Hackers Prove How Easy It Is to Take over Twitter Accounts by Hijacking Jack Dorsey's Profile
What are the consequences of a compromised social network account? It's fair to say that it largely depends on who owns the said account. For most regular users, it's but an inconvenience which, provided they pay enough attention to their online security, shouldn't cause too much pain. For people who have many followers and make money out of their social media presence, the impact is much more significant.
When a person in charge of a social media website gets their account compromised, however, the level of embarrassment, both for the said person and for the platform they look after, is truly enormous. Co-founder and CEO of Twitter Jack Dorsey knows this feeling all too well.
On Friday, Dorsey's 4.2 million followers on Twitter suddenly witnessed an unusual stream of tweets. It was unusual for two different reasons. First, although he runs the platform, Dorsey isn't exactly the most active Twitter user in the world, and he rarely posts multiple updates within a short time frame. More importantly, however, the tweets weren't really befitting the CEO of a major Silicon Valley company. They contained racist slurs and messages that were completely out of context. People immediately suspected that Dorsey's account might have been hacked, and the #ChucklingSquad hashtag cleared all doubts.
As The Verge pointed out, Chuckling Squad is a group of cybercriminals trying to make a name for themselves by hacking the accounts of a number of celebrities and social media personalities, and Jack Dorsey is their most high-profile victim to date. The rogue tweets were swiftly removed, and Twitter admitted that its CEO had indeed had his account compromised. But how did the Chuckling Squad do it?
Jack Dorsey fell victim to a SIM swapping attack
Dorsey is far from the first Silicon Valley CEO to have his social media profile hijacked. A couple of years ago, hackers famously broke into multiple accounts that belonged to Mr. Social Network himself, Mark Zuckerberg. They did it after figuring out that Facebook's CEO isn't a huge fan of two-factor authentication and uses a woefully simple password to protect his accounts.
In fact, the feeling of losing control of your account at your very own platform isn't new for Jack Dorsey, either. In 2016, cybercriminals exploited some unused third-party apps to send a few rogue tweets on Dorsey's behalf.
During Friday's attack, however, the crooks didn't use a third-party app, and they didn't guess Dorsey's password either. Instead, they took over the account using a technique called SIM swapping.
In a SIM swapping attack, the criminals convince the mobile service provider to activate a new SIM card for the victim's phone number. From that point on, the number is under their control and they can impersonate the target; in Jack Dorsey's case, that included posting tweets on his behalf.
They were able to do that because Dorsey's microblogging platform has had a feature called "Twitter via SMS" for a while now. It is available to users in quite a few countries, and as you might imagine, it lets account owners send texts that appear as tweets on their profile. Using a set of commands, they can also retweet and like updates by other people, follow, block, and send direct messages to other accounts. After hijacking Jack Dorsey's phone number, the criminals were able to do all these things as well, because the feature trusts the sending phone number as proof of who the account owner is.
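The weakness described above is that a post-by-SMS feature treats the sender's phone number as the only proof of identity, so whoever controls the number controls the account. The following is an added example (not Twitter's code, and not from the original article) of how a service could harden such a gateway on its own side: the account must have opted in, the SIM identifier (ICCID) the carrier currently serves for the number must match the one recorded at enrollment, unknown commands are rejected, accepted commands are rate limited, and a detected SIM change freezes SMS commands until the owner re-enrolls through an authenticated web session. The carrier lookup, the account names, phone numbers, ICCIDs and the command vocabulary are all constructed assumptions for this example; real services would obtain the SIM-change signal from a carrier or a commercial SIM-swap-check API, and where none is available the same freeze-and-re-enroll flow can be triggered by the user instead.

```python
"""Hardened SMS command gateway (illustrative, added example; not Twitter's code).

Treats the sender phone number as a weak identifier and layers additional
checks on top of it so that a hijacked number alone is not enough to act
as the account owner.
"""
from collections import deque
from dataclasses import dataclass, field

# Command vocabulary modelled on the feature set described in the article
# (post, retweet, like, follow, block, direct message). Constructed names.
COMMANDS = {"post", "rt", "fav", "follow", "block", "dm"}
RATE_LIMIT = 5          # accepted commands per window
RATE_WINDOW_S = 60      # sliding window length in seconds


@dataclass
class SmsEnrollment:
    account: str
    phone: str
    iccid: str                    # SIM identifier recorded at enrollment (assumed signal)
    opted_in: bool = True
    frozen: bool = False
    recent: deque = field(default_factory=deque)  # timestamps of accepted commands


class SmsGateway:
    def __init__(self, enrollments, carrier_iccid_lookup):
        self._by_phone = {e.phone: e for e in enrollments}
        # phone -> ICCID the carrier currently serves (constructed oracle)
        self._carrier = carrier_iccid_lookup

    def handle(self, sender, text, now):
        """Return ("accept", action) or ("reject", reason) for one inbound SMS."""
        e = self._by_phone.get(sender)
        if e is None or not e.opted_in:
            return ("reject", "number not enrolled for SMS commands")
        if e.frozen:
            return ("reject", "SMS commands frozen pending re-enrollment")
        # A swapped SIM carries a different ICCID than the one enrolled.
        if self._carrier(sender) != e.iccid:
            e.frozen = True
            return ("reject", "SIM change detected; frozen until owner re-enrolls")
        verb, _, arg = text.strip().partition(" ")
        verb = verb.lower()
        if verb not in COMMANDS:
            return ("reject", f"unknown command {verb!r}")
        # Sliding-window rate limit: drop timestamps outside the window.
        while e.recent and now - e.recent[0] > RATE_WINDOW_S:
            e.recent.popleft()
        if len(e.recent) >= RATE_LIMIT:
            return ("reject", "rate limit exceeded")
        e.recent.append(now)
        return ("accept", f"{e.account}: {verb} {arg}".rstrip())

    def re_enroll(self, account, new_iccid):
        """Re-bind the account to its current SIM. Must only be reachable from
        an authenticated web session, never from an SMS command."""
        for e in self._by_phone.values():
            if e.account == account:
                e.iccid = new_iccid
                e.frozen = False
                e.recent.clear()
                return True
        return False


def demo():
    """Walk through a constructed SIM-swap scenario and return the outcomes."""
    carrier_state = {"+15550100": "ICCID-ORIG"}          # constructed carrier view
    gw = SmsGateway([SmsEnrollment("alice", "+15550100", "ICCID-ORIG")],
                    lambda phone: carrier_state.get(phone))
    out = [gw.handle("+15550100", "post hello from my phone", now=1000)]
    carrier_state["+15550100"] = "ICCID-NEW"             # number moved to a new SIM
    out.append(gw.handle("+15550100", "post this is not alice", now=1001))
    out.append(gw.handle("+15550100", "dm @someone hi", now=1002))   # still frozen
    gw.re_enroll("alice", "ICCID-NEW")                   # owner confirms via web login
    out.append(gw.handle("+15550100", "post back in control", now=1003))
    return out


def rate_limit_demo():
    """Send RATE_LIMIT + 1 commands in one window; return the last verdict."""
    gw = SmsGateway([SmsEnrollment("bob", "+15550199", "ICCID-B")], lambda p: "ICCID-B")
    result = None
    for i in range(RATE_LIMIT + 1):
        result = gw.handle("+15550199", "fav 42", now=2000 + i)
    return result


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
    print(rate_limit_demo())
```

The design choice worth noting is that the freeze is one-way from the SMS channel: nothing the attacker can send from the hijacked number lifts it, only an authenticated session on the website can, which keeps the phone number from being a single point of failure for the account.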
Twitter says it's not to blame
In the wake of the attack, Twitter said in a series of tweets that the whole thing was the result of "a security oversight by the mobile provider". The communications team stated that Twitter's own systems had not been compromised, and it declined to say what mechanisms would prevent similar attacks in the future.
It basically sounds like Twitter thinks that all the blame should be laid at the mobile service provider's doorstep, which is controversial at best. Indeed, Dorsey's telco didn't do enough to protect his phone number, and this in itself is pretty worrying considering the amount of damage that can be done with a single hijacked number.
On the other hand, however, online services like Twitter should do whatever they can to limit this damage as much as possible, and the way the microblogging website responded to the attack doesn't really suggest that it's taking this responsibility very seriously. SIM swapping is a fairly old trick now, and it should be a part of everyone's threat model. Unfortunately, telecommunications providers are certainly lagging behind when it comes to prevention, and if anything, this should be even more of an incentive for security people to do everything they can to protect us.