How To Hack Twitter's Two-Factor Authentication

An anonymous reader writes with this excerpt from PC Mag's SecurityWatch: "We've pointed out some problems with Twitter's new two-factor authentication. For example, since just one phone number can be associated with an account, Twitter's two-factor authentication won't work for organizations like the Associated Press, The Onion, or The Guardian. They were hacked; they could still be hacked again in the same way. However, security experts indicate that the problem is worse than that, a lot worse."
  • by TrumpetPower! ( 190615 ) <ben@trumpetpower.com> on Friday May 24, 2013 @09:51PM (#43818679) Homepage

    The two-factor authentication is supposed to protect against a man-in-the-middle attack. The problem is that the verification response from the second factor goes back through the same already-compromised channel.

    Imagine you're a sophisticated villain in some backwater part of the world. You notice there's an AP reporter there doing some long-term investigative journalism, and said reporter likes to file his reports from a particular internet cafe.

    You hack the cafe's wifi and somehow convince the reporter that his Twitter account has already been hacked -- say, by showing him a tweet in his name of something outrageous. The reporter, panicked, resets his account -- but does so through your fake Twitter authentication. You now capture both his password and the second factor sent through his text message; you now own his Twitter account.

    And you now go ahead and actually send out some outrageous tweet as this particular reporter. Perhaps you pull off your attack while some very important person is visiting, and you report said person's assassination. You know this will crash the markets, and so you short all the proper stocks and make a killing...on the market.

    Is it wise for people to have the trust they do in Twitter? Hell no. Do they have such trust anyway? Yes.

    Which is why this is a big deal.

    Cheers,

    b&
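The relay in the comment above, modelled as an added Python example (this is not code from the post, from PC Mag or from Twitter): an in-memory service that takes a password plus an SMS code, a fake login page that forwards each step to the real service and keeps what the victim typed, and a second variant in which the second-factor response is bound to the origin the device is actually talking to. The user, phone number, origins and the HMAC-based "device signature" are constructed stand-ins; the origin-bound variant is a simplification of how hardware-backed second factors tie their response to the site the browser sees, which is the property the SMS code lacks.

```python
import hmac
import secrets

# Constructed placeholders for this example; neither is a real host.
REAL_ORIGIN = "twitter.example"
FAKE_ORIGIN = "twitter-login.example"   # the attacker's look-alike page


def device_sign(device_key: bytes, challenge: str, origin: str) -> str:
    """Stand-in for an origin-bound second factor: the response covers the
    challenge AND the origin the device believes it is talking to."""
    return hmac.new(device_key, f"{origin}|{challenge}".encode(), "sha256").hexdigest()


class Service:
    """In-memory model of the site. Step 1 checks the password and issues both
    an SMS code and a login challenge; step 2 accepts either factor."""

    def __init__(self):
        self.users = {}       # user -> {"password", "phone", "device_key"}
        self.pending = {}     # user -> {"code", "challenge"}
        self.sms_outbox = {}  # phone -> code (stands in for the carrier)

    def register(self, user, password, phone):
        self.users[user] = {"password": password, "phone": phone,
                            "device_key": secrets.token_bytes(32)}

    def step1(self, user, password):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        challenge = secrets.token_hex(16)
        self.pending[user] = {"code": code, "challenge": challenge}
        self.sms_outbox[u["phone"]] = code
        return challenge

    def step2_sms(self, user, code):
        p = self.pending.pop(user, None)
        if p and hmac.compare_digest(p["code"], code):
            return secrets.token_hex(16)   # session token
        return None

    def step2_bound(self, user, response):
        p = self.pending.pop(user, None)
        if p is None:
            return None
        # The site only ever accepts a response computed over its own origin.
        expected = device_sign(self.users[user]["device_key"], p["challenge"], REAL_ORIGIN)
        return secrets.token_hex(16) if hmac.compare_digest(expected, response) else None


class Relay:
    """The fake login page from the comment: it forwards every step to the real
    service unchanged and keeps whatever the victim typed."""

    def __init__(self, real):
        self.real, self.captured, self.stolen_session = real, {}, None

    def step1(self, user, password):
        self.captured["password"] = password
        return self.real.step1(user, password)

    def step2_sms(self, user, code):
        self.captured["code"] = code
        self.stolen_session = self.real.step2_sms(user, code)

    def step2_bound(self, user, response):
        self.stolen_session = self.real.step2_bound(user, response)


def _setup():
    svc = Service()
    svc.register("reporter", "correct horse", "+1-555-0100")   # constructed user
    return svc, Relay(svc)


def relay_against_sms_code() -> bool:
    """Victim logs in through the fake page; the SMS code is a bearer secret,
    so typing it into the fake page hands the attacker a session."""
    svc, relay = _setup()
    relay.step1("reporter", "correct horse")
    code = svc.sms_outbox["+1-555-0100"]     # victim reads the text message
    relay.step2_sms("reporter", code)        # ...and types it into the fake page
    return relay.stolen_session is not None  # True: attacker holds a session


def relay_against_origin_bound() -> bool:
    """Same victim, same relay, but the device signs the origin it actually
    talked to (the fake page), so the relayed response fails at the site."""
    svc, relay = _setup()
    challenge = relay.step1("reporter", "correct horse")
    key = svc.users["reporter"]["device_key"]   # the enrolled device's own key
    response = device_sign(key, challenge, FAKE_ORIGIN)
    relay.step2_bound("reporter", response)
    return relay.stolen_session is not None  # False: nothing usable was captured


def direct_origin_bound_login() -> bool:
    """Control: with no relay in the path the same device response is accepted."""
    svc, _ = _setup()
    challenge = svc.step1("reporter", "correct horse")
    key = svc.users["reporter"]["device_key"]
    return svc.step2_bound("reporter", device_sign(key, challenge, REAL_ORIGIN)) is not None


if __name__ == "__main__":
    print("SMS code relayed, attacker gets session:", relay_against_sms_code())
    print("origin-bound response relayed, attacker gets session:", relay_against_origin_bound())
    print("origin-bound response, no relay, user logs in:", direct_origin_bound_login())
```

The point the model makes is the one the comment makes: a code the user can read off a phone and type anywhere is a bearer secret, and whoever sits on the login channel receives it along with the password. Binding the second-factor response to the origin does not stop the attacker from capturing the password, but it leaves them with a response the real site will not accept; the defensive question to ask of any second factor is whether its response can be replayed through a different channel than the one it was produced for.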
