Over the last 24 hours, the Twitter landscape has seen several official accounts hacked. The same Tweet was posted thousands of times. It was about the political conflict between Turkey and Holland:
Many other accounts were affected (like the one of the EU Commission). Usually, Twitter accounts are hijacked simply because of weak credentials and the lack of controls like 2FA. But this time, it was different. What do all those accounts have in common? They used a third-party service called Twitter Counter [Note: the Twitter Counter web site is currently “under maintenance”]. This service, amongst hundreds of others, offers nice features on top of Twitter to give your account better visibility. To achieve this, such services request access to your account. Access levels range from reading your timeline and seeing who you follow, through posting Tweets, up to changing your settings. More info is provided here by Twitter. To me, those services are comparable to plugins for a modern CMS: they provide nice features but can also increase the attack surface. That’s exactly the scenario seen today.
How to protect against this kind of attack? First, do not link your Twitter account to untrusted or suspicious applications. And, exactly like with mobile apps, do not grant access to everything! The principle of least privilege must be applied. Why allow a statistics service to change your settings if read-only access to your timeline is sufficient?
Finally, the best advice is to visit the following link at regular intervals: https://twitter.com/settings/applications. During your first visit, you could be surprised to find so many applications linked to your account! Here is a small example:
Ideally, review this list at regular intervals and revoke access for applications that you don’t use anymore, for apps where you don’t remember why you granted some permissions, and for any other suspicious app! Tip: Create a reminder to perform this task every x months.
Oh, don’t forget that the same applies to other social networks too, like Facebook.