A debate over how far you can go to raise awareness of vulnerabilities reignited yesterday after Insinia Security hijacked celebrity Twitter accounts.
In the arguments over whether this can be justified, I’m torn over which side of the fence I sit on. Like me, I’m sure you don’t expect reputable security firms to act like cyber criminals, even if you do expect them to have the same knowledge, skills and insight.
Insinia sent tweets from accounts that did not belong to them. These included a tweet to say the account had been hijacked along with a retweet of a blog post explaining how this was possible.
In doing this they didn’t:
- access data belonging to the account
- lock the real account holder out
- post anything controversial.
Instead, they raised awareness that an account was vulnerable. Surely there’s no harm in that?
But there is. People get uncomfortable when professional firms involve themselves in anything other than ethical hacking. Here’s a quick definition:
An ethical hacker is an individual who is trusted to attempt to penetrate an organisation’s networks and/or computer systems using the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner. (IT Governance Ltd)
Put simply, the difference between hacking and ethical hacking is permission. Ethics aside, hijacking the accounts without permission is enough to argue they broke the law. Coupled with an approach that appears more like a publicity stunt than good practice, it brings their professionalism and the profession into disrepute.
None of this changes the fact that the vulnerability they found is real, damaging and so easy to exploit that all it takes is a text message.
Feature or security flaw?
Text messages were at the heart of Twitter’s early development and one of the reasons the original length of a tweet was limited to 140 characters. The creators envisaged that people would be more likely to find valuable uses for Twitter on their mobile phone than on a computer. The proliferation of smartphones, faster mobile internet and apps gave us the Twitter we are familiar with today, but hidden away under the bonnet is this original text message functionality.
It is this forgotten feature that the security team at Insinia exploited to post tweets from celebrity accounts by sending text messages to Twitter with spoofed sender numbers. Number spoofing is a relatively simple process and within the grasp of anyone with a few minutes to learn how or who can find an online service to do it for them.
As the text message appears to be sent from the telephone attached to the account, Twitter assumes it is legitimate and posts the tweet. In the same way, an attacker can follow, unfollow, retweet and direct message other users from that account.
Why I’m on the fence
I can’t disagree with Insinia that Twitter should have fixed this vulnerability long ago. Outside of the US, Twitter did offer some protection by requiring you to add a passcode to your text message, but obviously this wasn’t the default setting – or Insinia’s hack would never have worked.
They have a point that Twitter should not automatically enable this feature when people add a mobile telephone number. When you need to add a telephone number to activate account security like login notifications, the last thing you expect is to be exposed to bigger problems elsewhere.
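The two paragraphs above describe the flaw (a text message is accepted on the strength of its sender number alone) and the two fixes (a passcode, and not switching the feature on automatically). The following is an added example, not code from the original post, from Twitter or from Insinia: a toy model of an SMS command gateway with the weak handler beside the hardened one. The account, the phone number, the passcode and the messages are all constructed for illustration.

```python
"""Added example (not from the original post): a toy SMS command gateway
showing why the caller ID of a text message is not authentication, and how
a per-account passcode plus a default-off setting closes the hole.

All names, numbers, passcodes and messages are constructed for illustration."""

from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    username: str
    phone: str                       # number added for login notifications etc.
    sms_posting: bool = False        # hardened default: posting by SMS is opt-in
    sms_pin: Optional[str] = None    # secret the handset owner sets when opting in
    timeline: list = field(default_factory=list)


@dataclass
class InboundSms:
    sender: str   # caller ID as reported by the carrier: NOT authenticated
    body: str


def post_via_caller_id(accounts: dict[str, Account], sms: InboundSms) -> str:
    """Weak handler: the only 'credential' is the sender number. Because the
    carrier network does not verify it, any message that arrives with an
    account's number as caller ID is treated as coming from that account."""
    acct = accounts.get(sms.sender)
    if acct is None:
        return "rejected: unknown number"
    acct.timeline.append(sms.body)
    return f"posted as @{acct.username}"


def post_with_pin(accounts: dict[str, Account], sms: InboundSms) -> str:
    """Hardened handler: SMS posting must be explicitly enabled, and the body
    must begin with a passcode only the handset owner knows. The passcode is
    the authenticator; the sender number is just a lookup key."""
    acct = accounts.get(sms.sender)
    if acct is None or not acct.sms_posting or acct.sms_pin is None:
        return "rejected: SMS posting not enabled for this number"
    pin, sep, text = sms.body.partition(" ")
    # constant-time comparison so the check does not leak the PIN via timing
    if not sep or not hmac.compare_digest(pin.encode(), acct.sms_pin.encode()):
        return "rejected: bad passcode"
    acct.timeline.append(text)
    return f"posted as @{acct.username}"


def demo() -> dict[str, str]:
    """Runs both handlers over constructed messages and returns the outcomes."""
    results: dict[str, str] = {}
    celeb = Account(username="celeb", phone="+15550100")  # constructed number
    accounts = {celeb.phone: celeb}
    # A message whose caller ID carries the account's number. The gateway has
    # no way to tell whether it really came from the owner's handset.
    unverified = InboundSms(sender=celeb.phone, body="this account was not secure")

    results["caller_id_only"] = post_via_caller_id(accounts, unverified)
    results["hardened_default_off"] = post_with_pin(accounts, unverified)

    # The owner opts in and sets a passcode (constructed value).
    celeb.sms_posting = True
    celeb.sms_pin = "4821"
    results["hardened_without_pin"] = post_with_pin(accounts, unverified)
    results["hardened_with_pin"] = post_with_pin(
        accounts, InboundSms(sender=celeb.phone, body="4821 posting from my phone"))
    results["timeline"] = " | ".join(celeb.timeline)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The weak handler posts the first message outright; the hardened handler rejects it twice, once because the feature is off by default and once because the body carries no valid passcode, and only accepts the message that starts with the owner's PIN. The lookup by phone number is kept in both versions because it is harmless as an index; the defect is using it as proof of identity.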
Imagine the consequences for a public figure if a controversial tweet was sent from their account. Think how quick we can be to dismiss the old ‘my account was hacked’ excuse when someone gets themselves into trouble. What if it happened to a colleague, a partner or you?
To that extent, I’m glad Insinia did what they did. But not how they did it.
It’s never ethical to hack without permission, and worse still to do so as a publicity stunt. Nonetheless, if Twitter were to go down the road of legal action against Insinia [which is their right], then I’d think a little less of them as a result.