Concerned About Social Media Hijacks? Then Don’t Ban End-to-End Encryption.

July 16, 2020 | Emil Hanscom

There was a wave of high-profile account takeovers on Twitter yesterday afternoon. The accounts of influential users and organizations, including Bill Gates, Elon Musk, Barack Obama, Joe Biden, Apple, Uber and many more, were hijacked to tweet out messages designed to lure unsuspecting users into a Bitcoin scam.

For a brief period, Twitter halted tweeting for verified users while it conducted an internal investigation into the cause. However, one of the hijackers allegedly behind the attack reached out to Vice's Motherboard with their own explanation.

According to Motherboard:

“’We used a rep that literally done all the work for us,’ one of the sources told Motherboard. The second source added they paid the Twitter insider...The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard…
The screenshots show details about the target user's account, such as whether it has been suspended, is permanently suspended, or has protected status.”

While the Bitcoin scam is troubling (the perpetrators received more than $100,000 within the first several hours of the takeovers), security industry leaders are deeply concerned about the attacks' wider implications. If the hijackers could post directly from these accounts and change their passwords and email addresses, did they also have full access to other features, such as direct messages?

Here's a question about the twitter compromise today that hasn't yet been answered: With the internal twitter tools access the attackers had, could they also have viewed the target account's direct messages?
— briankrebs (@briankrebs) July 16, 2020

The national security impact of the account takeovers cannot be overstated. Meanwhile, lawmakers in the United States are demanding that Twitter provide more details on the account takeovers and on how it will prevent similar attacks in the future. Ironically, one of the most concerned officials is Sen. Josh Hawley (R-MO), who vocally supports the EARN IT Act, a bill that would make it illegal for online organizations to provide end-to-end encryption.

thinking about all the people whose jobs ... or frankly lives ... could be at risk right now if the Twitter hackers accessed DMs, and how easy it would have been for Twitter to implement end-to-end encryption to protect those people
— Evan Greer (@evan_greer) July 16, 2020

Because the attacks were presumably carried out through an insider and an internal tool, traditional user-side defenses such as strong passphrases and two-factor authentication would have brought little relief. Privacy experts argue that the best way to limit the fallout from future hijacks is to implement end-to-end encryption, so that the service itself never holds the plaintext of users' messages.

Twitter wouldn't have to worry about the possibility that the attacker read, exfiltrated, or altered DMs right now if they had implemented e2e for DMs like EFF has been asking them to for years.
— Eva (@evacide) July 16, 2020

Industry experts overwhelmingly support these assessments: end-to-end encryption is a much-needed security tool, and demands to weaken it overlook serious risks. For example, according to a recent survey from Venafi, 74% of security professionals say countries with government-mandated encryption backdoors are more susceptible to nation-state attacks.

This story will continue to evolve over the coming weeks and months. However, it is a good opportunity to step back and examine the importance of encryption. The EARN IT Act has not been enacted yet, but these account hijacks should serve as a wake-up call for concerned lawmakers and citizens.
