Twitter Hack Shows Dangers of Third-Party Access

Sue Marquette Poremba

Even though I don’t use it as much as I should, I’m a big fan of Twitter. I like the immediacy of it, and its use as a tool to get information to the world quickly.

At the same time, Twitter has serious flaws that have led to hacked accounts that were then taken over by bad actors. Remember a couple of years ago when the Associated Press account was hijacked and reported that the White House had been bombed and the president was injured? It caused the stock market to crash.

The vulnerabilities of Twitter become even more urgent today as we have a president who uses Twitter as his primary communication tool and on an Android device with questionable security. That concern was driven home earlier this week when it was announced that high-profile Twitter accounts were hacked through a third-party Twitter app and, as CIO Today reported:

During the attack, tweets featuring swastikas and Nazi references were posted to Twitter accounts for the BBC North America, Justin Bieber, the World Meteorological Organization and U.K. computer security expert Graham Cluley, among others.

As Michael Patterson, CEO of Plixer International, told me via email comment, based on the nature of the attack, it wouldn’t be surprising if this was a state-sponsored hack meant to generate global attention that would likely not have been possible through any other method.

The attack also showed how vulnerable sites like Twitter are to third-party apps with access to their platform. Users regularly give permission (often unwittingly) to the third-party app on download, and this gives hackers easy entry to the important stuff. As RJ Gazarek, product manager at Thycotic, told me in an email statement:

For this takeover specifically, Twitter should take a close look at applications that can post on behalf of the user, or provide unfettered access to the account. I would look to Twitter to add some additional layers of security, so that even if an application is compromised, there isn’t a way for someone to gain complete access to an account. At the end of the day, the responsibility lands on Twitter.

Overall, we should expect this to become the norm, Gazarek added, because we rely on connected infrastructure and applications. It just takes one application to have a vulnerability to potentially bring down the entire ship.

While I recognize that the images involved with this particular hack were upsetting to many (myself included), the hack itself was meant to make a statement and not, I think (yet), to cause real damage. But I think organizations need to see this as a warning. Vulnerabilities in social media sites and third-party apps accessing them can cause real damage to your brand – or, if President Trump’s Twitter account is hacked, to national security or our economy. What steps can we take? Chris Roberts, chief security architect at Acalvio, told me that the steps are easy but we are reluctant to use them: Don’t recycle passwords, use two-factor authentication, know where your data is and who has access to it, and:

Oh, and we also need to hold vendors responsible!

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba

Mar 17, 2017 1:57 AM Avital Avital  says:
I invite you to have a look at http://sourcedefense.com/ There is finally a good solution websites can implement to avoid such issues.