Tag Archive for: twitter

Welcome to open source, Elon. Your Twitter code just got a CVE for shadow ban bug • The Register


The chunk of internal source code Twitter released the other week contains a “shadow ban” vulnerability serious enough to earn its own CVE, as it can be exploited to bury someone’s account out of sight “without recourse.”

The issue was discovered by Federico Andres Lois while reviewing the tweet recommendation engine that’s said to power Twitter’s For You timeline. This system was made public by Twitter on March 31, adding to the libraries of open source software it already released over years, long before Elon Musk took over.

That recommendation engine, we’d like to quickly note, seems more of a curiosity than anything else: while it shows what kinds of tweets and engagement are deemed important or harmful to Twitter, we’re not sure there’s enough there to do anything terribly practical with it, in terms of building your own social network or offering to improve Elon’s. It’s more marketing sauce than open source.

According to Lois’s study of the engine bug he found, coordinated efforts to unfollow, mute, block and/or report a targeted user apply global reputation penalties to the account that are practically impossible to overcome, because of how Twitter’s recommendation algorithm weights negative actions.

As a result, Lois said, Twitter’s current recommendation algorithm “allows for coordinated hurting of account reputation without recourse.” Mitre has assigned CVE-2023-23218 to the issue.

Because this bug is in Twitter’s recommendation algorithm, accounts that have been subject to mass blocking are essentially “shadow-banned”: they won’t show up in recommendations, and the user is never told they’ve been penalized. There seems to be no way to correct that kind of action, and it ideally shouldn’t be possible to game the system in this way, but it is.

Lois pointed to several examples of Twitter users encouraging mass follows and unfollows, blocking and other actions that have disproportionately negative weight on targeted accounts as examples that the behavior is being exploited in the wild. Lois also said apps such as Block Party, which allow Twitter users to mass-filter accounts, are formalized tools that – whether intentional or not – end up having…


Twitter silent as hackers scam users with stolen high-profile verified accounts


Looking at Jase Robertson and David Dayen, you wouldn’t think the two of them have much in common. Robertson is known for his time on the A&E reality TV show Duck Dynasty. He currently hosts a show on the conservative digital outlet TheBlaze. David Dayen is a longtime progressive journalist and executive editor for The American Prospect magazine.

However, over the past few weeks, tweets from both Robertson’s and Dayen’s Twitter accounts have been sharing the exact same messaging.

[Image: A tweet from Jase Robertson’s hacked Twitter account. Credit: Mashable Screenshot]

“Hello twitter family !” begins the tweets posted to both accounts. “I have 10 MacBooks that I will personally sign myself , that you can purchase for $600 and free Shipping ! First come first serve basis , and all proceeds will be going to charity ! MY DMS ARE OPENED IF INTERESTED”

Included in each account’s tweets is the exact same photo of a MacBook Pro sitting on wood flooring. What’s going on here? Have Dayen and Robertson put their political differences aside and started an Apple reselling business?

No. They’ve been hacked, along with a slew of other legacy verified accounts on the social media platform. And Twitter has been silent on the matter.

Even though some of these accounts have been hacked for weeks now, Twitter has not suspended them, allowing the hackers to scam users out of thousands of dollars, if not more.

[Image: A tweet from David Dayen’s hacked Twitter account. Credit: Mashable Screenshot]

Dayen tells Mashable that he was originally hacked last summer after clicking on a malicious link which provided bad actors with access to his account. He says his account was quickly suspended by Twitter then, well before Elon Musk acquired the company. When he regained access about a month later, Dayen quickly activated two-factor authentication on his account. Enacting this security measure should’ve made another hack extremely difficult to carry out.

However, here the @ddayen Twitter account is, just 6 months later, hacked and scamming the platform’s users.

Followers are falling for the scams

Mashable heard from at least one of Dayen’s followers who got scammed after seeing Dayen’s tweets. This person saw a tweet…


What should Musk do to better secure Twitter users after 2FA goes away?


In just two weeks, the ban on SMS two-factor authentication for non-subscribers on Twitter will go into effect, a move blasted by the majority of the security community.

While Twitter CEO Elon Musk has defended the move as a way to protect user security, most leaders aren’t buying it.

“Just from a purely pragmatic standpoint, this is basically stripping away the lowest threshold of 2FA out there without any sort of viable or easy replacement,” Andrew Shikiar, executive director of the FIDO Alliance, told SC Media.

SMS OTP has the benefit of being easy to use and of not requiring users to set up an authenticator app, all while bolstering password-only accounts. But the tool has a host of drawbacks, including an increased attack surface, susceptibility to spoofing, and codes that are sent in plain text, just to name a few.

Twitter’s decision to restrict the authenticator to paying subscribers led to outright mockery on its own platform, with many calling it a potential holiday for hackers.

Not only will it make users less secure, Shikiar said, it’s also unnecessary. Just because there may “be a business model behind it,” hidden behind the guise of innovation, does not make it the most cost-effective model. Standardizing remote ID identity verification, at a minimum, would be a better example of a shift that would actually lower costs, Shikiar said.

The laundry list of possible negative impacts of the controversial move is substantial, but there are a handful of positives: namely, that the company is working to move users away from SMS one-time-password authentication.

However, no one is defending the inherent vulnerabilities of OTP, as it’s a risky authenticator that doesn’t really prevent account takeovers, Shikiar explained.

Had Twitter announced a secondary solution, or provided users with education around viable alternatives, the shift would have been less controversial and supported Musk’s assertion that it was meant to protect user security — all while shutting down claims it was a cost-cutting effort in the face of mounting financial woes facing the company.

“But for the mainstream consumer audience, SMS OTP is better than a password alone, and it will thwart the vast majority…


Twitter Files: “Global Engagement Center” Abuses Preceded Angus King’s Blacklist


Have you noticed the narrative around “disinformation” changing recently?

In his new, self-styled outlet Racket News, Twitter Files journalist Matt Taibbi examines three interrelated streams of activity by the U.S. government, private consultants, and social media giants from 2015 to the present that – taken jointly – paint a troubling picture of efforts to “de-platform” voices it smeared as suspicious.

This analysis provides a new context in which to consider Sen. Angus King’s campaign reaching out to Twitter in 2018 to provide an “enemies list” of hundreds of “suspicious” accounts, many of which were Mainers and supporters of King’s opponent, State Sen. Eric Brakey (R-Androscoggin), in that year’s election.

By the time King’s campaign did it, conspiring with social media firms to blacklist, de-platform, and smear political critics had become a cultural norm within the Washington-Palo Alto circuit.

In his reporting Thursday, Taibbi looked at the Global Engagement Center (GEC), an internal sub-agency within the State Department created under the Obama administration. The U.S. developed the GEC as a tool for better monitoring what the rest of the world says about us and correcting misperceptions. But what began as Uncle Sam’s PR firm morphed into an information weapon used by the political establishment against its enemies.

Following the election of Donald Trump in 2016, GEC’s focus shifted from Islamic extremism to “fighting disinformation.” A new breed of “disinformation warriors” was born – young people with minimal world experience who were somehow able to make calls about what was probable Russian interference, or – once that chestnut had been played for well more than it was worth – domestic extremists.

There were, for example, GEC-funded activities The Maine Wire reported on last month that commingled financing with left-wing billionaire philanthropist George Soros’ Open Society Institute to create a “Disinformation Index” that included a number of prominent conservative news sites in the U.S.

Taibbi’s report shows how a diverse array of interests…
