Tag Archive for: twitter

Twitter glitch allows CIA informant channel to be hijacked


  • By Joe Tidy
  • Cyber correspondent


A cyber-security researcher has exploited a glitch on the CIA’s official Twitter account, to hijack a channel used for recruiting spies.

The US Central Intelligence Agency (CIA) account on X, formerly known as Twitter, displays a link to a Telegram channel for informants.

But Kevin McSheehan was able to redirect potential CIA contacts to his own Telegram channel.

“The CIA really dropped the ball here,” the ethical hacker said.

The CIA is a US government organisation known for gathering secret intelligence information, often over the internet, from a vast network of spies and tipsters around the world.

Its official X account, with nearly 3.5 million followers, is used to promote the agency and encourage people to get in touch to protect US national security.

Biggest fear

Mr McSheehan, 37, who lives in Maine, in the US, said he had discovered the security mistake earlier on Tuesday.

“My immediate thought was panic,” he said.

“I saw that the official Telegram link they were sharing could be hijacked – and my biggest fear was that a country like Russia, China or North Korea could easily intercept Western intelligence.”

At some point after 27 September, the CIA had added to its X profile page a link – https://t.me/securelycontactingcia – to its Telegram channel containing information about contacting the organisation on the dark net and through other secretive means.

The channel said, in Russian: “Our global mission demands that individuals be able to reach out to CIA securely from anywhere,” while warning potential recruits to “be wary of any channels that claim to represent the CIA”.

Image caption: Anyone clicking on the link was directed to Mr McSheehan’s Telegram channel

But a flaw in how X displays some links meant the full web address had been truncated to https://t.me/securelycont – an unused Telegram username.

As soon as Mr McSheehan noticed the issue, he registered the username so anyone clicking on the link was directed to his own channel, which warned them not to share any secret or sensitive information.
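The mechanism described above is a display-truncation problem: the profile shows a link whose visible, clickable form is a strict prefix of the intended URL, and on Telegram that prefix is itself a valid, registrable username. The check below is an added example written for this archive, not code from the BBC or from any party in the story; it takes the link an account owner meant to publish and the link as it is actually rendered, extracts the Telegram username from each, and flags the case where the rendered username is a truncated prefix of the intended one. The two sample URLs are the ones quoted in the article; everything else (function names, the verdict dictionary) is an assumption of this example.

```python
from urllib.parse import urlparse

# Hosts that serve Telegram profile links; the first path segment is the username.
TELEGRAM_HOSTS = {"t.me", "telegram.me"}


def telegram_username(url):
    """Return the lower-cased Telegram username a t.me-style link resolves to,
    or None if the URL is not a Telegram profile link."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return None
    if parsed.netloc.lower() not in TELEGRAM_HOSTS:
        return None
    segments = [s for s in parsed.path.split("/") if s]
    if not segments:
        return None
    # Telegram usernames are case-insensitive; normalise so comparisons are stable.
    return segments[0].lstrip("@").lower()


def check_rendered_link(intended_url, rendered_url):
    """Compare the link an account owner intended to publish with the link as
    the platform actually renders it. Returns a verdict dictionary (names are
    this example's own): ok=True only when both resolve to the same username."""
    intended = telegram_username(intended_url)
    rendered = telegram_username(rendered_url)
    verdict = {"intended": intended, "rendered": rendered, "ok": False, "reason": ""}

    if intended is None:
        verdict["reason"] = "intended link is not a Telegram profile link"
        return verdict
    if rendered is None:
        verdict["reason"] = "rendered link does not resolve to a Telegram username"
        return verdict
    if rendered == intended:
        verdict["ok"] = True
        verdict["reason"] = "rendered link matches the intended username"
        return verdict
    if intended.startswith(rendered):
        # The dangerous case from the article: the visible link was cut short and
        # the shorter string is a different, possibly unregistered, username.
        verdict["reason"] = ("rendered link is truncated to a prefix of the intended "
                             "username and points at a different account")
        return verdict
    verdict["reason"] = "rendered link points at a different username"
    return verdict


if __name__ == "__main__":
    # Constructed sample pair taken from the values quoted in the article.
    intended_link = "https://t.me/securelycontactingcia"
    rendered_link = "https://t.me/securelycont"
    print(check_rendered_link(intended_link, rendered_link))
```

The same comparison applies to any shortened or previewed link: whenever a platform rewrites or abbreviates a URL for display, the check an owner wants is that the rendered form still resolves to the handle they registered, not merely that it looks similar.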

“I did it as a security precaution,” he said.

“It’s a problem with the X site that I’ve seen before – but I was…


SEC Probes Twitter Security Lapse Before Elon Musk Took Over


The Securities and Exchange Commission is investigating how Twitter Inc. managed a 2018 security lapse that exposed personal user information before billionaire Elon Musk bought the social media platform last year. The agency has been scrutinizing whether the former top executives failed to adequately disclose those privacy issues to shareholders or put in place proper controls, according to people familiar with the matter who asked not to be identified discussing a confidential investigation. A bug on the social media platform had let outsiders view user email addresses during password resets, which revealed the identity of users, said one of the people.

The executives in charge at the time included Twitter’s former Chief Financial Officer Ned Segal and former Chief Technology Officer Parag Agrawal, who became chief executive officer in 2021 after co-founder Jack Dorsey left the company. Dorsey was CEO in 2018.

It isn’t clear whether an enforcement action will result from the review or when it will wrap up, the people said. None of the former executives has been accused of any wrongdoing.

Agrawal and Segal were ousted last year after Musk purchased the company for $44 billion. Musk, who changed the platform’s name to X Corp., hired an outside law firm to do an internal investigation of complaints about lax computer-security measures at the company after he took over.

The SEC and a spokesman for Segal declined to comment. Spokespeople for X Corp. and Dorsey and a lawyer for Agrawal didn’t respond to requests for comment.

Twitter suffered several security breaches in 2018, including discovery of a computer virus that left users’ passwords exposed and a security flaw in Twitter’s system that made it possible to identify the country codes of Twitter users’ phone numbers. That misstep may have allowed wrongdoers to identify countries where accounts were based.

The SEC has been probing the actions of players in Musk’s controversial buyout of Twitter for months after questions arose about management of the social-media firm and the billionaire’s moves in acquiring it. The agency sued Musk Thursday seeking to force him to testify about whether his actions in the run-up to his Twitter…


Hacker responsible for 2020 Twitter breach sentenced to prison


Three years after one of the most visible hacks in recent history played out in real-time in front of millions of Twitter users, one of the hackers responsible for the breach will now serve time in federal prison.

Joseph James O’Connor, 24, was sentenced Friday in a New York federal court to five years in prison after pleading guilty in May to four counts of computer hacking, wire fraud and cyberstalking. O’Connor also agreed to forfeit at least $794,000 to the victims of his crimes.

O’Connor, a U.K. citizen, was extradited from Spain at the request of U.S. prosecutors earlier this year and has remained in custody since.

In the hearing, Judge Jed S. Rakoff said O’Connor will likely serve about half of his sentence after spending more than two years in pre-trial custody.

O’Connor faced a maximum of 77 years in prison, according to Reuters. Justice Department prosecutors called for O’Connor to serve at least seven years in prison.

In court, O’Connor said his crimes were “stupid and pointless,” apologized to his victims, and asked the judge for leniency.

According to prosecutors, O’Connor “used his sophisticated technological abilities for malicious purposes — conducting a complex SIM swap attack to steal large amounts of cryptocurrency, hacking Twitter, conducting computer intrusions to take over social media accounts, and even cyberstalking two victims, including a minor victim.”

The government said O’Connor, known by his online handle PlugWalkJoe, was part of a group that broke into dozens of high-profile Twitter accounts, including Apple, Binance, Bill Gates, Joe Biden and Elon Musk, to spread cryptocurrency get-rich-quick scams in July 2020.

O’Connor used phone-based social engineering techniques to trick Twitter employees into granting the group of hackers access to Twitter’s network. One of the other hackers convicted of the Twitter breach, Graham Ivan Clark, also known as Kirk, used the access to Twitter’s network to abuse an internal admin tool to hijack and reassign Twitter user accounts.

Image caption: A screenshot of the Twitter admin panel that the hackers breached in order to reassign access to Twitter user accounts. Image Credits: TechCrunch
