Last week, researchers from Insinia Security hijacked the Twitter accounts of a number of celebrities. But, unlike previous incidents where high profile users were hacked with the intent of defacing popular accounts or proliferating cryptocurrency scams , Insinia took control of the Twitter accounts to highlight security issues. According to an article on Medium , which the hackers linked in the affected accounts, security flaws in Twitter's SMS commands system allowed the researchers to take control fairly easily. The researchers didn't disclose how they found the phone numbers associated with certain accounts, but they called that critical step "surprisingly easy." Insinia Security highlighted this issue in March and November of this year, but they seem to hope that these celebrity hacks will motivate Twitter to decouple phone numbers from accounts. Thanks to the BBC for spotting the hack.
How it could be abused by nation states, hackers and organised crime groups: Ruin the reputations of people & organisations by retweeting offensive/extremist material, Spread fake news and disinformation via influential celebrities and journalists, Covertly like tweets so that the likes show up on feeds - again this could be used to like offensive/extremist material to ruin reputations and like fake news and/or products/services from companies to influence the general public, Send direct messages to trusted contacts in the victims network to socially engineer people into clicking links that will install advanced malware to remotely control devices and monitor the users, Tweet a link to an attacker controlled site that will silently install malware on users PC, phones or tablet with no user interaction, Direct message an attacker controlled account with content that could be used to blackmail, harass or harm the victim.
Posted byalphaatlas 8:37 AM (CST)