On Friday afternoon, the 4.2 million Twitter followers of Jack Dorsey got an unpleasant surprise. A group of vandals had gained access to the account and used it to send out a stream of offensive messages and plugs for their group's Discord channel. Within 15 minutes the account was back under control and the group had been banned from Discord. The incident, however, served as a reminder of the serious security holes in even the most prominent accounts, and of how insecure phone-based authentication has become.
The hackers got in through Twitter's text-to-tweet service, which is powered by the acquired Cloudhopper service. Using Cloudhopper, Twitter users can post tweets by sending SMS messages to a short code, usually 40404. This is a useful trick for feature phones, or if you simply do not have access to the Twitter app. The system only requires that your phone number be linked to your Twitter account, which most users have already done for various security reasons. As a result, controlling a user's phone number is usually enough to post tweets to that user's account, and most users are unaware of this.
Getting control of Dorsey's phone number was not as hard as you might think. According to a Twitter statement, the hackers gained control through a "security oversight" by the carrier. In general, this type of attack is called SIM swapping: a network operator is essentially convinced to assign Dorsey's number to a new phone that the attacker controls. It is not a new technique, although it is more often used to steal Bitcoin or high-value Instagram handles. Often it is as easy as plugging in a leaked password. You can protect yourself by adding a PIN code to your carrier account or by registering web accounts such as Twitter with dummy phone numbers. However, these measures may be too much to ask of the average user. As a result, SIM swapping has become one of the most popular techniques among online troublemakers – and as we found out today, it works more often than you think.
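As an added illustration of the mechanism and mitigations described above (not code from the article, Twitter or Cloudhopper), here is a toy SMS-to-post gateway: the weak handler trusts the sending phone number alone, while the hardened one adds a per-account posting PIN and a hold-off after a carrier-reported SIM change. The account, numbers, PIN and SIM-change feed are constructed assumptions.

```python
"""Toy model of a text-to-tweet gateway (added example, not production code)."""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Refuse SMS posting for this long after the carrier reports a SIM/port change.
SIM_CHANGE_HOLD = timedelta(hours=48)


@dataclass
class Account:
    handle: str
    phone: str
    sms_pin: Optional[str] = None            # optional PIN required in each SMS
    tweets: List[str] = field(default_factory=list)


# Constructed data: accounts keyed by their linked phone number.
ACCOUNTS: Dict[str, Account] = {
    "+15550000001": Account("ceo", "+15550000001", sms_pin="7391"),
}
# Constructed carrier feed: phone number -> time of the last SIM/port change.
SIM_CHANGED_AT: Dict[str, datetime] = {"+15550000001": datetime(2019, 8, 30, 14, 0)}


def weak_handle_sms(sender: str, body: str, now: datetime) -> bool:
    """Posts whenever the sender number is linked to an account. Nothing else
    is checked, so whoever has the number reassigned to their SIM can post."""
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return False
    acct.tweets.append(body)
    return True


def hardened_handle_sms(sender: str, body: str, now: datetime) -> bool:
    """Same gateway with two extra checks: a SIM-change hold-off and a PIN."""
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return False
    # 1. A recent SIM change is exactly the signal a SIM swap leaves behind.
    changed = SIM_CHANGED_AT.get(sender)
    if changed is not None and now - changed < SIM_CHANGE_HOLD:
        return False
    # 2. Require "<pin> <text>" when the account has set an SMS posting PIN.
    if acct.sms_pin is not None:
        pin, _, text = body.partition(" ")
        if not text or not hmac.compare_digest(pin, acct.sms_pin):
            return False
        body = text
    acct.tweets.append(body)
    return True
```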
Chuckling Squad, the crew that took over Dorsey's account, has been pulling this trick for years. Its most famous attacks to date were a series of takeovers of online influencers, targeting as many as ten different figures before Dorsey. They seem to have a particular trick with AT&T, which is also Dorsey's carrier, though it is not known exactly how they gained control. (AT&T has not responded to a request for comment.)
The history of this type of hack is much older than Chuckling Squad or even SIM swapping. Any system that makes it easier for a user to tweet also makes it easier for a hacker to take control of the account. In 2016, Dorsey was hit by a similar attack that exploited third-party authorized plug-ins, which were often abandoned but still retained permission to post tweets to the account. That technique has become less prominent as SIM swapping has become more widely understood, but the basic goal of drive-by vandalism has remained largely unchanged.
Still, the incident is embarrassing for Twitter, and not just because of the immediate scramble to regain control of the CEO's account. The security world has been aware of SIM-swapping attacks for years, and Dorsey's account has been compromised before. The simple failure to secure the CEO's account is a serious mistake for the company, one that goes well beyond a few minutes of chaos. Hopefully Twitter learns from the incident and prioritizes stronger security – perhaps even retiring the text-to-tweet feature – but given the company's track record, I doubt many people will hold their breath.