On Friday afternoon, the 4.2 million Twitter followers of Jack Dorsey received an unpleasant surprise. A group of vandals had access to the account and used that access to blow away a stream of offensive messages and plugs for the disagreement channel of their group. Within 15 minutes the account was back under control and the group was banned from Discord, but the incident recalled the serious vulnerabilities in even the most talked-about accounts, and how unsafe telephone authentication has become.
The hackers came in via the text-to-tweet service from Twitter, managed by the acquired service Cloudhopper. With the help of Cloudhopper, Twitter users can post tweets by send text messages to a short code number, usually 40404. It's a handy trick for SimplePhones or if you don't have access to the Twitter app. The system only requires linking your phone number to your Twitter account, which most users already do for individual security reasons. As a result, control over your phone number is usually sufficient to post tweets to your account and most users have no idea.
It turned out that checking Dorsey's phone number wasn't as hard as you might think. According to a Twitter statement, a "security surveillance" by the provider allows the hackers to get control. In general, this type of attack is called SIM hacking – which essentially convinces a provider to assign the Dorsey number to a new phone that they controlled. It is not a new technique, although it is used more often to steal or Bitcoin high-quality Instagram handles. It is often as simple as connecting a leaked password. You can protect yourself by add a pin code to your courier account or registering web accounts such as Twitter via dummy telephone numbers, but those techniques can be too much to ask the average user. As a result, sim swapping has become one of the favorite techniques of online troublemakers – and as we have discovered today, it works more often than you might think.
Chuckling Squad, the crew who took over the Dorsey account, has been playing this trick for years. Their most prominent attacks to date have been a series of online influencers no fewer than ten different figures were aimed before Dorsey. They seem to have a specific trick with AT&T, which is also the carrier of Dorsey, although it is unclear how exactly they gained control. (AT&T did not respond to a request for comment.)
The history of this type of hack is much older than Chuckling Squad or even SIM swapping. Any system that makes it easier for a user to tweet also makes it easier for a hacker to take control of the account. In 2016, Dorsey became the target of a similar attack using authorized third-party plug-ins, which were often abandoned but still retained the permission to send tweets to the account. That technique has become less prominent as SIM exchange techniques are more widely understood, but the basic goals of drive-by vandalism have largely remained unchanged.
Yet the incident is shameful for Twitter, and not just because of the immediate struggle to regain control of the CEO's account. The security world has been aware of attacks by SIM swaps for years and the Dorsey account had already been destroyed. The simple failure to secure control over the CEO's account is a major failure for the company, with consequences that go well beyond a few minutes of chaos. Hopefully, Twitter will learn from the incident and prioritize stronger security – maybe even Twitter verification moving SMS – but given the company's track record, I doubt that many people will hold their breath.