsey's Twitter account hack
3.9.2019
Translation: machine translated
CEO Jack Dorsey's Twitter account was in unauthorised hands for 15 minutes. Unauthorised persons gained access with the help of SIM swapping. You can read why Twitter is so vulnerable to this hack here.
Chuckling Squad, as the group responsible calls itself, published anti-Semitic messages and a link to its Discord channel in the name of the Twitter CEO. A short time later, the glitch was fixed and the tweets removed. This incident shows that even the head of a large social media company is not protected from unauthorised access. But how could something like this happen in the first place?
Cloudhopper: both a blessing and a curse
The hackers gained access via a text-to-tweet service: Cloudhopper - the name of the company behind the service - allows Twitter users to send their tweets as text messages to a short number and publish their 280 characters in this way. A useful feature for all those who don't have a smartphone or can't access the Twitter app or site.
All you need to do is link your mobile number to your Twitter account. Many users already have this link for security reasons - how ironic. So all a hacker needs is control of your phone number and you don't even realise that someone is tweeting in your name.
Update from 05/09/19: Twitter has temporarily disabled the text-to-tweet function
.
(Not) a bug in the system
Gaining control of a phone number sounds difficult. Basically yes, but not impossible, as the Dorsey case shows. According to a tweet - irony number two - the Chuckling Squad gained access to the Twitter CEO's number due to a (human) error at the mobile phone provider.
Although the mobile phone provider spoke of an oversight, this tactic is not new. Also known as SIM hacking, strangers gain control of your phone number by convincing your provider to overwrite your phone number onto a new SIM card. Of course, they believe this is in your best interest. Hence the term "oversight".
Too easy to be safe?
Normally, this technique is used for Bitcoin or Instagram profile thefts. In most cases, a leaked password is all the online criminals need to take control. With a PIN from your mobile phone provider, you can also protect yourself against such criminal activities. You can also make your account more secure by using a virtual, artificial identity - but this requires more than just the basic technical knowledge that the average mobile phone user has.
It is precisely because of the relative simplicity of this attack - hackers are certainly not average users - that SIM swapping is so popular with cybercriminals. And, as the Dorsey case shows, with success.
It's a good thing nobody knows...
The girls and boys at Chuckling Squad have been pulling this stunt for several years. Dozens of Insta influencers and YouTube celebrities have already had to believe it. Whether it's disturbing images or racist quotes - the online thugs will stop at nothing. And they don't even hide, on the contrary. Each time they mention their name in the hacked accounts, be it via hashtags or in live streams. As with Dorsey, they also try to persuade people who take a liking to their actions to join their Discord servers or follow them on Twitter.
Aqua, the leader of this shady online gang, and his like-minded friends seem to have taken a particular liking to AT&T in the USA - incidentally, this is also the supplier of the Twitter CEO. It is still unclear why the hackers at AT&T so often succeed in gaining control over other people's telephone numbers. So far, the American conglomerate has not been asked to make a statement in front of the microphone.
The old familiar repackaged
The Dorsey hack or SIM swapping procedure has been around much longer than the Chuckling Squad itself. After all, any system that makes it easier for the user to create and send a tweet automatically makes it easier for any online villain to take over the user's account without authorisation.
Three years ago, Dorsey was the victim of an online attack. Back then, hackers sent indecent tweets in the name of the Twitter CEO via authorised third-party plugins that were no longer used but still had access to the account. When SIM swapping technology experienced a boom and such plugins were no longer needed, the hackers also switched over.
Twitter, quo vadis?
Okay, SIM swapping and the like are nothing new. Nor is this the first time Jack Dorsey has fallen into a hacker trap. And yet the question formulated at the beginning still remains: How could this happen?
Of course, the incident is embarrassing for Twitter. But the embarrassment of this faux pas can hardly be compared to leftover food in a gap tooth or stains on a tie. It is a serious digital - and well-known - security vulnerability. Not only experts, but also laypeople have been aware of the possibilities and dangers of SIM swapping for almost a decade.
This incident shows a great deal of ignorance on the part of Twitter and its managers. The social media giant is also guilty of a lack of insight when it comes to the security and privacy of user accounts. Has Twitter got a bit old?
Let's hope that this incident will finally teach Twitter a lesson and that the company with the bird will distance itself from SMS verification.
Header image: Dark clouds on the Twitter horizon - what about account security? Source: THE BUSINESS TIMES
Raphael Knecht
Senior Editor
raphael.knecht@digitecgalaxus.chWhen I'm not stuffing my face with sweets, you'll catch me running around in the gym hall. I’m a passionate floorball player and coach. On rainy days, I tinker with my homebuilt PCs, robots or other gadgets. Music is always my trusted companion. I also enjoy tackling hilly terrain on my road bike and criss-crossing the country on my cross-country skis.
