Thanks Twitter, but here’s everything that’s wrong with your two-factor authentication set-up

After much ado, Twitter finally rolled out two-factor authentication. The AP hack that gave Wall Street a good scare may have been the final straw; unfortunately, as much as you’d like this update to keep your account safe from hackers, there are more than a few reasons why it’s not going to solve the Twitter hacking problem.

Twitter doesn’t have the best track record when it comes to security, nor has Twitter proven to its users that security is top-priority (because it’s not). And unfortunately Twitter’s implementation of two-factor authentication is a joke – and it’s not the only security problem the network has.

SMS-to-browser system leaves loopholes for hackers

It’s great that Twitter is finally recognizing and admitting (in its own way) that its platform is vulnerable, but don’t believe for one second that your account is safe. Twitter is still just as easy to hack as it was before, and there really aren’t any significant hurdles that these hackers need to jump over even with two-factor authentication.

If you’re in disbelief, let me tell you that the Syrian Electronic Army isn’t impressed. “We expected more than that :),” SEA’s leader The Shadow says via email. So expect continued Twitter hijackings even with Twitter’s two-factor authentication.

Why? Well, the social network decided to go with an SMS-to-browser scheme: Twitter texts you a code and you type it into the browser. Anything typed into a browser can be captured and forwarded by a site impersonating Twitter, so the scheme falls to a real-time man-in-the-middle (phishing relay) attack. In fact this doesn’t even necessitate any major tweaks to existing hacking strategies.

So for an organization that first and foremost employs phishing attacks to gain access to accounts, is the Syrian Electronic Army sweating? Nope.

How to (easily) bypass Twitter’s two-factor authentication

A phishing attack starts off with a malicious email that looks exactly like what you might receive from Twitter. The email might inform you that your Twitter account has been compromised and ask you to reset your password, and many if not most unwitting users will click the link embedded in that email. Now two things can happen here. First, the link may drop malware such as a Trojan on your machine. The second is a man-in-the-middle attack: you land on a site that looks exactly like Twitter.com, and it asks you to reconfirm your account information, including your user name and password. Click “Submit” and you’ve just handed the “hackers” the keys to your account.

So how can anyone hack Twitter with two-factor authentication in play? The account info you’ve just entered is immediately typed into the real Twitter.com by the hacker. Since that is a valid login attempt for your account, Twitter sends the SMS with the one-time code to your phone exactly as it would for a genuine login, Toopher (a two-factor security service) CEO Josh Alexander explains.

At that point, since you’ve received a genuine SMS from Twitter, you’ll probably assume the account recovery process is legit and enter that one-time code into the fake Twitter site. Once that’s done you’ve lost control of your account. “It looks a lot like the real Twitter site,” Alexander says of the fake recovery site. “Now when you log in there, it transmits your credentials to the hacker. The hacker takes those credentials, they input them into the real Twitter site, and Twitter’s new technology will allow them to push a SMS to you with their one-time pin. The two-factor authentication then instructs you to enter that into the Twitter site to confirm. When you do that, you’re doing that at the fake Twitter site, and the hacker passes that pin to the real Twitter site. By that time, the hacker has full access to your account.”

There’s more than one way to hack Twitter

SMS spoofing

Now to make matters worse, if skilled hackers are in the mood to troll some users, Alexander adds that there are ways to intercept an SMS or even block the message from arriving. That approach is far harder: the attacker has to be near the target’s phone at the moment the message is sent. Given the difficulty, it’s admittedly not something Twitter needs to worry about.

What’s far more dangerous is discovering that your phone number is no longer associated with your account. F-Secure detailed an alternative it tested and confirmed: send Twitter an SMS containing the word “STOP” with the sender number spoofed to be the victim’s, and Twitter deactivates SMS two-factor authentication for that account. The sender number is the only thing tying that message to the account, so all the hacker needs to know is your phone number.

With two-factor authentication out of the way, a hacker can use a phishing attack as we described earlier to gain access without concerns about two-factor authentication.
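The spoofed “STOP” problem comes down to an inbound-SMS handler treating the carrier-reported sender number as proof of identity. The following is a constructed illustration, not Twitter’s code: a naive handler that unenrolls on any STOP, beside one that answers STOP with a challenge texted to the number on file, so an attacker who can forge the sender field but does not hold the handset never sees it. The phone number, account table and message wording are made up for the example.

```python
"""Constructed example (not Twitter's code) of why trusting the sender number of an
inbound SMS is dangerous, as in the spoofed "STOP" deactivation the article cites.
Phone numbers and the account table are made up."""
import secrets

ACCOUNTS = {"+15550100": "victim"}   # phone -> username with SMS 2FA enabled


class NaiveHandler:
    """Unbinds the phone as soon as a STOP arrives. The carrier-reported sender
    number is the only 'proof' of identity, and sender numbers can be spoofed."""

    def __init__(self):
        self.enrolled = dict(ACCOUNTS)

    def inbound(self, sender, body):
        if body.strip().upper() == "STOP" and sender in self.enrolled:
            del self.enrolled[sender]
            return "unenrolled"
        return "ignored"


class ChallengeHandler:
    """Treats STOP as a request, not a command: texts a fresh challenge to the number
    on file and only unenrolls when that challenge comes back. A spoofer who controls
    the sender field but not the handset never sees the challenge. A production
    handler would also expire the challenge and cap the number of attempts."""

    def __init__(self):
        self.enrolled = dict(ACCOUNTS)
        self.challenges = {}   # phone -> expected reply
        self.outbox = []       # (phone, text): stands in for the SMS gateway

    def inbound(self, sender, body):
        body = body.strip().upper()
        if sender not in self.enrolled:
            return "ignored"
        if body == "STOP":
            challenge = f"STOP {secrets.randbelow(10**6):06d}"
            self.challenges[sender] = challenge
            self.outbox.append((sender, f"To turn off login verification reply: {challenge}"))
            return "challenge_sent"
        expected = self.challenges.get(sender)
        if expected and secrets.compare_digest(body, expected):
            del self.enrolled[sender]
            del self.challenges[sender]
            return "unenrolled"
        return "ignored"


def spoofed_stop(handler_cls):
    """Attacker sends STOP with a forged sender field. They do not hold the handset,
    so any text the site sends to that number never reaches them."""
    handler = handler_cls()
    result = handler.inbound("+15550100", "STOP")
    return result, "+15550100" in handler.enrolled


def legitimate_stop():
    """The real owner sends STOP, reads the challenge on their phone and echoes it."""
    handler = ChallengeHandler()
    handler.inbound("+15550100", "stop")
    phone, text = handler.outbox[-1]
    reply = text.split("reply: ")[1]
    return handler.inbound(phone, reply), phone in handler.enrolled


if __name__ == "__main__":
    print("naive, spoofed:", spoofed_stop(NaiveHandler))          # ('unenrolled', False)
    print("challenge, spoofed:", spoofed_stop(ChallengeHandler))  # ('challenge_sent', True)
    print("challenge, owner:", legitimate_stop())                 # ('unenrolled', False)
```

The same principle applies to any account change triggered over SMS: a message from a number proves nothing, but a reply to a message sent to that number proves the sender can receive texts there.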

Unvalidated input

If hackers feel bold enough, they can attack Twitter.com directly through unvalidated input: feeding malicious data into the site to make it spit out information it shouldn’t, says Lev Lesokhin, senior VP at software quality analysis firm CAST. This class includes cross-site scripting, buffer overflows and SQL injection.

Lesokhin has spent years analyzing structural issues in the source code of websites and applications for CAST from a security, stability and performance standpoint, and he says that in the 500,000 lines of code these sites or applications have on average, CAST finds between 100 and 150 major exploitable issues.

“Most folks in the security community know that performance issues and stability issues are the same kind of issues that allow hackers to get in,” says Lesokhin. For instance, a DDoS floods a server with so many users and queries that the overwhelmed server starts returning raw error messages, and those messages can reveal details of the software behind the site that hackers use to map out a point of entry.
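To make the “unvalidated input” and “error messages leak information” points concrete, here is an added example that is not from the article or from Twitter: a login lookup built by pasting user input into a SQL statement, what an injected value does to it, how a database error echoed back to the client confirms the injection, and the parameterized form that fixes it. The in-memory users table is constructed for the example.

```python
"""Constructed example (not Twitter's code) of the "unchecked input" class the article
names: a SQL lookup built by string formatting, the rows an injected input returns,
the error message a malformed input leaks, and the parameterized form. The users
table is made up."""
import sqlite3


def make_db():
    """Tiny in-memory table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-a'), ('bob', 'hash-b')")
    return conn


def lookup_vulnerable(conn, name):
    """User input is pasted into the statement, so the attacker controls the query text."""
    sql = f"SELECT name, password_hash FROM users WHERE name = '{name}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Echoing the database error to the client is the "spit out information" the
        # article refers to: it confirms injection and reveals the query's shape.
        return [("error", str(exc))]


def lookup_parameterized(conn, name):
    """User input is bound as a value; the statement's structure is fixed."""
    return conn.execute(
        "SELECT name, password_hash FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice"))          # one row, as intended
    print(lookup_vulnerable(db, "' OR '1'='1"))    # every row: the WHERE clause was rewritten
    print(lookup_vulnerable(db, "'"))              # a database error, leaked to the caller
    print(lookup_parameterized(db, "' OR '1'='1")) # [] : the quote is just data
```

The hardened version is not “validation” in the sense of rejecting odd characters; it removes the attacker’s ability to change the statement at all, which is why parameterized queries are the fix of record for injection, and why errors should be logged server-side rather than returned to the client.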

Two-factor authentication is a hassle

While Twitter wouldn’t let us know how many users have added two-factor authentication, we’d guess that a higher percentage of users have ignored the option. You can’t blame them – typing a temporary code with every login is really a hassle.

“It really destroys the user experience now that you have to pull out your phone every single time you want to log in; you have to manually transcribe this code from your phone to the browser. You still have the same vulnerability to a man-in-the-middle attack as you did, now granted Twitter added an extra step, but it doesn’t make it any more difficult for the hacker to actually violate you,” says Alexander.

As for brands with multiple people managing one account, you’ll be hard pressed to find these users adopting this security measure, unless they’re potential or previous victims. The brands and publishers who are aptly using Twitter are largely doing so to get news out, and they want to do so in a timely, real-time, fast manner. A code that has to be relayed from whoever holds the phone to whoever is posting gets in the way of that.

There are more secure alternatives out there

The SMS channel isn’t the core issue. The problem is that Twitter requires users to type the code into the browser, where MitM (man-in-the-middle) and MitB (man-in-the-browser) attacks can capture and replay it. So it actually wouldn’t take much to make Twitter a lot more secure.

For instance, Twitter could ask users to approve a login by replying to the SMS. The reply goes from the phone straight to Twitter, so a fake site sitting between your browser and Twitter never sees it, which closes the relay described above. On its own it doesn’t stop a victim who has been primed by the phishing page from approving a login they didn’t start, which is why the message should spell out where the login attempt came from.

Or, if you’re really concerned about verifying your account over the SMS channel (since man-in-the-mobile attacks are getting more popular), Toopher’s security service offers push-notification and location-based authentication. To authenticate an access attempt you just respond to the push notification on your phone, and you only need to do that once per location: Toopher can grant access to a given site automatically depending on where you are. All you need is your phone in your pocket (turned on), so there’s no need to pull it out again if you’ve set up Toopher to allow Twitter access whenever you’re at your office or home.

We’re not saying that this is fool-proof – it’s not. But it’s far better than what Twitter put together.

Even simpler would be email notifications telling you which browser and location you’ve signed into Twitter from, a strategy Facebook uses, or an SMS prompt asking you to check and confirm the location and IP address of the sign-in.
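Here is an added simulation, not Twitter’s code and not from the article, of both halves of the argument: the phishing relay from “How to (easily) bypass Twitter’s two-factor authentication” against an SMS-code-to-browser login, and the reply-to-SMS confirmation with login context proposed just above. One site class supports both modes; the account, phone number, IP addresses and browser names are made up, and the `sms` dictionary stands in for the carrier.

```python
"""Constructed simulation (not Twitter's code) of the real-time phishing relay against
SMS-code-to-browser login, and of out-of-band SMS confirmation that shows the login's
context. Account names, phone numbers and IP/browser strings are made up."""
import hmac
import secrets


class Site:
    """Password login plus an SMS second step.

    mode="code":    text a code; the browser must type it back (Twitter's scheme).
    mode="confirm": text the login's context; the phone replies with the login id
                    to approve it (the reply-to-SMS scheme the article suggests)."""

    def __init__(self, mode):
        self.mode = mode
        self.users = {"victim": ("correct horse", "+15550100")}  # name -> (password, phone)
        self.pending = {}    # login_id -> (username, code)
        self.sessions = {}   # session token -> username
        self.sms = {}        # phone -> texts received; stands in for the carrier

    def login(self, username, password, context):
        """Step 1: password check. Texts the phone on file no matter who is logging in."""
        pw, phone = self.users.get(username, (None, None))
        if pw is None or not hmac.compare_digest(pw, password):
            return None
        login_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[login_id] = (username, code)
        if self.mode == "code":
            text = f"Your login code is {code}"
        else:
            text = f"Login {login_id} from {context}. Reply with the login id to approve."
        self.sms.setdefault(phone, []).append(text)
        return login_id

    def verify_code(self, login_id, code):
        """Step 2 (mode 'code'): whoever holds the browser session submits the code."""
        entry = self.pending.pop(login_id, None)
        if entry is None or not hmac.compare_digest(entry[1], code):
            return None
        return self._session(entry[0])

    def approve_by_sms(self, from_phone, reply):
        """Step 2 (mode 'confirm'): the phone replies directly to the site, never via a browser."""
        login_id = reply.strip()
        entry = self.pending.get(login_id)
        if entry is None or self.users[entry[0]][1] != from_phone:
            return None
        del self.pending[login_id]
        return self._session(entry[0])

    def _session(self, username):
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token


def relay_attack_against_code_mode():
    """Victim types credentials, then the texted code, into the attacker's look-alike page."""
    site = Site("code")
    # Attacker replays the phished credentials to the real site from their own browser.
    login_id = site.login("victim", "correct horse", context="203.0.113.9 / Firefox")
    # A genuine SMS lands on the victim's phone; the victim types the code into the fake
    # page; the attacker forwards it to the real site.
    code = site.sms["+15550100"][-1].split("code is ")[1]
    token = site.verify_code(login_id, code)
    return site.sessions.get(token)   # "victim": the attacker now holds the session


def relay_attack_against_confirm_mode(victim_checks_context):
    """Same phish, but the second step is an SMS reply. The fake page cannot relay the
    reply; the attack only works if the victim approves a login that is not theirs."""
    site = Site("confirm")
    login_id = site.login("victim", "correct horse", context="203.0.113.9 / Firefox")
    text = site.sms["+15550100"][-1]
    my_context = "198.51.100.4 / Chrome"   # what the victim is actually using
    if victim_checks_context and my_context not in text:
        return None                        # unfamiliar IP/browser: victim declines
    # A victim primed by the fake "account recovery" page replies as instructed.
    token = site.approve_by_sms("+15550100", login_id)
    return site.sessions.get(token)


if __name__ == "__main__":
    print("code mode, relayed:", relay_attack_against_code_mode())                       # victim
    print("confirm mode, blind approval:", relay_attack_against_confirm_mode(False))     # victim
    print("confirm mode, context checked:", relay_attack_against_confirm_mode(True))     # None
```

The point the simulation makes is that moving the second step out of the browser removes the relay, but the user still has to be given enough context to notice that the login they are approving came from somewhere else. That is what the IP-and-browser notification idea above adds, and it is a check a real implementation should not leave out.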

It’s not perfect, but it’s a start

Lesokhin says that not every site will be up to date with the latest security standards. Different companies reach goals at different paces. What these sites can do in the mean time is to make the job a lot harder for hackers and patch up any issues. Alexander and Lesokhin would agree that Twitter’s two-factor authentication system is the right start in the social network’s bid to become more secure.

But Twitter isn’t just motivated to figure out its security issues by recent attacks. Twitter has the Federal Trade Commission to answer to. The FTC finalized a settlement with Twitter over its “failure to safeguard personal information” in the wake of high-profile attacks in 2009 that included President Barack Obama’s account being compromised, among eight other accounts.

Coming out of that settlement, starting in 2011 Twitter became subject to a security audit every other year for 10 years.

To Twitter’s credit, whether or not the social network was “inspired” by the FTC, it announced in February of this year that it had adopted DMARC (Domain-based Message Authentication, Reporting and Conformance) to curb phishing. DMARC lets Twitter publish a policy telling receiving mail systems to reject or quarantine email that claims to come from twitter.com but fails the SPF or DKIM checks, so forged “from Twitter” phishing emails never reach the intended victims. It does nothing against look-alike domains or man-in-the-middle attacks on the website itself. Email providers including AOL, Gmail, Outlook and Yahoo! Mail honor DMARC policies.

Not only this, but Computer Weekly reports that Twitter is using open source automated security tools to detect issues in the code its engineers write. “The last bug is the best predictor of the next bug, so we wanted to understand why something happened to ensure it would not happen again, which is where automation is useful,” said Alex Smolen, a software engineer on Twitter’s product security team, at the Security Development Conference 2013.

While Twitter is the one currently on the hot seat, security isn’t only a problem for its platform. Facebook, Google and LinkedIn, among other companies, employ two-factor authentication systems that can be exploited with varying degrees of difficulty alongside other weaknesses. Still, Twitter is one of the most insecure sites right now, and you shouldn’t consider your account impenetrable because of the two-factor authentication update.

Francis Bea
Former Digital Trends Contributor