Episode 79: High Profile Twitter Accounts Compromised in Coordinated Attack


A number of high profile Twitter accounts including those of Elon Musk, Apple, Uber, Bill Gates, Joe Biden and others were compromised as a part of a coordinated bitcoin scam attack. The attack lasted a few hours and netted the attackers about $100,000 worth of bitcoin. We talk about how this attack could have possibly happened and lessons for businesses with remote workers accessing company systems.

We also talk about a vulnerability our Threat Intelligence team discovered in the All in One SEO Pack plugin used by over 2 million WordPress sites. This vulnerability could be used by a malicious contributor account to take over a WordPress site.

We also discuss SigRed: A 17-year-old ‘wormable’ vulnerability that could be used to hijack Windows servers, a vulnerability that could have severe ramifications for enterprise Windows networks. This vulnerability was patched on July 14.

And we take a look at some privacy concerns with the increasingly popular TikTok app and how Apple discovered TikTok spying on iPhone users.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
1:25 2 Million Users Affected by Vulnerability in All in One SEO Pack
4:00 High Profile Twitter Accounts Compromised in Coordinated Attack; comprehensive timeline of events
27:29 SigRed: A 17-year-old ‘wormable’ vulnerability for hijacking Microsoft Windows Servers
30:58 Apple Suddenly Catches TikTok Secretly Spying On Millions Of iPhone Users


Episode 79 Transcript

Kathy Zant:
Hi, everyone. Welcome to another episode of Think Like a Hacker, this is the podcast about WordPress security and innovation. We hope you’re having a great summer. We’ve been pretty busy here at Wordfence with a number of things, and I can’t wait to share them with you. If you are listening, you might want to head over to the blog because this has a video component today, because we have a somewhat breaking news story that we wanted to cover today. And Chloe Chamberland and Ram Gall are joining me on the podcast today to talk about one of the biggest security stories that has come out recently. And that is the hack, the widespread and coordinated attack, on a number of verified Twitter accounts that was announced yesterday and we saw the ramifications of that happening. Ram and Chloe, how are you guys doing today?

Chloe Chamberland:
I’m doing good.

Ram Gall:
I did not get hacked. So I’m doing pretty good. I mean, at least as far as I know.

Kathy:
As far as you know. Yeah, yeah. My account seems to be safe. I’m not asking anyone for any bitcoin, so things are looking good for all of us. But it looks like a number of high profile accounts did indeed have some interesting tweets posted, but we’ll get to that in a moment.

Kathy:
We have another story that is more WordPress related and I wanted to cover that quickly first, because that is some of our primary research that we’ve done here on our threat intelligence team. Chloe Chamberland, you found this vulnerability, didn’t you, in the All in One SEO Pack plugin. Tell us a little bit about what you found and what happened.

Chloe:
Yeah, so I basically found the contributor+ vulnerability. So it can only be exploited by users that have contributor level access or above. And it basically allows them to inject malicious JavaScript into the SEO title and description fields. And that JavaScript will later be executed once a victim browses to the All Posts page, or if they access the post directly, maybe previewing the post or just going to it directly.

Kathy:
Great. Yeah. And you did a proof of concept walkthrough of like how an attacker could possibly exploit this to basically take over an entire site, didn’t you?

Chloe:
Yes I did. So there’s all sorts of different things that you can do once you can put JavaScript on a site, but one of the most worrisome things would likely be that you can put administrator accounts on there or you can inject back doors, and that basically gives hackers a back way into your site and then they can escalate all the damage from there.

Kathy:
Yeah. Interesting. So definitely check out that blog post on the Wordfence blog. And there’s a video there that shows exactly how this could be used to take over an entire site. I know a lot of publishers that are using contributors and give people contributor-level accounts. And so if they were using this and a hacker knew of this vulnerability, they could definitely take advantage of that. But it’s patched now, right? In the latest version that came out?

Chloe:
Yes. I believe it’s 3.6.2.

Kathy:
Excellent. Great. So definitely check that out and thanks for all of that work, keeping WordPress users safe, that’s a 2 million install? Over 2 million?

Chloe:
Yes, it was.

Kathy:
So a lot of people. I keep seeing that getting retweeted from our blog posts that people are definitely spreading the word. So if you know if someone who’s using All in One [SEO Pack] or actually is using contributors, definitely send them that post and let them know to update so that they can keep themselves safe.

