OTPs as Second Factor
This is the tale of how I got locked out of my Twitter Account. During the digital journey of me trying to get it back, I discovered important safety rules when dealing with Twitter, how their system has security gaps leading to the lockout being useless and how Twitter manages to keep their user numbers growing. So here’s an account of how the little blue bird goes about doing things.
It’s my lunchbreak. Everything is awesome. I eat my food, sit down at my computer and I think to myself “Man, I should really tweet something.” Now, my usual modus operandi is to go on Twitter and find either a funny picture of something or tweet nonsense such as the names of racehorses or the punchlines of jokes that lack any and all context. I have no idea why, but people apparently like to read this stuff. We live in strange times.
Thus, off to Twitter I am. But instead of my usual screen where I can tweet things and see what the people I’m following are up to, I get a message that tells me that someone else might be using my profile. There’s a brief moment of panic in which I wonder what ramifications it might have that my Twitter’s been compromised. None, I realize. Because I have taken, way back in the day, some precautions. These are recommendations
So for any kind of hacker or whatnot, there is nothing to be gained by taking over my account. I mean, content-wise, it could only be an improvement seeing as the only thing he or she could do was to start making sense. This – while detrimental to my previous concept of tweeting – would be a massive improvement when it comes to content if anything.
Still, I’ve grown attached to my account so I decide to try my luck with Twitter’s account recovery tool. It looks simple enough, really. Two fields. One’s for either an e-mail address or a phone number, the other is for your username. Now, my e-mail address is one that I haven’t used in years and it’s expired. So the only way I could get my account back as it stands now is to enter my phone number. Long ago, I made it a policy that my phone number has no business being anywhere on the internet. Is that a naïve approach? Absolutely, because I have Twitter synced to my phone. Just like my Facebook has been synced to my phone. As has my Google+ account.
In theory, a lockout is basically something that completely freezes your account. Until you have confirmed that you’re the account’s rightful owner and delivered proof of that, nobody can access your account, not even you. This is done so that nobody can meddle with it. In the case of Twitter, that would very probably be something to the extent of the attacker tweeting horrible things and getting your account banned. This, while essentially being completely meaningless when applied to the larger goings-on of everyday life and the future of the human race, can result in a massive image problem. You could lose followers and credibility. This is important in today’s world.
So it would make perfect sense for Twitter to actually block your account, right? Well, they don’t. If you use your desktop computer to navigate to www.twitter.com, you will find a screen that tells you that your account has been locked. That’s cool. All you need to do is confirm that your account is yours by providing a phone number or an e-mail address. More on that in a bit, we’re now talking basic security here and up until now, this seems to be pretty secure, all in all.
I got locked out of my Twitter account about three weeks ago. To this day, I can still post Twitter updates from my phone. So why is this?
This is due to an OAuth token that is still valid. Twitter uses OAuth to enable other applications to perform certain actions on an otherwise protected account. In the case of Twitter, this means that the Twitter application on my phone is allowed to read my Twitter feed, tweet on my behalf and perform a variety of other functions. So while this token is still in effect, I can still access my account and do whatever I like using my mobile device.
Gaining unauthorized access to a phone is much, much easier than gaining unauthorized access to a computer. Or to do a really, really simple exercise in figuring out how much of a flaw this is: How often have you heard someone tell you either “My phone got stolen” or “I lost my phone” as opposed to “My computer got stolen” and “I lost my computer”? So when you factor basic human behaviour into the whole process of security – which I would claim is essential when you’re running a business like Twitter – then this lockout is shockingly ineffective.
So I go check on Twitter’s info page about OAuth, where it states:
We do not currently expire access tokens. Your access token will be invalid if a user explicitly rejects your application from their settings or if a Twitter admin suspends your application.
So basically, if I manage to have a valid token that is years old in some cases, then I can continue to tweet on a regular basis despite any and all lockouts that may or may not be enforced.
Of course, I want to know just how big that hole is. And luckily, we have plenty of Smart Devices here to test stuff on. So I grab one of our iPhones and install Twitter on it. I wonder if I can bypass the lockout by obtaining another OAuth token on another device.
But even after trying many variations of my username, with @-sign, without it, using the expired mail-address… nothing. A locked account will not get a new token from what I can tell. Were I able to forge said token, then I could access my Twitter account from any device, long after the lockout.
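The two observations above (an already issued token keeps working after the lock, while a locked account is refused a fresh token) come down to what the API checks on each request. The following is an added example, not code from the original post and not Twitter's implementation: a small in-memory model in which `TokenService`, `Account`, `Token`, the account name `example_user` and all method names are constructed for illustration. It contrasts a check that looks only at the token with one that also consults the account's lock state, and shows revoking live tokens at lock time as the alternative fix.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    locked: bool = False


@dataclass
class Token:
    value: str
    username: str
    issued_at: float
    revoked: bool = False


class TokenService:
    """Constructed, in-memory stand-in for an OAuth-style bearer-token store.

    All names and behaviour here are assumptions made for this example;
    this is not Twitter's code.
    """

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.tokens: dict[str, Token] = {}

    def add_account(self, username: str) -> None:
        self.accounts[username] = Account(username)

    def issue_token(self, username: str) -> str:
        """Issue a new bearer token; a locked account gets none."""
        account = self.accounts[username]
        if account.locked:
            raise PermissionError("locked account: no new token issued")
        token = Token(secrets.token_urlsafe(32), username, time.time())
        self.tokens[token.value] = token
        return token.value

    def lock_account(self, username: str) -> None:
        """Lock only; previously issued tokens are left untouched."""
        self.accounts[username].locked = True

    def lock_account_and_revoke(self, username: str) -> int:
        """Lock and revoke every live token of the account; returns how many."""
        self.lock_account(username)
        revoked = 0
        for token in self.tokens.values():
            if token.username == username and not token.revoked:
                token.revoked = True
                revoked += 1
        return revoked

    def authorize_token_only(self, token_value: str) -> bool:
        """Weak check: inspects the token alone, so a lock never reaches the API."""
        token = self.tokens.get(token_value)
        return token is not None and not token.revoked

    def authorize_with_account_state(self, token_value: str) -> bool:
        """Hardened check: the token must be live AND the account must not be locked."""
        token = self.tokens.get(token_value)
        if token is None or token.revoked:
            return False
        return not self.accounts[token.username].locked


def demo() -> dict[str, object]:
    """Replay the scenario from the post with constructed data."""
    svc = TokenService()
    svc.add_account("example_user")                 # constructed account name
    phone_token = svc.issue_token("example_user")   # the token the phone app holds

    # Lock as described: web login is blocked, the old token is not touched.
    svc.lock_account("example_user")
    still_works = svc.authorize_token_only(phone_token)       # True: the gap
    blocked = svc.authorize_with_account_state(phone_token)   # False: lock honoured

    # A fresh token for the locked account is refused.
    try:
        svc.issue_token("example_user")
        new_token_issued = True
    except PermissionError:
        new_token_issued = False

    # Revoking at lock time closes the gap even for the weak check.
    revoked = svc.lock_account_and_revoke("example_user")
    works_after_revoke = svc.authorize_token_only(phone_token)  # False

    return {
        "token_only_after_lock": still_works,
        "account_state_after_lock": blocked,
        "new_token_issued_while_locked": new_token_issued,
        "tokens_revoked": revoked,
        "token_only_after_revoke": works_after_revoke,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Either fix works on its own: checking account state per request keeps the lock authoritative without touching the token store, while revoking at lock time also invalidates tokens held by every other client the user has authorized.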
But, I’ll readily admit, this is quite a lot of work compared to all other means of accessing my account again. Besides, it doesn’t really provide a decent attack vector for anyone as it requires an attacker to know my login credentials. And if the attacker knew those, then there would be no reason to enforce a lockout, get another device, forge a token, access my account and change the password to hijack my account for good.
So I try to recover my account, because I would very much like to continue to post punchlines of jokes as well as the names of racehorses. I don’t even remember how I came up with that concept. I blame Alan Partridge. It is here that I run into a first problem: The mail-address I used to sign up to Twitter belonged to a domain I have owned once upon a time but have let expire. So my only option was to give Twitter my phone number, which is something I really do not want to do.
Luckily, the internet has come up with something quite ingenious. Websites that provide mobile phone numbers are a thing, apparently. However, it is not clear who runs these sites and what exactly is done with the received text messages. But the services are used often and this seems to be a useful service. Only that in the case of Twitter, you need to have told them your phone number before you got locked out. Thus, I have no choice but to give up on my punchline-and-racehorses account.
There is one last method that I can try. It’s the part where you contact Twitter’s support team, but that will take days to get through and you need to enter your e-mail address to get your account back. So this really is the end for my old handle.
On to registering a new account, then. Sure, I’ll lose my followers and all my tweets are lost. Oh well, there you go, you meaningless internet points. And I expect there to be your regular login form. Choose a nickname, enter real name, enter mail address, enter phone number (optional), enter birthday, enter all sorts of other things that – correlated with your posting history and clever marketing – will end up being advertising revenue for Twitter. But I was wrong. All Twitter wants to know in a first step is your full name, a mail address and a password. The rest is pretty much done by the service. The only thing you might have to do is pick your handle. And, of course, you need to validate your e-mail address, which can also be done anonymously.
It’s obvious why this is done. This keeps the number of users high and growing. According to Twitter, the company has 255 million users. The numbers are subject to debate as Twitter does not release them on a regular basis. Other sites speak of 645 million users and 135 000 new users per day. This sounds sort of unrealistic, but it’s at least somewhat likely. Because, doing the math, I figure out that at the current rate, it will take 149.26 years until everyone on Earth has a Twitter account, assuming that about 8 billion people currently inhabit our planet. But the people who get second accounts obviously make that number slightly larger, which sounds like more potential to the advertising people.
Twitter is not consistent when it comes to their handling of OAuth tokens, which are mandatory for all mobile applications. This may prove to be a security risk, even if it is a pretty unlikely scenario, especially when making new accounts is shockingly easy. Also, Twitter is intent on keeping user numbers as well as numbers of new sign-ups high so that they may make more profit off of it.
And my old Twitter account? Well that one will remain active on my phone. Until my phone goes kaput.