After Twitter Hack, Senator Asks Why DMs Aren't Encrypted

After hackers managed to take over a wave of high profile accounts on Twitter by leveraging access to an internal tool, Senator Ron Wyden is highlighting that the social network has not implemented end-to-encryption for direct messages, even though the company previously explored the idea. "In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter's CEO Jack Dorsey. During that conversation, Mr. Dorsey told me the company was working on end-to-end encrypted direct messages. It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company's systems, and hackers who gain unauthorized access," Wyden said in a statement.

READ ALSO:
Twitter ‘took over’ a user’s account and joked about reading their DMs

Do you work at Twitter? Do you know anything else about these account hijackings, or insider data abuse at other companies? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on [email protected], or email [email protected]

As Motherboard reported on Wednesday, an internal tool for Twitter workers was behind the spike of account hijackings. The tool allowed users to change the email address linked to an account; hackers could then request a password reset through the newly linked email and access accounts that way. End-to-end encryption is encryption where the content of a message is encrypted on a user's device so only the intended recipient can read it, meaning third parties intercepting the communications typically wouldn't be able to decipher the messages. It depends how the encryption would be implemented. Would Twitter encrypt the message on a device it believes only an authorized user is accessing? Generally speaking, though, the move would provide Twitter users with more privacy over their communications.

READ ALSO:
In an unprecedented move, Twitter gave a state university access to a student’s parody account after it complained that he was mocking the school

Tech

Hackers Convinced Twitter Employee to Help Them Hijack Accounts

Eva Galperin, director of cybersecurity at activist group the Electronic Frontier Foundation (EFF), tweeted on Wednesday, "Twitter wouldn't have to worry about the possibility that the attacker read, exfiltrated, or altered DMs right now if they had implemented e2e for DMs like EFF has been asking them to for years." Galperin told Motherboard, "We asked for encrypted DMs as part of our Fix It Already campaign in 2018. They did not fix it." "While it still isn't clear if the hackers behind yesterday's incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms. If hackers gained access to users' DMs, this breach could have a breathtaking impact, for years to come," Wyden added.

READ ALSO:
Snapchat Employees Abused Data Access to Spy on Users
Although Snap said it has several tools that the company uses to help with customer reports, comply with laws, and to enforce the network's terms and policies, employees have used data access processes for illegitimate reasons to spy on users, according to two former employees.

Twitter did not immediately respond to a request for comment.

Update: This piece has been updated to include more comment from Galperin.

Subscribe to our cybersecurity podcast, CYBER.

After Twitter Hack, Senator Asks Why DMs Aren't Encrypted

Hackers Convinced Twitter Employee to Help Them Hijack Accounts

Snapchat Employees Used Internal Tools to Spy on Users

Twitter is Testing End-to-End Encrypted Direct Messages

How Twitter Misused Personal Phone Numbers for Advertising

Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support