Kathy:
Okay. And now we should probably get into this huge story where high profile Twitter accounts were compromised in this coordinated attack. This happened on July 15th. We saw evidence of it happening in the afternoon, and basically they were posting to these high profile accounts like Elon Musk, Apple, Uber, Joe Biden’s account. Who else did we see get compromised with that? There were a few other very high profile accounts.

Ram:
We had Bill Gates.

Kathy:
Bill Gates, too?

Ram:
The Apple account, like the official Apple account. Kim Kardashian was the last account to post. And I think after that point, they actually managed to shut it down.

Kathy:
Yeah. We’ve seen interesting things happen with Twitter in the past, they did delete Donald Trump’s Twitter account. An administrator said that he had violated terms of service in 2017 and that had made some big news, but that was an actual Twitter administrator making that decision to delete that account. But we’ve never seen anything like this. And it does look like this was a coordinated attack for the purpose of spreading this Bitcoin scam.

Kathy:
Twitter stock actually took a bit of a dive after this event happened. And it really underscores how important Twitter has become to not just the conversation in society in America, but worldwide. So this really could have been manipulated for a much wider effort. Ram, you took a look at a website that basically elucidated the entire timeline of what had happened and when they saw these attacks happening. What did you find out?

Ram:
So it’s actually a crypto site, which I guess took an interest because this was a crypto scam. And the initial attacks were actually against crypto accounts. Relatively high profile crypto accounts, AngeloBTC, Binance, a number of other accounts that effectively are big in the cryptocurrency community. And initially it looked like they were pushing a malicious domain. From what I can understand, the original Bitcoin address that they asked to send money to was listed on that domain, though it’s entirely possible that there was also some sort of other exploit running on that site. They took it down since then. So there’s not really a way to know, and I haven’t seen it mentioned, but it would be doable. And then at some point about two and a half hours or a little after two hours after they started, they started hitting other high-profile accounts, starting with Elon Musk, Uber. Yes. A lot of very famous people.

Kathy:
And Elon Musk has been kind of used by this crypto scam for quite some time. I’ve been seeing this on Twitter for a while and other social media where people are posting accounts, it’s not Elon Musk’s account, but they’re saying, “Elon Musk, he’s doing this giveaway, if you send Bitcoin to this address, he’ll double it and send it back to you.” So he’s been used quite a bit, and we’ve seen with Bitcoin, you can research what is being transferred. So you can look at a Bitcoin address and see what has been transferred to that address. So you can kind of tell how successful these scams are.

Ram:
Yeah. If anyone ever asks you to send them money to a Bitcoin address, the first thing you should do is do a Google search, or your search engine of choice on that Bitcoin address. Because if it’s been used in scams and yes, bad actors do use multiple addresses, but they won’t switch them out that often. So if a Bitcoin address has been used in a scam in the past, you can do a search for that Bitcoin address and security organizations track these things. They’ll keep track of which Bitcoin addresses were used for scams. They’ll keep track of how much money was sent to them. Bitcoin is not as anonymous as a lot of people seem to think, certainly less traceable than say stock buying or selling, but you can definitely find some things about the people behind an attack by the Bitcoin addresses. In this case, for instance, even though they used a couple of different Bitcoin addresses, they noticed transactions between the Bitcoin addresses indicating that they were likely working together.

Kathy:
Gotcha. Okay. Now, does it look like an attack that… What do we think happened? What can you speculate based on the evidence that we have right now? Does it look like a Twitter administrator had done this? Or what do you think? What is the evidence telling us?

Ram:
So far, there’s been a reasonable amount of conjecture, and I believe Twitter has confirmed this, that an administrative panel was used and that one or more people with access to that panel were social engineered so that attackers could somehow use that panel to make these changes. Now, what kind of panel it was, what its capabilities were, that’s up for conjecture. A lot of large companies will just give relatively low-level customer service agents the ability to send password resets, or even in some cases change the email address that password resets go to or turn off two factor authentication. So it doesn’t necessarily mean that the Twitter employees were actively in on the scam.

Ram:
As Chloe was saying, you could socially engineer people into doing all sorts of things that they might not intend to do. And if you can gain access to, let’s say a relatively low level account that still has some permissions, just like with the All-in-One SEO pack thing, you can still do some major damage. So I think that’s called the principle of least privilege.

Kathy:
Yeah. Chloe, can you explain, first of all, let’s take it back a little bit and let’s talk about what is social engineering? Because we hear that term thrown about, and maybe we should just kind of make sure everybody understands what social engineering really entails.

