How Twitter CEO Jack Dorsey’s Account Was Hacked

Credit to Author: Brian Barrett| Date: Fri, 30 Aug 2019 21:56:41 +0000

Like so many Twitter attacks lately, it was a SIM swap.

Jack Dorsey’s ongoing mission to increase the civility of public discourse suffered a setback Friday, when an anonymous hacker took over his Twitter account for 20 minutes and retweeted @taytaylov3r’s claim that “nazi germany did nothing wrong.”

Twitter, as you likely know if you've spent any time there, has an ongoing, well-documented problem with Nazis, white supremacists, and other extremists. It appears taytaylov3r's account has since been suspended.

The hijacking of the company CEO's account appears to have started at around 3:45 pm Eastern time, when the @jack account fired off nearly two dozen tweets and retweets. Several of the tweets were tagged #ChucklingSquad, the name of an apparent group of hackers who have been on an account-takeover spree this week. Before Dorsey, they hit numerous influencers, including Zane Hijazi of the popular Zane and Heath podcast, and Anthony Brown, who goes by BigJigglyPanda. Chuckling Squad also appears to have compromised and posted mocking messages to the account of YouTuber Etika, who was found dead in June.

Which makes the @jack hack potentially just the latest, and most high-profile, in a string of takeovers. Twitter confirmed the incident in a tweet—in case anyone thought Dorsey was intentionally making bomb threats from his account—and said that the company was “investigating what happened.”

Some of the influencers who got hit in the last two weeks have blamed so-called SIM swap attacks, with a particular focus on AT&T. In a SIM swap, a hacker either convinces or bribes a carrier employee to switch the number associated with a SIM card to another device, at which point they can intercept any two-factor authentication codes sent by text message. (It’s hard to stop a determined SIM swapper, but at the very least you should switch from SMS two-factor to an authenticator app). AT&T did not immediately respond to an inquiry from WIRED about the spate of hacks this month, or whether the @jack incident was related.

Twitter confirmed that it was a SIM issue in a tweet Friday evening.

https://twitter.com/TwitterComms/status/1167591003143847936

One potential clue lay in the tweets themselves, which displayed as having been sent from the Cloudhopper client. Cloudhopper was a messaging infrastructure company that Twitter acquired in 2010 to better integrate its service with SMS. That’s led to some speculation that Dorsey was somehow still signed into Cloudhopper for all these years, and the hackers got a hold of that account. But that’s not quite right.

It turns out that the Twitter API marks any tweet that comes from a text message as coming from the “Cloudhopper” client. This also explains a mini-mystery from 2017, when Apple CEO Tim Cook tweeted a lone smiley face and soon deleted it with no further commentary. The tweet declared itself as having come from Cloudhopper as well; in fact, Cook had errantly sent a text to his Twitter account. That classification of SMS persists today, as demonstrated below:

It's notoriously easy to manually change what client displays with your tweets, which could have happened here. But it would certainly be the simplest explanation, and the easiest way for an interloper to fire off tweets from @jack. In the past, hacking groups have taken advantage of password reuse to compromise high-profile Twitter accounts. But by tweeting from the phone number associated with Dorsey’s Twitter account, Chuckling Squad wouldn’t have needed to know his password at all. As you can see in Twitter’s published workflow for setting up SMS tweets, at no point do you need to enter one. Texting from that phone number serves as proof of your identity. You can also retweet the most recent tweet from any given account from SMS—although all of the accounts the hackers tweeted appear to have been suspended already, so it's hard to confirm that's what happened.

What's even less clear is how Dorsey recovered his account intact, although hopefully Twitter will provide a full post mortem at some point. If and when it does, it should also consider the consequences of putting so much faith in a SIM card, whether that's what happened here or not. Otherwise, the Chuckling Squad is always going to have the last laugh.

UPDATE 8/30/19 8:25 PM EST: This story has been updated with Twitter's confirmation of the nature of the attack.

https://www.wired.com/category/security/feed/

Leave a Reply