As you have probably heard by now, Twitter CEO Jack Dorsey’s account (@jack, 4.2 million followers) started spewing some tweets on Friday night that were out of character even for him.
For about 15 minutes the account tweeted racist and offensive remarks, and even at one point what appeared to be a bomb threat.
It was pretty obvious that these weren’t messages being genuinely tweeted by Twitter’s oddball co-founder, and theories spread like wildfire that his account had been hacked.
I joined in with the speculation late on Friday night, proposing possible explanations such as a lack of two-factor authentication, or a reused password, but leaning more towards a third-party app connected to the Twitter boss’s account having been hijacked.
Four years ago Twitter’s CFO had his account breached. He wasn’t using 2FA. https://t.co/BAszeVjHJ5 I find it hard to think Twitter’s security team would let @jack make the same mistake. My hunch would be third party app compromised, but we will see.
— Graham Cluley (@gcluley) August 30, 2019
I couldn’t see the funny side in Jack Dorsey’s misfortune, having myself suffered when a third-party app I had linked to my account started tweeting unauthorised messages a few years ago.
And close examination of the offending tweets from the Twitter CEO’s account revealed they had been posted through a service called “Cloudhopper”, which seemed to suggest something similar had happened.
So, what is Cloudhopper and had it been compromised?
Cloudhopper is a service that facilitates tweeting via SMS text messages, and was acquired by Twitter back in 2010. If you have configured your Twitter account to allow it, it’s possible to just send a text message to update your Twitter status rather than use a smartphone app, laptop or desktop connection.
That’s fine, I suppose, with a couple of caveats.
Firstly, you need to be careful to only send SMS messages to Twitter that you wish to become public.
It’s surprisingly easy to send a text message that you believe to be private to the wrong number, as then White House press secretary Sean Spicer found out in January 2017 when he tweeted something that appeared to be a password via Cloudhopper.
Secondly, if Twitter is going to accept SMS messages from your mobile phone number and automatically broadcast them to the world, you had better be feeling darn confident that no-one else is going to gain access to your phone – or seize control of your mobile number.
As Twitter’s communications team explained the following day, it seems that’s precisely how the unauthorised parties managed to post the offensive messages to @jack’s account:
The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.
In short, it sounds like Jack Dorsey’s Twitter problems were caused by his mobile phone number being seized in a SIM swap attack (or the closely related Port Out scam, in which the number is moved to a different carrier), where his mobile phone provider was tricked by fraudsters into giving them control of someone else’s number.
So – if we are to believe Twitter’s explanation – the reason for the “@jack hijack” was not because Twitter’s CEO had failed to follow best practices for passwords, or been phished, or failed to have two-factor authentication in place, or even because he had a compromised app connected to his account – but instead that he was no longer in control of his own phone number.
That’s a problem not only because of unauthorised tweets, but also because of the surprising range of other things you can do via SMS with Twitter.
You can’t really blame the affected Twitter user for this incident – it’s a problem at the mobile phone operator’s end.
Well, maybe you can partly blame the affected Twitter user on this occasion. After all, he’s the boss of Twitter. He can get things changed if he wants to.
Although I’m sure there are some users in some parts of the world who appreciate being able to update Twitter via SMS, I’m not convinced that it is a feature that most Twitter users have a need for. I think it would be a sensible step for Twitter to disable SMS tweeting functionality by default, forcing users to manually enable it if they really want the feature.
It seems to me that another sensible step would be for those who do wish to tweet via SMS to be required to add a PIN to their text message as an additional form of identification. That would certainly be another hurdle for fraudsters and scammers to overcome.
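To make the two suggestions above concrete, here is a hypothetical inbound-SMS handler, written as an added example for this article and not code from Twitter, Cloudhopper or any real service. It assumes a constructed account record in which SMS posting is off by default and a per-account PIN (stored only as a salted hash) must prefix every text-message tweet; the field names, the `PIN<space>text` message format and the five-strike lockout are all assumptions made for the illustration.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Constructed account record (not a real Twitter data model). Note the
# defaults: tweeting by SMS is disabled unless the user turns it on, and
# no PIN exists until the user sets one.
@dataclass
class Account:
    handle: str
    phone: str                      # E.164 number the carrier delivers from
    sms_posting_enabled: bool = False
    pin_salt: bytes = b""
    pin_hash: bytes = b""
    failed_pin_attempts: int = 0

MAX_PIN_FAILURES = 5          # assumed lockout threshold; a 4-digit PIN would
                              # otherwise be brute-forceable over SMS
PBKDF2_ITERATIONS = 100_000   # assumed work factor for the stored PIN hash
PIN_PATTERN = re.compile(r"\d{4,8}")

def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)

def set_sms_pin(acct: Account, pin: str) -> None:
    """Store a new PIN as a salted hash and clear any lockout state."""
    if not PIN_PATTERN.fullmatch(pin):
        raise ValueError("PIN must be 4 to 8 digits")
    acct.pin_salt = secrets.token_bytes(16)
    acct.pin_hash = _hash_pin(pin, acct.pin_salt)
    acct.failed_pin_attempts = 0

def handle_inbound_sms(acct: Account, sender: str, body: str):
    """Decide whether an inbound text becomes a tweet.

    Returns ("posted", text) or ("rejected", reason). The checks run in an
    order that does cheap policy rejections before any PIN hashing, and the
    lockout check precedes the PIN check so a locked account cannot be
    unlocked by guessing correctly.
    """
    if sender != acct.phone:
        return ("rejected", "unknown_sender")
    if not acct.sms_posting_enabled:
        return ("rejected", "sms_posting_disabled")   # off by default
    if acct.failed_pin_attempts >= MAX_PIN_FAILURES:
        return ("rejected", "locked")
    if not acct.pin_hash:
        return ("rejected", "no_pin_set")

    # Assumed message format: "<PIN> <tweet text>".
    parts = body.split(" ", 1)
    if len(parts) != 2 or not PIN_PATTERN.fullmatch(parts[0]):
        return ("rejected", "malformed")
    pin, text = parts[0], parts[1].strip()

    # Constant-time comparison of the salted hash; a wrong PIN counts
    # against the lockout budget, a right one resets it.
    if not hmac.compare_digest(_hash_pin(pin, acct.pin_salt), acct.pin_hash):
        acct.failed_pin_attempts += 1
        return ("rejected", "bad_pin")
    acct.failed_pin_attempts = 0

    if not text:
        return ("rejected", "empty")
    return ("posted", text)

if __name__ == "__main__":
    # Constructed walk-through: an attacker who has taken over the number
    # can reach the handler but cannot post without the PIN.
    acct = Account(handle="example", phone="+15550001111")
    print(handle_inbound_sms(acct, acct.phone, "1234 hello"))   # disabled by default
    acct.sms_posting_enabled = True
    set_sms_pin(acct, "4821")
    print(handle_inbound_sms(acct, acct.phone, "4821 hello world"))
    print(handle_inbound_sms(acct, acct.phone, "0000 hello world"))
```

The point of the PIN is that it is the one thing a SIM swap does not hand over: the fraudster now receives the account’s texts and can send from its number, but still cannot compose a message the handler will accept. The lockout matters just as much, because a short numeric PIN with unlimited attempts would only slow the attacker down. A PIN sent in the clear over SMS is still visible to the carrier, so this raises the bar rather than removing the dependency on the phone network.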
You can listen to more about the hack of Jack Dorsey’s Twitter account, and SIM swap fraud, in this episode of the “Smashing Security” podcast:
Update: Well, what do you know… Twitter disables tweeting via SMS (temporarily at least), in wake of Jack Dorsey account hijack