Chloe:
Yeah. So it’s basically exploiting the trust relationship with another human and tricking another human into doing some sort of action. So for example, I can walk into a building and I can say that I’m the handyman, and I’m dressed up like a handyman and everything. And so you kind of have that trust with me that I’m a handyman.

Chloe:
And I tell you that I got called in because I need to go check on the wiring or something. And then you kind of trust me, because I have this outfit on and I look like I am who I say I am, but I’m not actually who I say I am. And you give me that access and I go in, and from that point forward, I have this access that I shouldn’t have had because I’ve exploited that trust with you by presenting myself as someone I’m not.

Kathy:
Exactly. And they’re usually doing something that seems somewhat innocuous, that it seems natural.

Chloe:
Yeah, exactly. And this can happen over the internet, so I could send you an email and I could spoof my email and pretend that I’m Bob, your neighbor, and I need your door code to get into your house, but I shouldn’t really need that, or your gate code because I dropped something on the side of your fence.

Chloe:
And then I get into your gate and I go on your back door, because you left it unlocked on accident, but I can pretend to be someone I’m not, and as an attacker, hopefully exploit that trust with you.

Kathy:
Interesting. So that could have been done to a Twitter customer service agent? And… “I’m Elon Musk. I need my account reset and my two factor authentication turned off.” So they could be pretending to be him and socially engineer a customer service rep?

Chloe:
Yeah. So I did some poking around, it looks like there’s a form on Twitter where you can contact them about getting your password reset. So that’s one possible way that they could have gotten in touch with someone and kind of escalated from there. Perhaps they got the email of some higher level, higher permissioned employees at Twitter. And they sent them an email exploiting a trust relationship of some sort with maybe an attachment.

Chloe:
And maybe they clicked on that attachment and it installed malware on their computers and kind of escalated from there. But it all starts with that social engineering attempt at the beginning. And once they exploit that trust, you can kind of escalate in so many different ways. And there’s so many different ways to get that initial trust gained. Especially if there’s not good enough security awareness training.

Kathy:
Got you. Okay. So security awareness. Ram, with the timeline that you saw, were there pauses between where these things were being posted to these accounts?

Ram:
Yes, actually there was a relatively long pause between the absolute first post and the next one after that. And then they all seemed to happen in rapid succession, which makes me think that maybe they had to establish some sort of proof of concept. And once they had established the proof of concept, they sort of had to decide on the strategy. It seemed like they were in kind of a hurry. It’s been mentioned that a vulnerability of this magnitude, [what] it would have been worth … so effectively, the attackers apparently made somewhere around a hundred thousand dollars off of this scam. The actual value of an exploit of this magnitude is worth millions on the black market. So it seems like they might’ve been in a hurry to monetize as quickly as possible before they were caught.

Kathy:
Got you. What they were doing was going to get figured out pretty quickly.

Ram:
Yeah.

Kathy:
Okay. All right. Interesting. I was going to ask about least privilege, and how would that protect against something like this, but go ahead and make your point.

Ram:
Oh no, I was just going to say that yes, least privilege could have possibly prevented this in some cases, but it might not have been enough. Because if the people targeted were people whose actual job was to help people reset their passwords and an attacker actually compromised their computer, then they could probably take remote control actions on that computer and use that access to make account changes just like Chloe was saying.

Kathy:
Okay. Yeah. And Chloe, what is the least privilege? Because you just wrote about that this morning with the All in One SEO plugin.

Chloe:
Yeah. So the principle of least privilege is basically giving users the least amount of privileges they need to do their job. So if a Twitter administrator needed to reset passwords, for example, they should be able to reset passwords, but maybe not also disable two factor authentication. So if we’re talking about this example, let’s say that the user that was compromised had access to, let’s say, Twitter’s database and passwords. They shouldn’t have this access, but let’s say in a scenario they did. Perhaps they have the ability to reset passwords, they have the ability to access the passwords. But in reality, all they really should be able to do is reset those passwords. So that principle of least privilege is making sure that they only have the privilege to reset the password, but not the privilege to access those passwords in a database directly. Does that kind of make sense?

Kathy:
Yeah. That makes sense. Definitely.

Ram:
Kind of like when you get a refund at the store, they have to have a manager type in the code to approve it.

Chloe:
Yeah, exactly.

