Also, that the internal account takeover happened at *all*, presumably remotely, is inexcusable in 2020. If your corporate authentication does not require non-spoofable 2FA (e.g. U2F/WebAuthn) to achieve this level of access, you are doing many things wrong.
And apparently Twitter is retaliating against users tweeting screenshots of the internal tool (even censored of private info), which speaks volumes as to their priorities during this kind of massive security incident.
Remember this is apparently a *support tool*. The issue of insider access from *engineers* is a tricky one, because ultimately engineers need to be able to engineer the system. It's possible, but tricky, to build sufficient controls around engineering procedures.
But support tools? There should be high-level overrides for all of that stuff, and auditing up the wazoo, at the very least a kill switch that is always accessible to on-call engineers/security team. It should've taken minutes to identify and lock out the attack.
There is absolutely no reason why anything someone working for Twitter support does shouldn't be immediately identifiable, controllable, and reversible by someone at a higher level, on-call, as soon as it happens. We have access hierarchies for a reason.
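The controls the thread calls for, as an added example that is not the thread author's code: a single gateway that every support-tool change passes through, an on-call kill switch, and reversal of any action straight from its audit record. The roles, account fields and values are constructed for illustration and assume nothing about Twitter's actual tooling.

```python
"""Audited, reversible support actions behind an on-call kill switch.

Added example (not code from the thread). Every mutation made through the
support tool is recorded with the actor and the prior field values, so an
on-call engineer can lock the tool for everyone with one flag and undo each
action from the log. All names and data below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class AuditEntry:
    seq: int
    actor: str
    account: str
    before: Dict[str, str]   # values prior to the change, kept so it can be undone
    after: Dict[str, str]
    ts: str
    reverted_by: Optional[str] = None


class SupportToolLocked(Exception):
    """Raised when the on-call kill switch is engaged."""


class SupportGateway:
    """The one path a support-tool change is allowed to take."""

    ON_CALL_ROLES = {"oncall", "security"}   # hypothetical role names

    def __init__(self, accounts: Dict[str, Dict[str, str]]):
        self.accounts = accounts
        self.audit: List[AuditEntry] = []
        self.locked = False

    def set_lock(self, actor_role: str, locked: bool) -> None:
        """Kill switch: only on-call or security may flip it."""
        if actor_role not in self.ON_CALL_ROLES:
            raise PermissionError("only on-call or security may flip the kill switch")
        self.locked = locked

    def update_account(self, actor: str, account: str, changes: Dict[str, str]) -> AuditEntry:
        """Apply a support change, refusing while locked and logging the prior state."""
        if self.locked:
            raise SupportToolLocked("support tool disabled by on-call")
        current = self.accounts[account]
        before = {k: current[k] for k in changes}
        current.update(changes)
        entry = AuditEntry(
            seq=len(self.audit), actor=actor, account=account,
            before=before, after=dict(changes),
            ts=datetime.now(timezone.utc).isoformat(),
        )
        self.audit.append(entry)
        return entry

    def actions_by(self, actor: str) -> List[AuditEntry]:
        """Everything this actor did that has not yet been undone."""
        return [e for e in self.audit if e.actor == actor and e.reverted_by is None]

    def revert(self, actor_role: str, seq: int, reverted_by: str) -> bool:
        """Restore the pre-change values recorded in one audit entry."""
        if actor_role not in self.ON_CALL_ROLES:
            raise PermissionError("only on-call or security may revert actions")
        entry = self.audit[seq]
        if entry.reverted_by is not None:
            return False
        self.accounts[entry.account].update(entry.before)
        entry.reverted_by = reverted_by
        return True

    def contain(self, actor_role: str, actor: str, reverted_by: str) -> int:
        """Lock the tool and undo all of one actor's actions, newest first."""
        self.set_lock(actor_role, True)
        count = 0
        for entry in reversed(self.actions_by(actor)):
            if self.revert(actor_role, entry.seq, reverted_by):
                count += 1
        return count


def demo():
    """Constructed scenario: one support account makes two changes, on-call contains it."""
    accounts = {"acct-1": {"email": "owner@example.com", "mfa": "on"}}
    gw = SupportGateway(accounts)
    gw.update_account("support-a", "acct-1", {"email": "changed@example.net"})
    gw.update_account("support-a", "acct-1", {"mfa": "off"})
    reverted = gw.contain("security", "support-a", "oncall-1")
    try:
        gw.update_account("support-a", "acct-1", {"mfa": "off"})
        locked_out = False
    except SupportToolLocked:
        locked_out = True
    return reverted, accounts["acct-1"], locked_out


if __name__ == "__main__":
    print(demo())
```

Reverting newest-first matters when the same field was changed more than once: undoing in reverse order lands back on the original value rather than an intermediate one.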
End of conversation
New conversation
Still just a Rails app?
Nothing big you know. Definitely not a major leak of security.
Unfortunately a lot of the brains behind these internet startups that become mainstream have little to no security experience. Also little to no customer support experience either, as I discovered with Instagram.
Also quite concerning that they are actively censoring the screenshots from their admin tool, which appear to show that they can shadow ban accounts and prevent them from trending.
End of conversation
New conversation