
Twitter Digits

Twitter’s newest service, Digits, offers a glimpse into a world of “growth at any cost.” Or, as it is put forth on the developer site, “Growth, Simplified.”

Their insecure attempt to eliminate the password, moving to SMS as the primary, single-factor authentication method, endangers users of the Twitter application and all future developers (and their users) who integrate against Digits.

No longer is security dependent on something you know (like a strong password sent over SSL), and possibly something you have (like a two-factor token); access now depends entirely on the security of the carrier’s network, and the user’s security is in turn dependent on whether their government is able to introspect GSM traffic as it is sent across the wire.

Such man-in-the-middle attacks are not uncommon. As reported in The Guardian, the NSA collects millions of text messages daily. Should you become a target of NSA monitoring, all it takes is for the intercepting party to enter your phone number into a Digits login screen to gain access to your account.

Abroad, the security community has seen attempts at SMS introspection and monitoring by the likes of Egypt Telecom, Syria Telecom, and others.

US protesters are also at risk thanks to IMSI catchers like the Stingray device, a product that captures user details and text messages for local law enforcement. When law enforcement wants access to your account, they could go directly to your carrier instead of fighting with Twitter’s (usually strong) efforts to protect the security of your account.

You can watch this Black Hat video here, describing a similar and entirely possible attack against users that use Femtocells.

This change of heart is in strong contrast to prior efforts at Twitter to shift to a strong security model reliant on custom, public-key authentication, with SMS codes used only as a fallback for login (and only when accompanied by a previously known password, passed over SSL/TLS).
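To make the difference between the two models concrete, the following is an added example (not code from this post, and not Twitter's or Digits' implementation) that models both login flows against a single adversary: a party who knows only the victim's phone number but can read every SMS as it crosses the carrier's network. The phone number, password, and the `SmsChannel`, `AuthServer` and `simulate` names are constructed for illustration. Under the SMS-only flow the observer logs in; under the password-gated fallback flow the server never issues a code without the password, so there is nothing on the wire to intercept.

```python
import hashlib
import hmac
import secrets


class SmsChannel:
    """Simulated carrier SMS path. Every message handed to it is also
    recorded as 'intercepted', standing in for an observer on the
    carrier network, an IMSI catcher, or bulk SMS collection."""

    def __init__(self):
        self.delivered = {}     # phone -> last code the handset received
        self.intercepted = []   # (phone, code) pairs seen in transit

    def send(self, phone, code):
        self.delivered[phone] = code
        self.intercepted.append((phone, code))


class AuthServer:
    """Login service that always finishes with an SMS one-time code.
    require_password=True gates code issuance behind a password check
    (SMS as a fallback second step); False is SMS as the only factor."""

    def __init__(self, sms, require_password):
        self.sms = sms
        self.require_password = require_password
        self.accounts = {}   # phone -> (salt, pbkdf2 hash)
        self.pending = {}    # phone -> outstanding one-time code

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, phone, password):
        salt = secrets.token_bytes(16)
        self.accounts[phone] = (salt, self._hash(password, salt))

    def start_login(self, phone, password=None):
        """Return True if a one-time code was issued and sent by SMS."""
        if phone not in self.accounts:
            return False
        if self.require_password:
            salt, stored = self.accounts[phone]
            if password is None or not hmac.compare_digest(self._hash(password, salt), stored):
                return False          # no password, no SMS: nothing to intercept
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        self.sms.send(phone, code)
        return True

    def finish_login(self, phone, code):
        """Consume the outstanding code; constant-time compare, single use."""
        expected = self.pending.pop(phone, None)
        return expected is not None and hmac.compare_digest(expected, code)


def simulate(require_password):
    """Run one legitimate login and one network-observer attempt; report both."""
    sms = SmsChannel()
    server = AuthServer(sms, require_password)
    phone, password = "+15555550100", "correct horse battery staple"  # constructed
    server.register(phone, password)

    # Legitimate user: knows the password and holds the handset.
    server.start_login(phone, password)
    user_ok = server.finish_login(phone, sms.delivered[phone])

    # Network observer: knows only the phone number, sees SMS in transit.
    seen_before = len(sms.intercepted)
    server.start_login(phone)                      # no password offered
    new_messages = sms.intercepted[seen_before:]
    stolen_code = new_messages[-1][1] if new_messages else ""
    observer_ok = server.finish_login(phone, stolen_code)

    return {"user": user_ok, "interceptor": observer_ok}


if __name__ == "__main__":
    print("SMS as single factor:      ", simulate(require_password=False))
    print("SMS as password-gated step:", simulate(require_password=True))
```

The design point is the second branch of `start_login`: when the server refuses to issue a code until it has seen the password, the carrier network never carries anything an observer can replay, which is exactly what the SMS-as-fallback model preserved and the SMS-as-primary model gives up.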

This is a common mistake by companies: shifting from a strong security model to “growth at all costs.” It is flawed reasoning to conclude that the true obstacle to growth is the strength of their security, rather than issues with their product, marketing, or otherwise.

I urge developers to not support the Digits product until a stronger security model can be released publicly.

Full disclosure: I am still a stockholder in Twitter but no longer an employee there.

Update: I’ve had a few discussions with people at Twitter who say this probably will not be used for anything other than third-party apps. It’s still a slippery slope to put forth something supported on 1FA, and I wouldn’t have done it if I were still there.

Duncan and I get into a bit more detail on this Medium Post, “One Identifier isn’t Enough”.

This entry was posted on Wednesday, October 22nd, 2014 at 11:01 pm and is filed under security, twitter. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.


2 Responses to “Twitter Digits”

  1. Pedantic

    “No longer is security dependent on something you KNOW (like a strong password sent over SSL), and possibly something you HAVE like a two factor token…”

  2. John Adams

    I typed that blog post quite too quickly and made some basic mistakes. I blame my anger at the situation. Fixing.