Kathy:
Interesting. Okay. Yeah. So it sounds like something happened. And everybody is working at home now, right? So everybody with this whole COVID thing going on, we’re all kind of being forced into really learning how to work as a remote team. So you may have somebody who’s a customer service rep for Twitter, who has access to a system and they are working from home on a computer that they own, and their personal email may have access there and they might get phished from their personal, it might not even be a Twitter email account that gets phished, it might be their own personal account. But because you’re intermingling those personal computers with your work functionality, you are running sort of a risk, aren’t you there?

Chloe:
Oh yeah, for sure.

Kathy:
So what would you advise … so let’s say someone who is watching this is running a company and they have a distributed team that six months ago wasn’t a distributed team, but they’re forced into being a distributed team and, “Oh, just use your personal computer and just log in. Here’s how you log in.”

Kathy:
What advice would you give a CEO or a CTO or even an operations person, who’s got a team now that they’re managing that’s using personal devices, like their phones or personal computers? What advice would you give?

Chloe:
Yeah, so one thing I can think of right off the bat is make sure antivirus software is installed. If you get targeted by a phishing attempt and you click on something, because you accidentally did it, you accidentally trusted or whatever reason, if there’s not malware in the link or whatever, that antivirus can help protect you against it, and maybe block the download from happening. If you’re having people work on their personal devices, I would recommend maybe installing a virtual machine onto your computer directly so that maybe you can do your work stuff on your virtual machine. Then you log out of that virtual machine and whatever, when you’re done with the work day, and then continue on doing stuff on your personal computer. There are ways to escape a VM, but it’s more sound and secure than it would be to intermingle both your work and personal lives on a device.

Kathy:
Is there security training that you can do for employees?

Chloe:
Yeah, for sure, you should definitely be doing security awareness. Especially transitioning from being in an office to a working-at-home environment. You should go through that training again if you’ve already done it, or just start doing it at least now. Where we work, we do security awareness training and our Director of Information Security actually tests us, and recently, we all passed. So after repeated attempts, every now and then someone might click on the link or whatever. But as we keep learning about these phishing campaigns and how they happen, eventually we got to a point where nobody clicks on them. So awareness and training is very important to help educate users and your employees and everything to help keep you and your company assets safe.

Kathy:
Yeah. Phishing fire drills, right?

Ram:
One other thing I wanted to bring up, two other things actually, and that is to make sure that you or your employees keep their machines patched and up to date at all times. We’ll actually go into a problem that needed to be patched pretty quickly a little bit later, but a lot of exploits basically rely on unpatched vulnerabilities.

Ram:
So the chances of them getting exploited are a lot lower if you keep your machine patched. And as Chloe was saying, using a virtual machine, that is ideal. But even if not all of your employees are savvy enough to do that, using a separate browser for work and personal use, even that will help. Because that way, if they’re clicking a link in the browser they use for personal use, it won’t open that link in the browser that has an open session, maybe where you’re logged into a sensitive control panel area. Because a lot of those dangers happen because you’ll be logged into something sensitive in a certain browser. So if you do anything risky in a separate browser, you’re less likely to have cross contamination, basically.

Kathy:
Good point. Is phishing considered social engineering? Does it fall under that umbrella?

Ram:
Spear phishing does.

Kathy:
Spear phishing, yeah.

Kathy:
Define spear phishing.

Ram:
Chloe, you can take this one or I can, but it’s effectively a targeted phishing campaign, where you do some research about the person you’re targeting, find out who their boss is, so that you can maybe pretend to be their boss and send them an email. Find out what kind of documents their boss might ask for and send an email asking for, “Hey, I need this kind of document that your boss always asks for.”

Kathy:
So like phishing in general would just be the misspelling of Bank of America, and you’re getting an email that looks kind of like Bank of America, but there’s some fairly obvious things that are wrong there. Whereas a spear phishing attack is very, very targeted. They know things about you or your company or your boss or your coworkers that will sort of lull you into that sense of it being just a normal routine, everyday thing, and clicking on a link that does a very bad thing.

Ram:
Exactly.

Kathy:
Okay. I started on Twitter in like 2006, and I think some friends dragged me on there, hey, look at this new way to chat. It was not what it is today, but it has really evolved into something that is the go-to place for people to find out news about what’s going on in the world. A go-to place to find out what a particular political person might be saying about what direction your country might be going in. It is the place where people go to find out what their friends are up to. But really, the keys to understanding our world are in the hands of a few social media companies. And when something like this … I mean, it’s kind of ridiculous almost that this was a Bitcoin scam.

