Hello. I was a Twitter user in Japan. My screen name was @yanma, but the account is now suspended. This was caused by an account hijacking, and I’d like to share the criminal’s method so that there are no more victims.
On March 23, 2021, my Twitter account @yanma (ID: 20594817) was hijacked by someone. I had connected the account to a third-party application, “bookmeter”. The login password for “bookmeter” was not very strong, and someone attacked my account that day. The attack succeeded, and he or she could eventually tweet anything from my account. I’ll call the hijacker “X” in the rest of this post.
At this stage, X could only tweet from my account and could not log in to my Twitter account itself. I still had full control of the account. But X sent some confirmation token to @SupportRequests, which is an official Twitter account, as shown below.
This allowed X to change my password, and @SupportRequests gave him or her complete control of my account. X finally changed everything, including my account’s password, phone number, e-mail address, icon, and even my screen name. The hijacked account finally looked as shown below.
I think the behavior of @SupportRequests was completely wrong from a security point of view. If we leave this vulnerability in place, anyone can hijack any Twitter account itself once they hijack just one of the vulnerable third-party applications connected to the target.
I reported this issue to Twitter, Inc. again and again. They finally restored my account under Case# 0200558185 on April 8, 2021. But, unfortunately, Twitter, Inc. suspended my account again around April 17, 2021. I guess it was because X had tweeted discriminatory messages from my account many times. Sadly, I could not notice those messages at the time because they were reply tweets, which is why they did not appear in my “Tweets” view. I missed the chance to delete the awful messages.
I did report the issue to Twitter, Inc. using the “file an appeal” form many times. But they still keep me suspended, and they said it was a “permanent suspension”. This means I am not allowed to create new accounts. I cannot believe it, but it actually happened. I guess this attack method is widely used, because just googling “SupportRequests #” shows me many suspicious posts that seem to be attacks.
I hope this post helps prevent the same kind of tragedy from happening to someone else. And hopefully, the people inside Twitter, Inc. will understand and fix the vulnerability.
Thank you.