It happened to Mark Zuckerberg. It happened to Sundar Pichai. It happened to Travis Kalanick. And it could happen to you, too.
Want to know how secure your Twitter account is? Here's an easy way to find out. Head to the Twitter applications settings page. There, you can see a full list of the third-party applications that have "write" access to your account: Apps that let you post to Twitter without being on Twitter dot com. A sliver of mine looks like this:
The point of giving third-party apps write access to your Twitter account is to make it easy to tweet about the stuff you do on these apps: For example, tweeting that you're listening to Justin Bieber on Spotify, or that you posted a picture of your dog on Instagram, or that you unfollowed 1,000 people in the previous week. It's supposed to make Twitter faster, more dynamic, and more open.
Over the past several weeks, however, a three-person hacking team called OurMine has made clear that years after the problem first came to light, third-party authentication is still a security nightmare for Twitter. By gaining access to apps with third-party write access, OurMine has been able to post to the Twitter accounts of tech bigwigs like Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Uber CEO Travis Kalanick. Thankfully — depending on your perspective — OurMine appears to be using these platforms to promote their fledgling security business. But it's very easy to imagine mischief of a much higher order: What would a tweet from Mark Zuckerberg's Twitter account that read "Due to illness, I'm stepping down as Facebook CEO" do to the company's stock price? To the stock market?
In other words, whichever write-authorized app connected to your Twitter is least secure — whether its a billion-dollar behemoth like Instagram or "Get It LIVE! by LiveMixtapes.com," which I apparently authorized at some point in 2011 so I could download a mixtape — is exactly how secure your Twitter account is.
True, these hacks usually don't give the hacker access to DMs or Twitter settings. But in 2016, when everyone from news organizations to financial firms use Twitter to make and announce important decisions, hijacked posting privileges are a big deal. And if it can happen to three of the most powerful people in tech, it can happen to anyone.
The scope of the problem is enormous. OurMine told BuzzFeed News that the apps it hacked to gain access to Twitter accounts ranged from the question-and-answer site Quora, to the URL shortener Bitly, to the social media manager Sprout Social. Though Twitter would not provide BuzzFeed News with the number of apps that can be authorized to write to accounts, practically any app can get this access. I have 29 apps that enable writing, and I hardly used Twitter before 2013. Taken together, the universe of third-party apps with Twitter write access offers hackers myriad ways to mess with users' Twitter accounts. Security experts call that an "attack surface," and for Twitter, this surface is planet-sized and full of holes.
"Any time you allow one application to post to another on your behalf, you are inviting security issues," Steve Manzuik, director of security research at Duo Security, told BuzzFeed News.
That's been true for some time, and it's hardly only true for Twitter. Any platform that allows trusted access by a third party necessarily relies on the security of that party. That's great and convenient if you're using your Google information to log into a smaller website; Google is a huge company with a massive security apparatus. It's much less good if you've given a variety of quasi-defunct (Seesmic, anyone?) or small apps lacking robust security precautions access to a major platform like Twitter or Facebook.
"When you’re dealing with large systems, it is much easier to breach them going through a weak partner," said Joseph Steinberg, CEO of SecureMySocial.
Still, the public nature of Twitter, whose main point is to share information as quickly and widely as possible, has made these attacks a much bigger issue for Jack Dorsey's company than they are for Facebook. And there's very little Twitter can do to solve the problem that doesn't defeat the incentives for third-party writing privileges in the first place: Speed and functionality. Adding layers of security — like an extra login — to access Twitter through a third-party app defeats the purpose of speedy cross-platform sharing. And disabling third-party writing would anger developers and hurt engagement, a cost Twitter probably isn't willing to bear.
If Twitter has any plans to address the problem, it isn't saying. A Twitter representative referred BuzzFeed News to the service's online help center in response to a question about third-party vulnerabilities.
There aren't a lot of obvious fixes Twitter could make, short of disabling third-party writing privileges. Culling old or defunct apps from the list of write-approved third parties might help, but Quora, the app used to hack Pichai and Kalanick, is valued at $900 million. In fact, large sites and apps are likelier targets for the data breaches where hackers find the login credentials that they then use to write to Twitter. That means the main way to stay safe from attacks like the ones against Zuckerberg and Kalanick is to revoke access to all the apps that have writing privileges to your account. That's something most users will probably not take the time to do.
The fact that Twitter allows these issues to persist may limit how seriously the public takes the service. If hacks of this kind are the acceptable price of having an open and convenient platform, a Twitter account can't really be thought of as an essential component of a person or organization's web presence the way a trusted utility, like email, is. Imagine how much more alarmed the reaction would be to messages coming from a hacked Zuckerberg or Pichai or Kalanick email account.
Indeed, the Twitter defacements have become so common in recent weeks that they're starting to hardly feel like news. That might be bad news for hackers trying to get attention. But for Twitter, which has staked its business on being the first place that people come to for information, it's even worse.