Ram:
Yeah.

Kathy:
I mean, if somebody had this kind of access to Twitter, they could do something like … I think we were joking earlier about pretending to log into some political person’s account in the United States, a senator’s, saying that we are declaring war on North Korea tomorrow at noon. And then having that be sort of like a North Korean hacker coming in and posting that. Hacking into one of these senators’ accounts and then using that as a pretense for some kind of physical war-like action, or banning the whole world from Pyongyang. Right? So-

Ram:
I think they already are, but.

Kathy:
We already are. But I mean, this has a lot of implications, not just to world politics, but the safety of our physical world as a whole, because of how popular opinion or beliefs of what people think to be true can be manipulated in this way.

Ram:
Misinformation is bad enough when it’s coming from John with nine numbers after their name. And it’s probably a bot. It’s much worse when it comes from someone with a trusted brand, especially since this targeted verified users. So there was already a degree of trust that this person is who they say they are, these are their real opinions. This is for real. And it could have been much worse.

Kathy:
It could have been. Yeah, we saw it was $100,000 in Bitcoin that actually changed hands. Was that the number we saw?

Ram:
A little bit more than that, maybe like 110, I don’t know what the final count was, but it was a relatively meager amount of money.

Kathy:
Considering what could have happened.

Ram:
It was probably less than many of the people who have access to those admin panels at Twitter make.

Kathy:
Probably, yeah. So there’s been some speculation that someone had actually paid a Twitter employee for this access. What do you think about that speculation?

Ram:
I think it’d be way too easy for them to get caught, for one thing. And also the amount of gain for that type of thing. I feel like anyone who’d actually planned for it, it seemed like they didn’t expect it to work. And I feel like if they actually had an inside source that they were bribing, they would have been more certain that it would work and they would have used it for something bigger.

Kathy:
Interesting. Interesting. Yeah. I think that’s an interesting observation that it doesn’t look like they thought it would work. So it’s like, “Okay, well how do we make money with this guys?”

Ram:
Yeah. What’s the fastest way we can get away with this before we get caught or before we get shut down.

Kathy:
Interesting. Well, we’re speculating a lot. Is there any other data that kind of points in a certain way that we haven’t talked about? Because I mean, eventually we’re going to figure it out. The news is going to come out. There’s usually always a post mortem with something of this nature, like the Twitter, or not Twitter, but Target hack that happened in 2013, where they found out that an HVAC, heating and air conditioning, laptop had gotten compromised. And after 19 days of having access to that, they eventually pivoted into the point of sale, cash registers at like over 800 Targets across the country.

Kathy:
And that was like obviously a huge monumental deal. But we didn’t find out that day what had happened. It took quite some time. So we’re going to probably have a post mortem on a hack of this nature, news will come out of what actually happened eventually. But right now it’s kind of like, we’re seeing some signs of what could have happened, but I guess we’ll have to wait and see, huh?

Ram:
That we will.

Kathy:
Yeah. But now you told me Ram, that there was a story bigger than Twitter.

Ram:
It’s probably not bigger than Twitter for like most of the people in the rest of the world, but I feel like for those of us in InfoSec, it is in a way bigger. It’s the SigRed exploit; effectively, it got a 10 CVSS score and it’s an issue in the Windows DNS server.

Kathy:
Interesting. This looks like a 17-year-old vulnerability that’s being used, and they think it might actually be used in the wild.

Ram:
Well, they did say that it’s wormable and there is some speculation that it may already have been used, at least by Check Point. At least if I’m reading their disclosure correctly, but the long and the short of it is that, all right, DNS, the domain name system, basically boils down to you ask a server, “Hey, I want to know where this domain name is. Can you give me its IP address?” And you can ask any computer running a DNS server that, and it’ll find out for you eventually.

Ram:
So basically the exploit was, if you, as an attacker, control an evil domain that returns a specific maliciously crafted record, you can ask one of these Windows DNS servers, “Hey, can you look up my evil domain for me and tell me what it says and where it’s hosted?” And if you craft the request just right, you can take over the computer that’s hosting that DNS server, the Windows computer. Then, since it’s effectively a high level process, it gives the attacker access to what’s called the domain controller or domain administrator. And at that point, the attacker would then have access to the entire corporate network connected to that machine.

