{"id":15287,"date":"2020-12-03T09:05:06","date_gmt":"2020-12-03T08:05:06","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=15287"},"modified":"2020-12-05T00:16:47","modified_gmt":"2020-12-04T23:16:47","slug":"twitter-lockout-again","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2020\/12\/03\/twitter-lockout-again\/","title":{"rendered":"Twitter lockout, again"},"content":{"rendered":"\n<p><strong>Status: 00:27 in the morning of December 4 my account was restored again.<\/strong> No words or explanations on how it happened &#8211; yet.<\/p>\n\n\n\n<p>This morning (December 3rd, 2020) I woke up to find myself logged out from my Twitter account on the devices where I was previously logged in. Due to &#8220;suspicious activity&#8221; on my account. I don&#8217;t know the exact time this happened. I checked my phone at around 07:30 and by then it had obviously already happened. So at some time over night.<\/p>\n\n\n\n<p>Trying to log back in, I get prompted saying I need to update my password first. Trying that, it wants to send a confirmation email to an email address that isn&#8217;t mine! Someone has managed to modify the email address associated with my account.<\/p>\n\n\n\n<p>It has only been two weeks since someone <a href=\"https:\/\/daniel.haxx.se\/blog\/2020\/11\/16\/i-lost-my-twitter-account\/\" data-type=\"post\" data-id=\"15196\">hijacked my account<\/a> the last time and abused it for scams. When I got the account back, I made very sure I both set a good, long password and activated 2FA on my account. 2FA with an auth app, not SMS.<\/p>\n\n\n\n<p>The last time I wasn&#8217;t really sure about how good my account security was. This time I know I did it by the book. 
And yet this is what happened.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2020\/12\/Screenshot_2020-12-03-Losenordsaterstallning.png\" alt=\"\" class=\"wp-image-15299\" width=\"467\" height=\"328\"\/><figcaption>Excuse the Swedish version, but it wasn&#8217;t my choice. Still, it shows the option to send the email confirmation to an email address that isn&#8217;t mine and I didn&#8217;t set it there.<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Communication<\/h2>\n\n\n\n<p>I was in touch with someone at Twitter security and provided lots of details of my systems, software, IP address etc. while they researched their end about what happened. I was totally transparent and gave them all info I had that could shed some light.<\/p>\n\n\n\n<p>I was contacted by a Sr. Director from Twitter (late Dec 4 my time). We have a communication established and I&#8217;ve been promised more details and information at some point next week. Stay tuned.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Was I breached?<\/h2>\n\n\n\n<p>Many people have proposed that the attacker must have come through my local machine to pull this off. If someone did, it has been a very polished job as there is no trace at all of that left anywhere on my machine. Also, to reset my password I would imagine the attacker would need to somehow hijack my Twitter session, need the 2FA or trigger a password reset and intercept the email. I don&#8217;t receive emails on my machine so the attacker would then have had to (also?) manage to get into my email machine and remove that email &#8211; and not too many others, because I receive a lot of email and I&#8217;ve kept on receiving a lot of email during this period.<\/p>\n\n\n\n<p>I&#8217;m not ruling it out. 
I&#8217;m just thinking it seems unlikely.<\/p>\n\n\n\n<p>If the attacker had breached my phone and installed something nefarious on that, it would not have removed any reset emails and it seems like a pretty tough challenge to hijack a &#8220;live&#8221; session from the Twitter client or get the 2FA code from the authenticator app. Not unthinkable either, just unlikely.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Most likely?<\/h2>\n\n\n\n<p>As I have no insights into the other end I cannot really say which way I think the perpetrator most likely used for this attack, but I will maintain that I have no traces of a local attack or breach and I know of no malicious browser add-ons or Twitter apps on my devices.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Details<\/h2>\n\n\n\n<p>Firefox version 83.0 on Debian Linux with Tweetdeck in a tab &#8211; a long-lived session started over a week ago (i.e. no recent 2FA codes used).<\/p>\n\n\n\n<p>Browser extensions: Cisco Webex, Facebook container, multi-account containers, HTTPS Everywhere, test pilot and ublock origin.<\/p>\n\n\n\n<p>I only use one &#8220;authorized app&#8221; with Twitter and that&#8217;s Tweetdeck.<\/p>\n\n\n\n<p>On the Android phone, I run an updated Android with an auto-updated Twitter client. That session also started over a week ago. I used <em>Google Authenticator<\/em> for 2FA.<\/p>\n\n\n\n<p>While this hijack took place I was asleep at home (I don&#8217;t know the exact time of it), on my WiFi, so all my most relevant machines would&#8217;ve been seen as originating from the same &#8220;NATed&#8221; IP address. This info was also relayed to Twitter security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Restored<\/h2>\n\n\n\n<p>The actual restoration happens like this (and it was the exact same the last time): I just suddenly receive an email on how to reset my password for my account.<\/p>\n\n\n\n<p>The email is a standard one without any specifics for this case. 
Just a template: press the big button and it takes you to the Twitter site where I can set a new password for my account. There is nothing in the mail that indicates a human was involved in sending it. There is no text explaining what happened. Oh, right, the mail also includes a bunch of standard security advice like &#8220;use a strong password&#8221;, &#8220;don&#8217;t share your password with others&#8221; and &#8220;activate two factor&#8221; etc. as if I hadn&#8217;t done all that already&#8230;<\/p>\n\n\n\n<p>It would be prudent of Twitter to explain how this happened, at least roughly and without revealing sensitive details. If it was my fault somehow, or if I just made it easier because of something on my end, I would really like to know so that I can do better in the future.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What was done to it?<\/h2>\n\n\n\n<p>No tweets were sent. The name and profile picture remained intact. I&#8217;ve not seen any DMs sent or received while the account was &#8220;kidnapped&#8221;. Given this, it seems possible that the attacker actually only managed to change the associated account email address.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Status: 00:27 in the morning of December 4 my account was restored again. No words or explanations on how it happened &#8211; yet. This morning (December 3rd, 2020) I woke up to find myself logged out from my Twitter account on the devices where I was previously logged in. 
Due to &#8220;suspicious activity&#8221; on my &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2020\/12\/03\/twitter-lockout-again\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Twitter lockout, again<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":15206,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[133,8],"tags":[428,498],"class_list":["post-15287","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-tech","tag-security","tag-twitter"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/15287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=15287"}],"version-history":[{"count":22,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/15287\/revisions"}],"predecessor-version":[{"id":15337,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/15287\/revisions\/15337"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/15206"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=15287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=15287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=15287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}