Twitter Hack Shows Dangers of Third-Party Access

    Even though I don’t use it as much as I should, I’m a big fan of Twitter. I like the immediacy of it, and its use as a tool to get information to the world quickly.

    At the same time, Twitter has serious flaws that have led to hacked accounts that were then taken over by bad actors. Remember a couple of years ago when the Associated Press account was hijacked and reported that the White House had been bombed and the president was injured? It caused the stock market to crash.

    The vulnerabilities of Twitter become even more urgent today, as we have a president who uses Twitter as his primary communication tool, and does so on an Android device with questionable security. That concern was driven home earlier this week when it was announced that high-profile Twitter accounts were hacked through a third-party Twitter app and, as CIO Today reported:

    During the attack, tweets featuring swastikas and Nazi references were posted to Twitter accounts for the BBC North America, Justin Bieber, the World Meteorological Organization and U.K. computer security expert Graham Cluley, among others.

    As Michael Patterson, CEO of Plixer International, told me in an email comment, based on the nature of the attack, it wouldn’t be surprising if this was a state-sponsored hack meant to generate global attention that would likely not have been possible through any other method.

    The attack also showed how vulnerable sites like Twitter are to third-party apps with access to their platform. Users regularly give permission (often unwittingly) to the third-party app on download, and this gives hackers easy entry to the important stuff. As RJ Gazarek, product manager at Thycotic, told me in an email statement:

    For this takeover specifically, Twitter should take a close look at applications that can post on behalf of the user, or provide unfettered access to the account. I would look to Twitter to add some additional layers of security, so that even if an application is compromised, there isn’t a way for someone to gain complete access to an account. At the end of the day, the responsibility lands on Twitter.

    Overall, we should expect this to become the norm, Gazarek added, because we rely on connected infrastructure and applications. It just takes one application to have a vulnerability to potentially bring down the entire ship.

    While I recognize that the images involved with this particular hack were upsetting to many (myself included), the hack itself was meant to make a statement, and I don’t think (yet) cause real damage. But I think organizations need to see this as a warning. Vulnerabilities in social media sites and third-party apps accessing them can cause real damage to your brand – or, if President Trump’s Twitter account is hacked, to national security or our economy. What steps can we take? Chris Roberts, chief security architect at Acalvio, told me that the steps are easy but we are reluctant to use them: Don’t recycle passwords, use two-factor authentication, know where your data is and who has access to it, and:

    Oh, and we also need to hold vendors responsible!

    Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba

    Sue Poremba
    Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