Kathy:
Okay. So that’s definitely on a scale of 1 to 10, is a 10, or as you said earlier, possibly an 11.

Ram:
I’d call that 11. Like, I mean, it’s still, it’s on some level, it’s a buffer overflow exploit from what I can see. It doesn’t seem easy to do. And like initially it needed to be done from inside the network, but it looks like they may have found a way to exploit it from outside the network as well, which would make it an 11, I think. Since it gave them domain administrator capabilities.

Kathy:
Yeah. That is pretty scary. Now, this was patched on what, July 14th. So if you’re updating all of your Windows servers, you should be okay?

Ram:
Yes. It was patched on this past Patch Tuesday, please update right now.

Kathy:
Okay. So if you are forced by some force of nature to use Windows servers, make sure your Windows servers are updated in order to patch this very critical 11.

Ram:
I mean, it is hyperbole. There’ve been other big Windows exploits in the past. And I feel like this is probably on a similar level as them.

Kathy:
Yeah.

Ram:
Like the EternalBlue thing, and yeah.

Kathy:
Definitely important to update. All right. We wanted to cover one final story today. And this is a personal vendetta for me because TikTok is in my house because I have a child who likes TikTok and Forbes reported earlier this week that Apple has caught TikTok secretly spying on millions of iPhone users. They were caught capturing clipboard data in the past and they claim to stop doing so. But this article on Forbes showed a video where they were actually showing TikTok accessing information as it was being typed. Ram, you saw that video, too. What did you notice about that?

Ram:
So effectively, from what I understand about iOS, when they say clipboard data, that’s not just stuff you manually copy and paste. Because of the way predictive text works, I believe that’s literally everything you type, period.

Kathy:
Yeah.

Ram:
So.

Kathy:
Interesting. Yeah. Yeah, so that video was showing someone actually typing into a field and then a little toast was coming down.

Ram:
Yeah, they developed an app to test it.

Kathy:
Yeah. Okay. And so, and the release of the new clipboard warning in the beta version of iOS 14, that developers now have access to, it was showing that TikTok was actually accessing this. So obviously this is a privacy concern, but this is not the first time.

Ram:
What I was going to say is, yes effectively, it’s not just everything you type while you’re in TikTok, it’s everything you type while you’re in any app, which is kind of bad. And the worst part is they were caught doing something similar in the past and they said they would stop and they didn’t stop. They just changed how they did it.

Kathy:
Sneaky, but they’re not the first app to have done this, are they? They noticed-

Ram:
No. No, not at all.

Kathy:
LinkedIn was sued over allegations that it was secretly reading Apple users’ clipboard content. That was from an article that was in Reuters on July 10th, 2020. So they were actually sued for doing that, so that seems to be something that … when you just have something in a browser, right? I mean, I understand how internet technology works. So you have a browser and obviously you have cookies and there’s cross site tracking that’s happening in a lot of cases where people want to know about who’s visiting their sites, analytics. Google Analytics is tracking that type of information. There may be other types of things that they are using to measure heat maps on a website, things like that. But it’s kind of like within the context of what you’re doing there, but with these apps, because they are on these devices, they have a little more leeway. Don’t they? In terms of what they can do.

Ram:
Yes and no. If they’re actually respecting the device controls or the access controls, and if you’re actually careful when you install them, it’ll show you what they ask for permission to do. And if they don’t have any sneaky workarounds. One of the things that’s most troubling about the TikTok thing is that last time they got caught capturing clipboard data, it was because if you copy, say, a picture while using TikTok, you can then gain location access to that user’s phone. So they basically had, from that point on, location access for all the users, even if the users didn’t allow it.

Kathy:
Interesting.

Ram:
Another … this is not confirmed yet, but at least one person who has been reverse engineering the TikTok app has claimed to have found code, at least in the Android version of TikTok, that allows them to download, unzip, and execute arbitrary code. Effectively that would be a backdoor. Now they haven’t made any claims that it’s actively in use or that it’s even functional at the moment, but that would be very problematic if it were the case.

Kathy:
Gotcha. Interesting. So Chloe, what kind of advice would you give someone who has these types of applications on their phone? Obviously you want to get rid of the applications, but I mean should people be treating their phone as securely as they’re treating their personal computer? I mean a lot of times we’re accessing the same information from our devices as we are from our computers. But we are more concerned with the security on our computers than we are on our phones. Shouldn’t we be considering them equally?

