
Twitter, 17-year-olds, and the difference between a hack and a cover-up

Written by Reflare Research Team | Sep 1, 2020 5:40:00 PM

Mr. Clark did not need to find and exploit a software vulnerability in Twitter's platform. He got in the old-fashioned way: by impersonating a Twitter employee and talking a colleague into handing over credentials for Twitter's internal administrative tools.


Ask and you shall receive.


A 17-year-old recent high school graduate named Graham Ivan Clark has been charged in the recent Twitter hack.

In this briefing, we will take a look at how a 17-year-old could breach one of the biggest IT companies in the world and what this hack (and his quick arrest) tell us about hacking in general.

How the hack happened

Mr. Clark, possibly with two accomplices, first worked his way into Twitter's broader internal environment, which gave him a way to reach other employees. He then impersonated a Twitter employee and tricked a colleague into handing over their credentials for Twitter's administrative interface.

This is one of the oldest tricks in hacking and is a basic scenario that every security awareness training cautions against. Sharing accounts with co-workers - even if the request comes from the real person - is incredibly risky.

Once Mr. Clark gained access, he leveraged his position to take over various accounts owned by high-profile people and organizations. He then set up a basic Bitcoin transfer scam and tweeted it out through the accounts.

What does this tell us?

For one, it tells us that Twitter's security policies are frighteningly weak. Considering that a single well-placed tweet from an official account could lead to deaths or even war, allowing a single administrator without oversight to take over arbitrary accounts is reckless, to say the least. The high volume of moderator action required by a platform like Twitter probably makes a four-eyes (two-person approval) system for access to all user accounts prohibitively expensive. It is still surprising that not even very high-profile accounts are protected by such a policy: a second approver for account-takeover actions on a small, flagged set of accounts would have stopped a single stolen credential from being enough.
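The following is an added illustration of the policy argued for above, not Twitter's code or any description of Twitter's real tooling. It models a four-eyes gate in which takeover-class admin actions (password reset, email change, 2FA removal, posting as the user) on a small flagged set of high-profile accounts require a second, distinct approver, while routine actions on ordinary accounts keep the single-administrator path. The account names, action names and the `attempt_takeover` helper are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample policy data (assumption for this example, not Twitter's
# real configuration): accounts flagged as high-profile, and admin actions
# that amount to taking over an account.
PROTECTED_ACCOUNTS = {"head_of_state", "central_bank", "ceo_bigcorp"}
TAKEOVER_ACTIONS = {"reset_password", "change_email", "disable_2fa", "post_tweet"}


class ApprovalError(Exception):
    """Raised when the four-eyes policy blocks an action."""


@dataclass
class AdminAction:
    action: str
    target: str
    requested_by: str
    approved_by: Optional[str] = None
    executed: bool = False
    audit: List[str] = field(default_factory=list)

    def needs_second_approver(self) -> bool:
        """Only takeover-class actions on protected accounts are gated;
        routine moderation of ordinary accounts keeps its single-admin path."""
        return self.target in PROTECTED_ACCOUNTS and self.action in TAKEOVER_ACTIONS

    def approve(self, approver: str) -> None:
        if approver == self.requested_by:
            # One stolen credential must never satisfy both roles.
            self.audit.append(f"denied: {approver} tried to self-approve")
            raise ApprovalError("requester cannot approve their own request")
        if self.approved_by is not None:
            raise ApprovalError("already approved")
        self.approved_by = approver
        self.audit.append(f"approved by {approver}")

    def execute(self, perform: Callable[["AdminAction"], None]) -> None:
        if self.needs_second_approver() and self.approved_by is None:
            self.audit.append(
                f"blocked: {self.action} on {self.target} needs a second approver"
            )
            raise ApprovalError("protected account: second approver required")
        perform(self)
        self.executed = True
        self.audit.append(
            f"executed {self.action} on {self.target} by {self.requested_by}"
        )


def attempt_takeover(admin: str, target: str, approver: Optional[str] = None) -> AdminAction:
    """Simulate an administrator (or an attacker holding that administrator's
    credentials) resetting a target account's password, optionally with a
    second approver. The backend call is a stand-in lambda."""
    act = AdminAction(action="reset_password", target=target, requested_by=admin)
    if approver is not None:
        act.approve(approver)
    act.execute(lambda a: None)
    return act


def takeover_blocked(admin: str, target: str, approver: Optional[str] = None) -> bool:
    """True if the policy stops the reset, False if it goes through."""
    try:
        attempt_takeover(admin, target, approver)
    except ApprovalError:
        return True
    return False


if __name__ == "__main__":
    # A single compromised admin credential can still reset an ordinary user...
    print(attempt_takeover("alice", "random_user").audit)
    # ...but cannot take over a protected account alone, nor by self-approving.
    print("alone blocked:", takeover_blocked("alice", "head_of_state"))
    print("self-approval blocked:", takeover_blocked("alice", "head_of_state", "alice"))
    # With a distinct second approver the action runs and both names are logged.
    print(attempt_takeover("alice", "head_of_state", approver="bob").audit)
```

The design point is that the gate keys on the target, not on the administrator: an attacker who has phished one set of admin credentials gets exactly what that one person could do alone, and for the flagged accounts that is nothing. The audit trail records both names, so a later investigation can see who requested and who approved rather than a single shared login.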

For another, we can deduce that Mr. Clark did not have a clear plan in place for when the hack succeeded. This is surprisingly common, especially with younger attackers. Hacking a system and monetizing that hack are very different things. The monetization usually takes a lot of preparation and time. If a hacker succeeds with a breach without having a monetization strategy in place, the results are often sloppy scams like the Bitcoin scam used by Mr. Clark and lots of traces left for investigators.

To put a figure on things, access to all of the information - including direct messages - and the ability to tweet out any message would have been worth tens or even hundreds of millions of dollars to the right buyer if it could have been sustained for several months. In an age where nation-states try to influence each other's elections with social media sabotage campaigns, sustained access to high-level Twitter accounts is invaluable. Instead, Mr. Clark was the proverbial dog that caught the car, netting just over US$100,000 and being arrested within the week.

Summary

Humans remain the weakest link in most IT security settings. Decades-old techniques like impersonating coworkers to get access to account credentials still work as well in 2020 as they did in the 1990s. And even large organizations struggle to implement reasonable safeguards. This allows even very young and comparatively inexperienced - if talented - attackers to occasionally pull off large-scale hacks.

The skill level of attackers is better measured by their ability to stay undetected and escape prosecution. Attacks performed by professionals usually stay undetected for weeks or months, and the identity of many such attackers remains unknown forever. Inexperienced attackers, on the other hand, are often detected and caught in short order.