Twitter Hacking Exposes More Than One Company's Vulnerability
On Wednesday the world was reminded just how precarious and fragile our modern centralized web has become when a Twitter security breach allowed attackers to gain control of a number of high-profile accounts, including those of Barack Obama and Joe Biden, and tweet under their names. As government leaders worldwide increasingly announce official policies on the platform and the public uses it as a de facto news aggregator, the recent episode offers lessons about the dangers of trusting one company with so much responsibility.
The web was originally built as a decentralized network in which no single country or company controlled any measurable portion. This design ensured that while countries like China could censor speech within their own borders, they could do little to suppress ideas beyond them. As social media platforms have become the new web hubs, they have centralized global communication within their digital walls, establishing a single set of rules for the entire world and in the process creating a single target for the world’s hackers.
While Twitter has released few details about Wednesday’s attack, it has acknowledged that “a coordinated social engineering attack … successfully targeted some of our employees with access to internal systems and tools,” which allowed the hackers to take control of accounts. In addition, the company is “looking into what other malicious activity they may have conducted or information they may have accessed.” Thus far Twitter has not ruled out that private direct messages may have been accessed, including those of Obama and Biden, which could be released ahead of the election -- as was done with John Podesta’s emails in 2016.
The centralized nature of Twitter means that by compromising its internal systems, hackers could tweet as almost any public figure, company, news outlet or even government in the world, given Twitter’s role as global publisher. While tweeting as Elon Musk or Apple could have negative impacts on their respective brands, Twitter’s centralization of journalism and governmental publishing means the company’s systems could in theory be used to start an actual war or throw an election into chaos.
Imagine if the attackers had tweeted a declaration of war against Iran from President Trump’s account, while tweeting supposedly official statements by various U.S. military and civilian leaders announcing imminent military strikes? Or a tweet taking credit for the recent explosions in Iran and daring the regime to retaliate against the U.S.? Timed at the right moment, it is conceivable that one could start a destructive chain reaction. As conservative personality Mike Cernovich put it so succinctly, “Twitter admins have the power to post on behalf of world leaders. One employee could start WWIII with a tweet.”
Most of the world’s major news outlets and their journalists have Twitter accounts, meaning that hacking the platform offers the ability to publish under the byline of any news source. When the Associated Press’ Twitter account was compromised in 2013 and used to tweet that an explosion at the White House had injured President Obama, other news operations were able to debunk the story within minutes using their own Twitter accounts. By taking over Twitter itself, however, an attacker would control all of those accounts, allowing the hacker to tweet a story from multiple news sources and “verify” it by tweeting supporting statements from other outlets.
What if instead of soliciting bitcoin “investments” in July, a coordinated attack were to spread a massive fake exposé about Biden or President Trump on Election Day? With the Twitter accounts of major news outlets all publishing a regular stream of supposed updates on the exposé, and the accounts of elected officials and pundits and journalists all commenting on the fraudulent updates, the election’s legitimacy would be thrown into doubt. Had an attack of this sort happened a few weeks ago, at the height of the George Floyd protests, one can only imagine what havoc it might have wrought.
As Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, put it, “We are lucky that, given the power of sending out tweets from the accounts of many famous people, the only thing that the hackers have done is scammed about $110,000 in bitcoins from about 300 people.”
Yet amid the potential chaos of bogus tweets, a second story emerged that reminds us just how little we know about Twitter’s moderation systems. Screenshots emerged purporting to show Twitter’s internal systems, which indicated that users could be placed on a “Trends Blacklist” or “Search Blacklist.” While the company has yet to confirm the authenticity of the images, it suspended users for sharing them. Twitter’s Vice President of Global Communications Brandon Borrman further confirmed late Wednesday night that the company does maintain search and trends blacklists, claiming that the company has “always been clear that not all Tweets or accounts can appear in Trends or search.”
The company has long denied that it engages in such “shadow banning,” which it defines as “deliberately making someone’s content undiscoverable to everyone except the person who posted it, unbeknownst to the original poster.” When select user accounts disappeared from searches in 2018 due to a technical error, the company explicitly denied the existence of blacklists, though it has always acknowledged that it “filters searches for quality” and “may prevent certain content from trending.”
That it took Twitter being hacked and internal screenshots being leaked to verify the existence of such blacklists reinforces just how little visibility we have into how social platforms work. How many users are on these blacklists and what are the circumstances under which they were added? We simply have no idea. Until Wednesday night we didn’t even have proof these lists existed.
If the only users added to them are those sharing illegal content, harassing, stalking or doxing users or publishing threats of violence, then perhaps there is little to worry about. At the same time, it would seem that if these were the main reasons a user is blacklisted then the company would not have kept the practice under wraps and would have simply banned the users from its platform rather than placing them on secret blacklists. Unfortunately, concerns over the growing power of private companies over public speech are typically dismissed by the media as a “tempest in a teapot” or simply “Trump supporter conspiracies” about “bare minimum, common sense moderation tools.”
For his part, Twitter founder Jack Dorsey offered only that it was a “tough day for us at Twitter” and that “we all feel terrible this happened.” The vulnerabilities to democracy exposed through this week’s breach go beyond a “tough day” for one company, however. They remind us just how dangerous it is for a single private entity to now act as publisher for the world's governments and media outlets. Twitter doesn’t just censor the president, it quite literally speaks for him. While we might have escaped this time with a few stolen bitcoins, if we do not change the status quo, the next time the casualty may be democracy itself.