Senator Ron Wyden has today pointed out that Twitter is yet to implement end-to-end encryption for direct messages (DMs). His comments come a day after high profile accounts were hacked through an internal tool.
“In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter’s CEO Jack Dorsey. During that conversation, Mr. Dorsey told me the company was working on end-to-end encrypted direct messages…It’s been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access,” said Sen. Wyden in a statement.
On Wednesday, multiple high-profile accounts, including those of Bill Gates, Elon Musk, Joe Biden, Barack Obama, Apple, and Uber, were hacked. The hackers who took over the accounts tweeted cryptocurrencies scams.
According to security researcher Brian Krebs, an employee granted the attackers access to an internal tool used by Twitter employees. Armed with the internal tool, the hackers changed the email address associated with an account, request a password change (which was sent to the newly-linked email), and gain access to the accounts.
Electronic Frontier Foundation, a digital privacy activist group, has also been on Twitter’s case regarding end-to-end encryption for DMs. “When you send a direct message on Twitter, there are three parties who can read that message: you, the user you sent it to, and Twitter itself. One of those is obviously unnecessary. Twitter could fix this by making its DMs use end-to-end encryption,” they said.
End-to-end encryption technology ensures that only the intended recipient reads a message by encrypting a message to a user’s device. Ideally, a third party should not be able to decipher the messages.
Dedicated messenger apps such as WhatsApp and Telegram use end-to-end encryption. The implementation on these apps is more straightforward than is the case with social media platforms. A possible scenario would be for Twitter to encrypt the messages to a device they believe to be accessed by the user only. Whichever way they implement end-to-end encryption, the bottom line is it would ensure that attacks do not compromise DMs.
The hackers behind the attack on Wednesday may or may not have accessed DMs. But, if they did, this might not be the last time we write about this attack.
“While it still isn’t clear if the hackers behind yesterday’s incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms. If hackers gained access to users’ DMs, this breach could have a breathtaking impact, for years to come,” Sen. Wyden explained.