Failures in Twitter’s Two-Factor Authentication System

Twitter is having intermittent problems with its two-factor authentication system:

Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twitter laid off about half of its workers, roughly 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin attempting to adapt Twitter’s offerings and build new features per new owner Elon Musk’s agenda.

On top of that, it seems that the system has a new vulnerability:

A researcher contacted Information Security Media Group on condition of anonymity to reveal that texting “STOP” to the Twitter verification service results in the service turning off SMS two-factor authentication.

“Your phone has been removed and SMS 2FA has been disabled from all accounts,” is the automated response.

The vulnerability, which ISMG verified, allows a hacker to spoof the registered phone number to disable two-factor authentication. That potentially exposes accounts to a password reset attack or account takeover through password stuffing.

This is not a good sign.
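As an added illustration (not Twitter's code, which the post does not show), the toy handler below models the failure the ISMG quote describes next to a hardened variant: an inbound STOP is honoured as a carrier opt-out, but the account's security state is never changed on the strength of an unauthenticated sender number. The Account model, the phone numbers and the backup-code factor are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    phone: str                      # constructed sample number, not real
    sms_2fa: bool = True
    sms_suppressed: bool = False    # carrier opt-out: stop sending texts
    audit: list = field(default_factory=list)


def weak_stop_handler(accounts, sender):
    """Flawed behaviour the post describes: the inbound sender number is
    treated as proof of identity, and 2FA is disabled on every account
    that registered it. Sender numbers are not authenticated."""
    reply = "No action taken."
    for acct in accounts:
        if acct.phone == sender:
            acct.phone = ""
            acct.sms_2fa = False
            acct.audit.append("sms_2fa disabled by inbound STOP")
            reply = ("Your phone has been removed and SMS 2FA has been "
                     "disabled from all accounts.")
    return reply


def hardened_stop_handler(accounts, sender):
    """Honours STOP as an opt-out (no further texts are sent) but leaves
    the account's security posture untouched; changing 2FA requires an
    authenticated in-app session, never an unauthenticated SMS."""
    reply = "Messages stopped."
    for acct in accounts:
        if acct.phone == sender:
            acct.sms_suppressed = True
            acct.audit.append("STOP received: SMS suppressed, 2FA unchanged")
            reply = ("Messages stopped. Your two-factor settings are "
                     "unchanged; sign in to review them.")
    return reply


def accepted_second_factors(acct):
    """Factors a login must present after the password. A suppressed SMS
    channel narrows the options; it must never widen them to password-only."""
    if not acct.sms_2fa:
        return set()                  # password alone suffices: takeover risk
    if acct.sms_suppressed:
        return {"backup_code"}        # texts cannot be sent, codes still work
    return {"sms", "backup_code"}


def scenario(handler):
    """Run one constructed account through a handler with a STOP that
    arrives from (or appears to come from) the registered number."""
    acct = Account("alice", "+15550001234")
    handler([acct], "+15550001234")
    return acct
```

The audit entries are what a detection rule would key on: a burst of "sms_2fa disabled by inbound STOP" events across accounts is the signal the weak design leaves behind.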

Posted on November 17, 2022 at 5:53 AM (29 comments)

Comments

Beatrix Willius November 17, 2022 6:53 AM

Thanks so much for making my day. Who knew that people working at Twitter actually did something?

Joe November 17, 2022 8:00 AM

I wonder if this is a new vulnerability or just newly discovered vulnerability that happened to make the news in a convenient time.

Rob November 17, 2022 8:23 AM

There’s another vulnerability I’ve read about. They blocked name changes to verified users, but you can potentially get around it by rapidly clicking “Save”.

Frank B. November 17, 2022 9:21 AM

Inside the Chief Twit’s head there are two pigeons fighting over a french fry. Just wave something shiny in front of his eyes and they’ll get distracted and move on to something new.

Norio November 17, 2022 2:52 PM

This is not a good sign.

That is one of the best understatements I’ve seen.

@Untitled–the comet was penetrating the solar system at the time, and that’s pretty intimate content.

SpaceLifeForm November 17, 2022 5:13 PM

Re: Mastodon

I’ll just note that Mastodon does not do SMS 2FA which is good.

That said, if you are going to roam into the various swamplands to drink the water, I would NOT set up 2FA on Mastodon. Stay on solid ground, and use a long complex password.

‘https://sts10.github.io/2022/11/11/mastodon-two-factor-authentication.html

‘https://sts10.github.io/2022/11/12/mastodon-2fa-security-key.html

Note that in order to go the hardware security key route, you must have already taken the software authentication route to get there.

This is not an optimal path.

Some dude did not get the memo.

‘https://apnews.com/article/62c9ed67a1e70fb59da3ccb75c2b5212

Ted November 17, 2022 6:49 PM

I’m really looking forward to a podcast episode featuring Jerry Bell, the administrator of the infosec.exchange Mastodon instance.

It should be coming out soon on the Redefining Cybersecurity podcast.

https://infosec.exchange/@seanmartin/109356084690447792

Apparently Jerry is an IBM Public Cloud VP and CISO. So says LinkedIn. But you wouldn’t know it based on his infosec.exchange profile and his very down-to-earth interactions on the platform.

https://infosec.exchange/@jerry/109356542388834164

Clive Robinson November 17, 2022 8:13 PM

@ Frank B., AlanS, ALL,

Re : Inside the Chief Twit’s head

Remember they are also a speed freak who has left the wheelhouse…

Nobody has a clue about direction or destination only that they will get there way faster than is safe.

Some of the “hold rats” have been offered a deal to “jump ship” so the Chief can get more speed.

Arguably it might be the best offer of their life such as it is currently. As for the passengers, well mostly they are along for the white finger ride, as they have a death grip on the deck rails and rigging with a prayer on their lips or fervent hope that singing “Rock of Ages” will be the only rock they come into contact with…

Ismar November 18, 2022 12:04 AM

General comment: over the years, the hugely disproportionate ratio of negative security stories at this blog would indicate a complete meltdown of the digital infrastructure; yet here we are using the same infrastructure more than ever (including this blog) and managing to move forward, which should make us think about our biases in this regard.
To me it feels a bit like overly critical parents not seeing how much their children have actually achieved.

SpaceLifeForm November 18, 2022 3:51 AM

@ Ismar

Re: negative security stories

They are a positive. They keep people on their toes. Problems must be discussed, otherwise they will be ignored.

There is no utility in pointing out that XYZ Org was not hacked yesterday.

AlanS November 18, 2022 7:05 AM

I have read various estimates that Twitter will have shed close to 90% of its employees before the end of the month. Lots of Musk fans seem to think he must have a “cunning plan”. To my eyes it looks more like he has no idea how to run a social media platform, unless the plan is to drive it into the ground as rapidly as possible.

Clive Robinson November 18, 2022 11:22 AM

@ Ismar, ALL,

Re : Growing Pains.

“yet, here we are using the same infrastructure more then ever (including this blog) and managing to move forward which should make us think about our biases in this regard”

Actually we are very far from using the same infrastructure; when did you last see a real acoustic modem and RS232 port in use on analog land lines?

What has happened was originally we did not actually have the technical resources to run things in a properly designed way. Thus the protocols and standards were bereft of nearly every security feature we now consider critical to privacy.

Over time as hardware resources have improved two things have happened,

1, Massive increase in user features
2, Minimal to no increase in security.

It was only when “public shaming” became common and corporate lawyers told the C-suites “using legislation against free speech will cost more than cleaning your code up” that things started to change.

But there are still two problems,

1, Management driven by marketing only want to move forward as fast as possible on features.

2, Coders can not keep up and management don’t have time for testing. Thus organisations leave increasing technical debt behind.

That technical debt, if you know about it properly, can keep you “job safe” as other people have to come to you. In some countries –Japan and South Korea to my certain knowledge– there is an implicit culture of keeping information to yourself as it gives you power. For those old enough to have braved Microsoft’s MFC thirty years ago[1] you will know the problem, as it was so awful that many coders invested so much of their own personal time in it they wanted “pay back”, so they too kept details secret, thus gained power and, as they thought, job security.

The thing is that there is a joke about the rush to get code out the door as fast as possible “because the technical debt tsunami is pushing it”.

People are expressing “shock horror” at the moment about Twitter’s dirty secrets coming out. The fact is it should not shock anyone who’s had experience of certain types of large “investor driven Corps”

The trick for senior managers is to hide it as much as possible, grab their share options and get the heck out of Dodge before the tsunami does catch up.

I’ve said this about management with “big projects” being used to “jump up” the corporate ladder. You promise miracles, pull in the resources, and just as the actual workers realise it’s a dog, the manager jumps ship to a new company. By the time news gets out about what a disaster the project was, that manager is two or three jobs ahead.

They have a fail safe argument strategy if asked… If the project is a success then obviously it was due to the managers vision and foundation work. If not it was due to the failings of those who followed not following the vision or correctly building on the foundations.

Start-up founders play a similar game as do the venture capitalists that back them. They build it up slap lipstick on it and keep selling and selling it as the investment money pours in. They then find an idiot to buy them out and walk away with not just enough money to live very comfortably for the rest of their life, but play the same game over and over, getting slicker with each turn of the wheel.

The result is that Tsunami of technical debt and impossible to secure features turns into an industry wide bubble. The thing about bubbles is they have two fates,

1, They burst and everyone still in takes a bath.
2, Some actually in it to build a future do what they can to gently deflate the bubble.

Which happens depends on the managers and venture capitalists, assisted by the stupidity of certain types of investors.

The result though, as we are seeing, is the techs either get no credit or carry all the blame… Either way they are “out the door” unless they have “secret power” that makes them “too important to push” out the door or under the bus…

So yeh, we’ve lots of problems and we are still not solving them. This current social media bubble was well on the way to bursting before Elon Musk got what most consider “A fit of the crazies”.

The thing is, history shows that all new tech, from black tulips through digging canals, onwards through steam, railways, telegraphs, telephones, power generation, radio systems etc., even cryptography and more recently “crypto-coins” and the blockchain, have had investor bubbles, often up to three in succession, until either the market splits into other markets or some level of stability is achieved, even if it is zero further market.

All that really matters is that you are aware of it and you get your timing right so you don’t get the cold bath…

[1] But all things come to pass and the MFC of thirty years ago is now but a memory to the few and a “campfire story” for most. But though less used MFC is still with us and the latest update was oh nine days ago… And yes people still keep secrets about it…

MikeA November 18, 2022 12:03 PM

I wouldn’t say we are still using the same infrastructure.

From where I sit, pretty much nothing (other than museum pieces) is “the same” as it was a month ago, let alone years. And it appears that very little testing is done before it is fired-and-forgotten at the “user” (victims)

Right now I am trying to understand what my ISP is trying to say about my email. They say “some devices may not work” with their new mail scheme, but won’t say why (although the characters “tls” appear in a url that points to a page that doesn’t discuss it). Or what sort of devices, or how old the device or OS might be.

They generously offer to let me access my email via a web interface, but not when that might be working. And they provided a “testing address” that does sod-all when tested.

“Same” I could wish.

Fuelon November 18, 2022 1:22 PM

Please EM, keep doing whatever you’re doing!

I don’t think Twitter employees have done anything to sabotage EM. EM is the sole author of the meltdown we are witnessing at Twitter.

Please pass the popcorn.

Clive Robinson November 18, 2022 2:32 PM

@ Fuelon,

Re : Popcorn

“Please pass the popcorn.”

We are a capatalist “democracy” run by libertarians so bring your own 😉

Even in Roman times only the Romans in Rome got “bread and circuses”.

SpaceLifeForm November 18, 2022 9:47 PM

@ AlanS

https://www.emptywheel.net/2022/11/18/three-things-twitter-death-watch-in-progress/

FYI: You do not need to go thru the effort of creating a link using href, you just cut and paste the URL, and it will magically turn into a clickable link after Submit by the blog software.

You can defeat that behavior by prepending a single or double quote.

‘https://www.emptywheel.net/2022/11/18/three-things-twitter-death-watch-in-progress/

“https://www.emptywheel.net/2022/11/16/three-things-the-early-bird-got-wormed/

The advantage of the prepend is that the reader can not accidentally click on it (or touch it on mobile). And on mobile, the reader may not want to pull it up because they want to save on their data plan. Especially, if it is a youtube video for example. So, it forces you, the reader, to make a conscious decision to cut and paste the URL into another browser window or tab.

‘https://t.co/elon

That is a youtube video, but you can not tell by just parsing the URL.

It redirects to

‘https://www.youtube.com/watch?v=dQw4w9WgXcQ

Ismar November 19, 2022 12:07 AM

Thanks to those who commented on my general remark (although I think there was some confusion about the intended usage of the word ‘same’)
I now think I may have the answers to the (apparent) paradoxical nature of the relationship between the tendencies of this blog to paint a gloomy picture of digital security (and all other kinds impacted by it), and the actual fact that we can still derive so much benefit from it.
Namely, the reason it is still functioning despite obvious shortcomings is that we are borrowing from the vast (but not unlimited) pool of robustness inbuilt into our own mental and physical resilience, afforded to us by a long evolutionary process.
However, as the vulnerabilities become more frequent and severe in their nature (perpetuated by the level of digital integration with our everyday existence), there will be a point where our adaptive ability will fail and we will, as a species, cease to exist (or at least suffer a huge blow which will limit us to basic survival for centuries to come).
Bleak enough for this blog?

SpaceLifeForm November 19, 2022 1:11 AM

@ Ismar

Accurate.

It may be bleak, but we do what we can do, hopefully help others, and soldier on. I hope that is what people that care about society do.

lurker November 19, 2022 4:04 PM

@SpaceLifeForm, re deathwatch

If as EW reports the whole of payroll and taxes is MIA then we might expect IRS to be hovering around the crater?

Clive Robinson November 19, 2022 7:25 PM

@ Ismar, SpaceLifeForm, ALL,

“Bleak enough for this blog?”

This blog is not bleak or gloomy; if you look you will see much humour tucked away. But the subject matter unfortunately is frequently not just bleak and gloomy, it can be worse, a lot worse, as unfortunately it often involves pain, suffering and loss, and these days has escalated close towards, if not crossed, the line to death, thus effectively being murder.

Look at it this way,

“Medical science is driven forward by untimely death and disability”

Both of which are bleak and gloomy and we all currently face one way or another, the only real questions being “When?” and “How unpleasantly?”.

In order to limit the death and disability from impairing the community untimely, the practitioners have to figuratively and sometimes actually immerse themselves to the elbows[1] in blood, guts, gore, and bodily emissions and much else to understand the drivers of disease and how to change, limit, or prevent them.

What we discuss here is often years if not decades ahead of what eventually happens. The fact that we as a community get it right so often and so far in advance of most others in ICTsec and the ICT industry and academia is because we openly discuss the little things that join up to be major things down the line…

Yesterday our host had a thread about a successful attack on an allegedly proven safe / secure system “Time-Triggered Ethernet” (TTE), specified in SAE AS6802 and used in vehicles where small issues make big holes in the ground and people.

As I pointed out[2] the issue was possible because,

“The problem arises because TTE does something incredibly dumb.”

So dumb it has been repeatedly discussed on this blog in the past with regards ICT security failings.

Worse, in their proofs of security they had completely ignored a whole class of attack (Active EM Fault Injection). Which has also been discussed on this blog almost from the first threads…

The TTE specification came about in 2011, long after these security failings had been publicly discussed…

As I’m known to observe from time to time, one of the most obvious characteristics of the ICTsec industry is the fact that,

It does not learn from even its very recent history.

In fact it’s rare to find ICTsec history being taught.

I know there are at least six Professors who read this blog, yet even they do not teach ICTsec history to any great extent. In fact the number of books on the subject is very small, and can probably be counted on one or maybe two hands over the entirety of this century…

Now that is a good reason to be despondent and gloomy because all it promises is a bleak future…

But will it be “existential”? I personally don’t think so. Why? Because I do study “industrial history” out of personal interest, and the one thing that has always happened so far with technology is that when lives get lost, people get upset, which means others get “politically” upset and technology gets its wings clipped to keep its feet firmly on the ground.

[1] Or worse… An early test for the then fatal Diabetes Mellitus was for the doctor to taste the patient’s urine for “sweetness” (Diabetes Mellitus translates more or less as “sweet night urination”). Though sniffing the halitosis and sweat for sweet acetone / pear drop odours for signs of near fatal ketosis also works.

[2] https://www.schneier.com/blog/archives/2022/11/successful-hack-of-time-triggered-ethernet.html/#comment-412629

Clive Robinson November 19, 2022 8:19 PM

@ lurker, SpaceLifeForm, ALL,

Re : Implosion crater.

Read what has been said on Empty Wheel carefully.

With regards,

“If as EW reports the whole of payroll and taxes is MIA”

Not so much MIA but “locked out”

Piecing things together,

1, A lot of staff have been terminated.
2, Some have been called back.
3, Some are “home working”
4, The office is locked but somebody left the lights on.

It’s important to note the last two. As I understand it the “support staff” like cleaning got terminated(1), necessitating the office to be closed(4) hence some admin staff are working from home(3).

Whilst this will show immediate savings on “payroll” which will please investors and similar, it will create confusion and thus slow things down, as well as being more costly in the long term, but that’s not “this quarter’s” worry.

Elmo has to make this quarter’s figures look “magic” and I suspect they will indeed look interesting.

However, whilst investors are the immediate issue, falling ad revenue is the real concern. I think at least six of the biggest advertisers have publicly said they have put a temporary hold on Twitter advertising. There is no way that can not hurt, but that won’t come through until next quarter’s figures.

That gives Elmo a three month window to try and get the advertisers back on line.

He has way too many “balls in the air” and some will inevitably have to get dropped. The question is which will bounce and which will splat; if only those that will bounce get dropped then they can still be caught at a later time.

One thing Elmo can do is dig out dirt on previous office holders and use it to show regulators that they had to go.

It’s acceptable to turn bad apples out of a barrel, even if it makes the barrel come up well short. The view point being half a barrel of good apples is better than an entire barrel of rotten apples.

This show is probably far from over, and there are so many snakes involved that the twists and turns are going to be a great many.

When you get to play games at this level it’s all about showmanship and presentation and talking your way ahead of others so the legal and other teams can have time to back stop your play.

Whilst there are a lot of rats in the bag, the cats in there with them are more intent on fighting each other. If I was in that bag, I’d be looking not just for a quick way out, but by a route the cats can not follow.

I suspect that Twitter 2.0 can not arise from any current staff, because of either “non compete” or other clauses in their contracts. Most will be constrained by the legal notion that any ideas they have over the next couple of years will be because of what they learned at Twitter, thus legally belong to Twitter. Future employers will be mindful of this because of what has happened in the “self-drive” area.

SpaceLifeForm November 19, 2022 9:36 PM

@ Clive, lurker, ALL

Re: Twitter implosion

As I said, I do not believe Twitter will die.

There are tweepers that are not locked out. More than you would guess.

They are working from home even though their badges may not be working.

Connect dots. I have dropped a hint previously.
