Forgot your password?
typodupeerror
Twitter Security IT

How To Hack Twitter's Two-Factor Authentication 58

Posted by timothy
from the there-can-be-only-one-or-two-or-whatever dept.
An anonymous reader writes with this excerpt from PC Mag's SecurityWatch: "We've pointed out some problems with Twitter's new two-factor authentication. For example, since just one phone number can be associated with an account, Twitter's two-factor authentication won't work for organizations like the Associated Press, The Onion, or The Guardian. They were hacked; they could still be hacked again in the same way. However, security experts indicate that the problem is worse than that, a lot worse."
This discussion has been archived. No new comments can be posted.

How To Hack Twitter's Two-Factor Authentication

Comments Filter:
  • worse problem? (Score:5, Insightful)

    by mcmonkey (96054) on Friday May 24, 2013 @09:10PM (#43818433) Homepage

    the problem is worse than that, a lot worse

    Problem? Worse? This is twitter we're talking about right?

    If sending an unencrypted email is like sending a postcard (kids, ask your parents) in pencil, twitter is like a sign you stick in your lawn.

    Anyone can drive by and stick a sign in your lawn, make it look like you support any cause, or take any sign you've put out.

    Now if people put undue weight to those signs, it they swing the markets, then the issue--the problem--is people who don't know the difference between reliable and unreliable sources.

    The problem isn't twitter, it's employees in the media and so-called journalists who'd rather sit on their bum checking their cell phone than go out and do their job.

    • Seriously who gives a fuck about twitter and who puts so much weight into what is said?

      • Re:Thank you (Score:5, Insightful)

        by Zerth (26112) on Friday May 24, 2013 @09:49PM (#43818667)

        As long as stock market bots and day traders use twitter activity to guide their behavior, I care.

  • My twitter account, like all my others(like banking etc) are tied to my various gmail accounts, which are also two-factor authenticated. So in order to change my password for example on my twitter account, you would need to hack into my twitter account then hack into my gmail account(password + 2-factor auth.) to check the email so that you can change the password.

    I don't know if this makes it more difficult or if i should hold out.
  • by TrumpetPower! (190615) <ben@trumpetpower.com> on Friday May 24, 2013 @09:51PM (#43818679) Homepage

    The two-factor authentication is supposed to protect against a man-in-the-middle attack. The problem is that the verification response from the second factor goes back through the same already-compromised channel.

    Imagine you're a sophisticated vilain in some backwater part of the world. You notice there's an AP reporter there doing some long-term investigative journalism, and said reporter likes to file his reports from a particular internet cafe.

    You hack the cafe's wifi and somehow convince the reporter that his Twitter account has already been hacked -- say, by showing him a tweet in his name of something outrageous. The reporter, panicked, resets his account -- but does so through your fake Twitter authentication. You now capture both his password and the second factor sent through his text message; you now own his Twitter account.

    And you now go ahead and actually send out some outrageous tweet as this particular reporter. Perhaps you pull off your attack while some very important person is visiting, and you report said person's assassination. You know this will crash the markets, and so you short all the proper stocks and make a killing...on the market.

    Is it wise for people to have the trust they do in Twitter? Hell no. Do they have such trust anyway? Yes.

    Which is why this is a big deal.

    Cheers,

    b&

    • by Anonymous Coward

      The two-factor authentication is supposed to protect against a man-in-the-middle attack.

      This is a fundamental misunderstanding of the security model. The attack you describe should be obvious to anyone who took any time to think about it. Two-factor authentication does nothing against man-in-the-middle attacks or phishing attacks, it prevents replay attacks. That is, to attack 2FA, you need to do the attack in real time and don't get another chance to use the credentials latter (unless, as you describe, the attacker is able to change the password, but I've never encountered a system attempting

    • by Anonymous Coward

      Mod parent down, for not having a clue what s/he's talking about.

      No, 2FA is not supposed to protect against MitM. Some versions of it might, but 2FA in and of itself isn't required to do that. It is only required that two factors of authentication be used:
      * something you have
      * something you know
      * something you are

      What 2FA *is* supposed to do is (a) provide greater assurance that a person is who they say they are, (b) make it harder to steal credentials, (c) make it easier to detect that credentials are st

  • Everything that happened in there is legit. He probably used some type of defense called Hawk to deal with Twitter hacks.
  • by 140Mandak262Jamuna (970587) on Friday May 24, 2013 @09:55PM (#43818695) Journal
    The fundamental problem here is that the user logs into a fake twitter site and gives the login credentials. Then gives the second factor authentication too. This scenario can not be protected against no matter how many factors you use. In fact if I keep logging into a fake google site and keep entering all the credentials how can google stop it?
  • Anything more than a Single Factor is useless for security. Two Factors means it's certainly not a prime!
  • by Anonymous Coward

    "You can't make anything idiot proof because idiots are so ingenious"

  • by kju (327) on Saturday May 25, 2013 @12:17AM (#43819241)

    Instead of using some custom two-factor authentication which is bound to a specific phone, they should use TOTP (http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm). Then the same shared secret could be configured into several token generators (e.g. Google Authenticator on Android).

    TOTP seems to become the standard for two-factor authentication, given that both Facebook and Google use this (Facebook provides its own limited code generator with their App) and also quite a few other significant services (e.g. Dropbox, Amazon AWS).

    Google also provides a pam module for TOTP which allows one to setup TOTP for own services. I tried that yesterday: Installed the PAM module and added a key into Google Authenticator. Result: TOTP secured SSH login (by using normal account password with the token appended). TOTP support can also be added to non-PAM capable applications, for example a TOTP extension for Mediawiki exists. I tried that one as well and it is working great.

    Google Authenticator App allows one to configure more than one account, so you can secure different services with TOTP and still have one central token generator App.

  • It's the users fault for entering their credentials in a fake site. There should be SSL when you enter your password on twitter. That means there should be a verification icon in the URL bar with "Twitter, Inc [US]" on it.

    • Unfortunately, most users still can't think to consider such a simple step. Most browsers now offer to cache login credentials. What the browsers should really do with the heuristics which detect a login prompt is add a warning that the credentials are being entered into a site without SSL or with a mismatched certificate. Certificate exceptions should of course be easy to store as they are now, after a one time prompt.
  • You don't need N-factor authentication to be secure, the problem is most companies implented half a-- 1 factor to begin with, and instead of fixing their authentication decide to implement half a-- 2 factor authentication. If you don't do it correctly it doesn't matter how many factors you think are cool in meeting rooms
  • by msk (6205)

    None of these organizations have direct inward dialing?

    How far behind the times are they?

Forty two.

Working...