Twitter leaks were bad but worse may be yet to come, says expert


The revelation that the data of 5.4 million Twitter users is for sale on the dark web might have come as a shock to many, but that could just be the tip of the iceberg.

A threat actor advertised the Twitter handles last month, thought to have been obtained by exploiting a vulnerability that the social media platform says it patched back in January after being alerted to it by a HackerOne platform user.

But with so many app providers failing to offer industry-standard authentication, not to mention a glut in software-as-a-service (SaaS) apps on the market prompted by the COVID crisis, the cybersecurity industry could be in for a rocky ride over the next few years.

Matt Chiodi, Chief Trust Officer at secure identification provider CERBY, reckons that what he calls the “long tail” of “unmanageable apps” could be the makings of one big headache for security-conscious employers and employees in the near-to-mid future.

Just over half of respondents want their IT department to "get out of the way" and let them use the tech they feel comfortable with to do their jobs.

CERBY survey of 500 businesspeople in the UK and US

A report commissioned by his firm found that 92% of respondents – 500 businesspeople in the UK and US across a range of industries – want full control over the apps that they use at work. Three in five said that having a favored app blocked or banned by their employer – even if the latter had valid cybersecurity reasons for doing so – negatively impacted the way they felt about their organization.

Just over half of respondents were even blunter, saying that they just wanted their IT department to “get out of the way” and let them use the tech they felt most comfortable with to do their jobs.

Chiodi feels this has been driven by the pandemic, which forced staff to work remotely and find ways to stay productive at home. This, he says, they have done: but at the expense of good cyber hygiene, as they have come to depend on apps that are at risk of being hijacked by cybercriminals.

Cybernews sat down with Chiodi to discuss in further detail what the recent Twitter leak could mean for entities of all sizes, from the multinational down to the individual user.

Did the recent Twitter dark web leak surprise you?

This is an interesting one. I would say this was probably one of the largest violations of user privacy on a social platform in recent history. While technically the vulnerability was limited to the Android client, it still allowed access to every Twitter user. The report shows that there are over 5.4 million Twitter accounts now up for sale on the dark web, but we have to assume that many more users were potentially enumerated. I think what's important to remember about this vulnerability is that it required no authentication. You didn't have to put in a username, password, nothing – all you had to do was supply a phone number or email address.

The reason I think this is really critical is it completely violated user anonymity. So if you sign up with a generic Twitter ID, maybe you've got a really strong political opinion on something. You're like: “I don't want to put it in my name, so I'm going to create this really cool Twitter ID.” But you tied it to your personal phone number or email, and then you posted all kinds of controversial stuff? You can now potentially be outed from this. Because as long as I know either your phone number, or if I find an email address, all I have to do is follow this vulnerability, and I could find all the Twitter accounts that were associated with it. Now to Twitter's credit, they very quickly fixed this vulnerability. It was disclosed January 1, by the 6th they had triaged it, and by the 13th they had fixed it. So about twelve days from reporting to closing. That's a quick response – but still...

It wasn't quick enough?

No, it wasn't. Here's the thing people often forget: this individual disclosed it to them on January 1, but we don't know how long it was available prior to that. Somebody, nation-states, could have known about this for months and been [data] mining. This is just when it was disclosed via HackerOne.

So you think far more than just 5.4 million users might have been affected - could we be talking about tens of millions?

Twitter has about 230 million monthly active users – those are people who are on the platform all the time. The gating factor with this vulnerability is you'd still have to know someone's phone number or an email address – that's the only reason I think it's probably not in the hundreds of millions. More than likely, Twitter has protections in place that would have slowed things down. But I'm going to guess yes, it's probably in the tens of millions.

That's interesting because while you would indeed need a phone number or email, such data is often harvested nowadays anyway…

Exactly. Email breaches, you can buy these lists for dollars. Email addresses are public information.

And often, they can be guessed as well, if they are common enough...

Absolutely.

Where do you see this in terms of the future for social media companies? There was a time when nobody could have envisioned smoking being banned in public places: you go back to the 1970s, we had known it was bad for us since the 1950s, but even then, it didn't seem as though we were ever going to get to where we are today… If we keep hearing about poor cyber hygiene, could we start to see real restrictions imposed on social media as a result of incidents like this?

Certainly, when there are events that are this large, it catches the attention of lawmakers around the globe. But you have to remember that vulnerabilities like this happen all the time. It's just the fact that we are talking about a platform with over 200 million monthly active users. Let's look more broadly across the industry. This attack method has been used before. In November 2020, Palo Alto Networks’ Unit 42 threat research group found a similar attack pattern that existed in Amazon web services' APIs [application programming interfaces, which enable machines to 'talk' to each other]. So I would say that although I believe that things like this will cause lawmakers to want to put regulations in place, it is doubtful that they would have a massive effect on these types of specific vulnerabilities.

"Although lawmakers want to put regulations in place, it is doubtful they would have a massive effect on these types of vulnerabilities."

Matt Chiodi, Chief Trust Officer at CERBY

Typically what I see in terms of social media risks, in general, is more of the basic things: if you look at any of the large platforms, none of them offer what I call enterprise-grade authentication. What I mean by that is almost every business at this point uses social media as part of their marketing, PR, and brand strategy. So if you have a multinational company, they could literally have hundreds of different social media accounts for their various brands. Because none of these platforms offer enterprise-grade authentication, they have to share the passwords for these social accounts. They don't support single sign-on. So they might have invested millions of dollars into an identity platform like Okta or Azure AD – but you can't use them across any of these social platforms in the enterprise.

These apps are what I call unmanageable applications because in the enterprise especially, they are outside the control and scope of IT and security. And it's not just social media providers: if we look at the whole world of SaaS apps that are popping up every day, the vast majority also do not offer enterprise-grade authentication. Business users are using these apps on a daily basis and putting sensitive data on them.

I've spoken to people about passwordless technology using behavioral authentication. In all cases, they talk about enterprise clients being the first port of call, but they seem to think that within a few years, we will see much wider uptake – would you include social media platforms in that, or will they use the power they wield to resist that shift?

Remember that what makes these platforms powerful is the network effect. To your question around a passwordless future, we are certainly going that way. Look at what the FIDO alliance is doing: there has been recent news, I think, of Apple and Google moving towards that. Certainly, that will have a trickle-down effect. However, that long tail of SaaS applications, where someone is a startup and just getting things off the ground, they're not going to offer that. That is where you're not likely to see the adoption of passwordless for probably 5-10 years.

And here's why: the users of those platforms aren't typically IT and security, they're marketing and finance teams, and quite frankly they don't care about that capability. They're using that platform because it helps them in their daily job. What we found was that the majority of employees want to be able to choose the apps that they use to get their work done, and 52% said they just want IT and security to get out of the way. So that's what's driving it – if you are a startup and you have a product that's a SaaS, you're trying to deliver the features that the users want. If your users aren't asking you for passwordless, for enterprise grade, it may never happen.

Is this why we may need state intervention to make this kind of security feature a legal requirement? Because if you leave it up to market dynamics, as you've just pointed out, it's less likely to occur...

That's right. I've been in cybersecurity for over 20 years, and it's very pervasive in the industry that we want to blame the end users like it's their problem. It's not really. They shouldn't have to care about security. I speak with a lot of non-IT-and-security professionals, and they do care about it, they really do. Even my parents – completely non-technical – generally know not to click on links in emails.

So bringing it back to the enterprise users, applications have become intimately tied to how people are getting their work done and their level of job satisfaction. This really shifted in the last two years with COVID: remote working, it changed that psyche. This is what we teased out in our report – is this just temporary [or] is this something people have come to expect? Everybody said you have to go home and stay productive – do whatever you have to do. They took that literally and started using these different SaaS apps. They got the functionality they needed, and people don't want to change. They've been able to be productive again with this group of apps that I call unmanageable. Enterprises are going to have to figure out how to secure these applications when they don't support common standards.

"It's very pervasive in the industry to blame the end users like it's their problem. It's not really. They shouldn't have to care about security."

Matt Chiodi, Chief Trust Officer at CERBY

It's tricky, isn't it, because on the one hand, you want small businesses that are dynamic. You don't want things to be locked up by monolithic multinationals or states, but it's hard to see how you can reconcile the need to police the security of startups with their need to be creative…

Standards are one way to do that, like SOC 2 [an independent audit report on a service provider's security controls] third-party attestation. But Twitter probably does have a standard – and it doesn't guarantee that things like this aren't going to pop up. There has been a lot of talk in the industry, for a good reason, around zero trust. This vulnerability is a perfect violation of zero trust, where it basically said: “If you have a phone number or email address, then I trust you to give you back this Twitter handle.” If they had taken a zero-trust approach when they were designing that API, it wouldn't have happened.
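
The lookup flaw Chiodi describes earlier (an unauthenticated endpoint that turns any email address or phone number into the account tied to it) and the zero-trust redesign he argues for here, as an added example: this is not Twitter's code and not from the interview. It shows a hypothetical account-lookup handler in the vulnerable shape beside a hardened one that refuses anonymous callers, budgets requests per caller, and only resolves accounts whose owners opted in to being discoverable. The user table, handle names, the "discoverable" setting and the rate-limit budget are all assumptions made for illustration.

```python
"""Account-lookup enumeration: vulnerable handler beside a hardened one.

Added example, not Twitter's code. The user records, handles, the
"discoverable" flag and the rate-limit budget are hypothetical.
"""
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample user table (hypothetical). "discoverable" models a
# user-controlled setting: may other people find me by my contact details?
USERS = {
    "anon_activist": {"email": "jane.doe@example.com", "phone": "+15551234567",
                      "discoverable": False},
    "brand_official": {"email": "pr@example.org", "phone": "+15557654321",
                       "discoverable": True},
}


def vulnerable_lookup(identifier: str) -> dict:
    """The pattern described in the interview: no authentication, and any
    email or phone number is resolved straight to the handle tied to it.
    Feed it a purchased contact list and it de-anonymises every match."""
    for handle, rec in USERS.items():
        if identifier in (rec["email"], rec["phone"]):
            return {"found": True, "handle": handle}
    return {"found": False}


class RateLimiter:
    """Sliding-window limiter keyed per authenticated caller."""

    def __init__(self, max_requests: int, window_s: float):
        self.max_requests = max_requests
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] > self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


# Hypothetical budget: 5 lookups per caller per minute.
LIMITER = RateLimiter(max_requests=5, window_s=60.0)


def hardened_lookup(identifier: str, caller_id: Optional[str],
                    now: Optional[float] = None) -> dict:
    """Zero-trust version: knowing an email or phone number earns nothing.

    1. The caller must be authenticated; anonymous requests get 401.
    2. Each caller has a small per-window budget, so bulk enumeration of a
       purchased list is throttled (429) and becomes visible in logs.
    3. The target must have opted in to being discoverable; otherwise the
       reply is byte-identical to "no match", so the endpoint is not an
       existence oracle for accounts that chose anonymity.
    """
    now = time.time() if now is None else now
    if caller_id is None:
        return {"error": "authentication required", "status": 401}
    if not LIMITER.allow(caller_id, now):
        return {"error": "rate limited", "status": 429}
    for handle, rec in USERS.items():
        if identifier in (rec["email"], rec["phone"]) and rec["discoverable"]:
            return {"found": True, "handle": handle, "status": 200}
    return {"found": False, "status": 200}


if __name__ == "__main__":
    target = "jane.doe@example.com"
    print("vulnerable:", vulnerable_lookup(target))            # outs the handle
    print("hardened, anonymous:", hardened_lookup(target, None))
    print("hardened, opted out:", hardened_lookup(target, "caller-1"))
    print("hardened, opted in:", hardened_lookup("pr@example.org", "caller-1"))
```

The hardened version deliberately returns the same "not found" shape for an opted-out account and for a non-existent one; if those two cases differ in any way (status code, body, or response time), an attacker can still confirm that a contact detail belongs to some account, which is the privacy loss the interview describes.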

I presume Twitter set this down many years ago when we didn't have that amount of data harvested, whereas now it’s a serious issue if I just need an email address to mimic someone's Twitter account. These methods are obsolete, aren't they? Social media companies might be huge, but they're lagging behind the times...

They're lagging behind from an enterprise-grade authentication perspective in terms of what they're offering. These platforms have a massive amount of what I would call data gravity: they should be held to a higher standard because of the amount of data that they have. But if there was some kind of security standard in place, would that eliminate everything? No. Zero trust for all the right reasons has been a buzz, but clearly, even if you are a highly innovative SaaS company like Twitter, you can't buy a security product and get zero trust.

This goes fundamentally into how you have designed things, and these platforms are massively complex. So even if they were like: “Hey, we're going to put zero trust into everything,” it would likely take years for Twitter or Facebook to institute it into their APIs.

What would you advocate both for the end user and decision-makers in startups and bigger platforms?

Let's start with a Twitter user. Number one is you have to assume that any email you get from Twitter or LinkedIn is a scam. While Twitter suffered specifically with this vulnerability, LinkedIn is the most phished platform. So users should just assume that if an email comes in from any one of those, that it's phishing and don't click on the links. What I typically recommend is that your social media accounts should not be tied to your personal email address: you should have a separate address that is just for your social accounts.

Same thing with the phone number – I encourage people to get a VoIP [voice over internet protocol] number and use that as the one that's registered to your accounts. Again, the reason being it helps to anonymize it. So let's say that your Twitter account is tied to a separate email and phone number, that you get phished – [the threat actors] are going to be limited to what's in that email address. And if you're only using that for your social stuff, you've limited that blast radius greatly.

"You have to assume that any email you get from Twitter or LinkedIn is a scam. While Twitter suffered specifically with this vulnerability, LinkedIn is the most phished platform."

Matt Chiodi, Chief Trust Officer at CERBY

If you want to go to the next level of maybe being a little more paranoid, you could create a separate email address and phone number for every different social account. That's a little bit more difficult.

For organizations and enterprises, that recommendation still applies. But obviously, when you're a brand and managing dozens or hundreds of accounts, doing that manually is extremely painful. There are platforms where I work that automatically handle all of that, the provisioning, the automation of the email addresses. We tie those unmanageable applications back into enterprise identity providers, so we get rid of that enterprise-grade authentication problem. If organizations, for instance, want to go passwordless but maybe a downstream SaaS app doesn't support it, we support that automatically. If they're using an Okta or Azure AD and they want to go passwordless on the front end, we'll manage the passwords on the back end. The user never has to see the password.

So this can be slotted into the end user's use of a SaaS startup for better security?

Absolutely. That was the reason our founders started CERBY. They looked at the massive amounts of SaaS apps being created on a weekly basis, and the percentage of them being supported by Okta or Azure was very small. With the Cloud in place, you could probably launch a new app within a couple of weeks, and there's no requirement in place that says you have to have any kind of enterprise-grade authentication. This is a multi-billion dollar problem; this is not a small issue.

So do you think the market can correct this problem on its own without state intervention? Will we see a time when apps come on to the market working hand in hand with providers to offer up-to-date security?

I think that it will happen, but it's going to take time – it's not going to happen in the next three years, I can almost guarantee you that.

Do you have any other useful tips for our readers about how to manage apps and social media accounts safely?

Inventory and deactivate accounts. Maybe you created a Twitter account, and you don't use it? Close it. Don't leave it out there. That’s a very easy, low-cost thing a business or a user can do.

Go into your different social media accounts and review what third-party applications you granted access to. So let's say, for example, you use Gmail. At times you want to use a Chrome plugin, it'll say: “Hey, to use this, you need to grant access to your Gmail account.” A lot of people do that with their social accounts, and what they don't realize is once you've granted that third-party access to your account, that access stays until you delete it. If that third-party provider gets hacked, that's a pathway right into your account.

Last but not least, review access frequently. This has more to do with enterprise users of social platforms because none of them support enterprise-grade authentication, and a lot of companies use a third-party agency to manage their social accounts – so now you've got to share it with them too. Somebody leaves the agency, that [former] employee still has the password.