Bug report: major security hole in Twitter


#1

Hi all,

I’d like to report a major security hole that I have identified and documented within Twitter.

Developers and execs: breathe easy; it’s not an exploit or a bug in the traditional sense. But please don your thinking caps and keep reading, as below I will describe a serious security hole that has led to the theft of several major Twitter accounts from their legitimate owners over the past few years. Users who have been directly affected have lost critical data and access to the fruits of often enormous amounts of time and energy. Users who have been indirectly affected have been denied access to accounts of which they are legitimate part-owners. More below on the broader implications for these users, which are also severe.

Steps to reproduce this security hole:

  • A social movement emerges, particularly when communication via
    Twitter is critical in the formation of the movement, and
  • The social movement is of the egalitarian, “Populism 2.0” format, as
    is typical of modern social movements, especially when Twitter is
    critical in their formation
  • The social movement emerges as a shared commons, often involving a
    non-hierarchical, ownerless decision-making model, and its members
    begin to self-identify as a coherent but boundless network-format
    organization, either occupying and operating in real life or solely
    via the Internet
  • The social movement agrees to create a Twitter account for occasions
    wherein they deem it appropriate to speak as one, through a certain
    agreed-upon method.

As soon as this account is created, this group is in trouble. The security hole exists immediately; the only variable is how long it will take to be overtly exploited.

Here’s the problem:

Whichever individual actor in this collective group creates the account will at that point possess a username and password that allows them to administer the account. This is a requirement of Twitter’s current design with regard to the authentication of ownership. However, the circumstances of the account’s ownership in this use case are that it belongs to everyone in this group. In lieu of a means provided by Twitter to accurately model this political dynamic, these users have already been forced to employ a workaround: allow a single person to hold the key.

You can see where this is going, I bet.

The key-holder may be obligated by the larger group to handle the key in a certain way to maximize access by its legitimate owners (the whole group), and the use case I am describing branches out from here as a result. However, there are only limited options for how to do this (just two), and neither of them can be called even “relatively secure” with regard to its ability to keep the account owned by, and accountable to, the larger group that owns the account. The options and their implications follow.

Share the username and password among all account owners. This could be considered secure with regard to the larger group’s access to the account, but it is absurdly insecure with regard to preserving ownership. Anyone can use the account at any time, but anyone can also seize the account at any time.

Use a facilitation layer like Hootsuite or a retweeting bot to give everyone access to the account while protecting the credentials. This could allow everyone to access the account. However, it does not change the fact that the account’s owner — whoever possesses the credentials — can seize the account or make decisions, enforced by technology, about how others use the account, regardless of any other legitimate owners’ consent.

Of the dozens of non-membership-based networked social movements who have often famously used Twitter both to express themselves to the world and to communicate between their participants, every single one of them is operating in one of these ways with regard to their collectively-owned Twitter and other social media accounts.

The results, then, are rather predictably ungood. Many Twitter accounts have been stolen outright by individuals or factions within these social movements, essentially cutting off the larger movement from their ability to access the social media capital they have built through hard work, organization, and effectiveness. Twitter has changed the game for movements like these, but so far the pattern is that they invariably lose access to everything Twitter has helped them build as a result of this security hole. Examples:

  • The two flagship accounts of the Occupy Wall Street movement have
    both been stolen in the last year by individuals who have cut off the
    movement from access and repurposed these voices to advance their own
    interests. They both have about 200,000 followers, more than either
    the Republican or Democratic party and more than almost every
    mainline left-wing political organization in the United States, and had been important
    seeds in the continued growth and evolution of the movement. Other,
    less critical #OWS accounts have fallen to the same fate.
  • Similarly, the Spanish #15M / Indignado/a’s flagship Democracia Real
    Ya! account was reportedly stolen by a faction within the group.
    Another faction stole its Facebook account.
  • An OccupySandy-related account was seized and renamed to become
    DetroitWaterBrigade so that its organizer could gain control of
    the followership.
  • One of Anonymous’s ‘flagship’ accounts (YourAnonNews or
    YourAnonLive, not sure which) was stolen and, as I understand it,
    returned to the group through direct action by Twitter
  • Other accounts by groups large and small within the Arab Spring,
    15M, Occupy, Occupy Gezi (Turkey), #ChangeBrasil, and Syrian
    Revolution emergent uprisings have suffered or are at continual
    risk of suffering the same fate. (My poor multilingual Googling skills made
    it hard for me to confirm specific instances in these cases, but
    since the underlying use case is the same it is highly probable that
    it has occurred here as well. Some of these movements are also much
    more secretive than others due to higher amounts of political
    repression.)

Additionally, the lack of means of meaningfully distributing administrative influence has led to quite a bit of internecine conflict that did not otherwise appear within these groups, i.e. when dealing with tangible goods and making decisions over actions taken in the real world. These conflagrations can have negative influences on the group as a whole: minor to catastrophic internecine disagreements, bad and/or illegible PR, and — often after such situations accumulate within a group that has several affected assets — the complete fracturing of trust within part or all of the group/movement.

And even when such conflict is muted, delayed, or deprioritized, groups suffer from not being able to utilize their collective accounts the way they might want, i.e. using a custom ownership/facilitation layer to handle input on publishing and administrative decisions from a large-to-boundless number of people.

As you can see, this is both a technical and political problem. The easiest response to this bug report might be to simply not support this use case, based on the mistaken belief that the political dimensions of the problem are external to Twitter and are therefore not within Twitter’s control. Consider, however, if the situation were reversed: let’s say that Twitter provided no API, and instead incorporated something like Hootsuite into its structure in order to accommodate multiple users. However, unlike Hootsuite, this model is ownerless: once users are added, they have equal input into all decisions. Thus there is no ability for someone — say, a corporation — to hold an account and give access to several users while maintaining account security for themselves.

Such a design would work perfectly for the use case I have described above (though it would be best if the means by which decisions are made be up to those in the group, allowing for more flexible concepts of access, based on contributions and level of stakeholdership). However, Twitter’s many corporate users would find its services to be rather useless. They would not be able to fit their account into the political and structural assumptions of their enterprise. In this case, as in the current situation, the politics are baked, in part, into the design of Twitter itself.

My motivation for writing this report is as a representative user of this use case. As a participant and organizer in Occupy Wall Street, I was one of many who contributed to the operation of @OccupyWallSt, and many others among my comrades participated in the more recently stolen @OccupyWallStNYC. Without either of these accounts, Occupy Wall Street can no longer speak to the world through its directly democratic, egalitarian, public-facing processes. Their seizure is a major loss to the movement. In the case of the second account, it had been operated collectively by a non-hierarchical group of people, accountable to the public-facing New York City General Assembly, from late 2011 until this past August.

I would appeal to Twitter to return at least the second account to the group that had held it until its seizure, but that’s not going to solve the many other iterations of this problem. I have some ideas for solutions, but I wanted to find a way to put the issue on the table.

Please let me know if you have any clarifying questions or requests for documentation. Thank you very much for reading and considering this security hole.

Cheers,
DiceyTroop


#2

Thanks for your extensive post. I’m going to count this as “off-topic” and close the thread.

  • this forum is discussion of programmatic access to our OAuth security mechanism, intended for developers.
  • to report account access or security issues, please use our support forms, we cannot provide assistance of this kind here.
  • to report vulnerabilities please use our bug bounty program.