Chloe:
Yeah, for sure. And what worries me the most about TikTok is there’s a lot of these kids out there using apps like that and sometimes parents don’t know. But if you do know your kid is using these, you should definitely take those security precautions to help make sure that their data is secure and their things aren’t getting exposed. And I think it’s very important to take the same level of security on your computers and all those devices and make sure you apply that same security to your phone and those same principles. And also make sure that you’re teaching that to your kids if you can and make sure that they stay secure online as well.

Kathy:
Huge point.

Chloe:
Yes. There’s a battle of wills in my household over the usage of TikTok at the moment, so. I won’t say those details.

Kathy:
I imagine.

Chloe:
I mean, that’s their social network. For a lot of us it’s Twitter or it’s Facebook. I mean, for my current … the WordPress community is all on Twitter and am I going to give up Twitter because of these hacks happening? Probably not, but.

Ram:
You use Twitter in a browser. Don’t you?

Kathy:
I do use Twitter in a browser. How’d you guess?

Ram:
I don’t know, but I do, too. On a separate device.

Kathy:
Yeah. Yeah. And then also on your phones a lot of time people have their personal apps. I mean I personally don’t like the Facebook app because when I did use it it was battery drain crazy. But my phone I use for work more than I do anything and so I have to be really sensitive because Slack is on there, all of our conversations. So I’m really judicious about the types of apps that I’m allowing on my phone and I go through them every once in a while and say, “Okay. Do I really need this? When was the last time I even [used this]?” I had the great idea that I was going to do intermittent fasting with this Zero app.

Ram:
I’ve used that one. I have totally used that one.

Kathy:
It’s pretty cool. Very simple, easy to use. But I’m not using it so do I need to keep it on my phone? Should I delete it?

Ram:
Yeah. And I mean, they mentioned LinkedIn got caught doing it, too. So it’s not just TikTok that’s doing it. They might be one of the worst offenders, but the amount of data they collect is not actually that unusual for a social media network. If there are any concerns, a lot of it is about how careful they are in handling the data. They didn’t use an encrypted connection to their API until very recently. They don’t encrypt the messages you send on it. They don’t allow two-factor authentication. A lot of it’s not just how much data they’re collecting, but the fact that they don’t seem to be very careful with your data.

Kathy:
That’s another thing. Everything you type into a social network, you’re typing into an interface whether it’s web or on a phone or whatever. But it’s going to be stored on somebody’s server somewhere and who knows how long they’re keeping it. I am so glad that when I went to college that there was no collection of what I was doing at the time. But I feel bad for people who are going through college now and crazy stuff that they’re doing and that’s all documented and it becomes a part of their permanent record. The Violent Femmes would be proud, which is how old I am.

Ram:
It’s alright. It’s alright. I would date myself by saying that the precursor to this Bitcoin scam was the old chain emails from Bill Gates talking about how he was planning on giving away his money back in the ’90s. Do you remember those?

Kathy:
Yes, I do. I remember those all too well and he never did give away any of that money on those chain letters.

Ram:
I know.

Kathy:
Geez. Thanks Bill Gates.

Ram:
Yeah.

Kathy:
Anyway. Okay. So thank you guys for joining on Think Like A Hacker. This was a lot of fun. Maybe I’ll rope you into doing this again sometime.

Ram:
Yeah, let’s do it again.

Chloe:
Yeah.

Kathy:
Yeah. Cool. I think it was a big story, obviously on top of mind for a lot of people of what this all means with the Twitter thing. TikTok, I know for a lot of parents is top of mind and I feel sorry for anybody running a Windows enterprise network with all these servers that have to patch to keep the 11 down to dial it back down to 0. Right? Spinal Tap dialing it down to 0 from 11. So thank you for joining Think Like A Hacker and we will be back again soon with more news in WordPress security and innovation. If you liked this and you’re on YouTube thumbs up, follow us, and subscribe to us. We will have office hours coming up again soon where we will be, I think, going over how to audit your site security. So that will be loads of fun. And we will have another Think Like A Hacker episode coming up very soon. Thanks for joining us.

Please give us a like or give us a review on Apple podcasts.

Follow @kathyzant, @ramuelgall, and @infosecchloe on Twitter. Follow Wordfence on your favorite social media: Instagram, Facebook, Twitter. Also, subscribe to the official Wordfence YouTube channel where we host Wordfence Office Hours on Tuesdays as well as post important proof of concept videos.
