After hackers managed to take over a wave of high-profile accounts on Twitter by leveraging access to an internal tool, Senator Ron Wyden is highlighting that the social network has not implemented end-to-end encryption for direct messages, even though the company previously explored the idea.
"In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter's CEO Jack Dorsey. During that conversation, Mr. Dorsey told me the company was working on end-to-end encrypted direct messages. It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company's systems, and hackers who gain unauthorized access," Wyden said in a statement.
As Motherboard reported on Wednesday, an internal tool for Twitter workers was behind the spike of account hijackings. The tool allowed the people using it to change the email address linked to an account; the hackers could then request a password reset to the newly linked address and log in to the account that way.
End-to-end encryption means a message is encrypted on the sender's device and can only be decrypted by the intended recipient, so anyone who intercepts or stores the message along the way, including the service provider itself, cannot read its contents. How much that would have helped in an incident like Wednesday's depends on the implementation. Would Twitter hand the decryption keys to any device it believes belongs to the authorized user, for instance one that logged in after a password reset? Generally speaking, though, the move would give Twitter users more privacy over their communications.
Eva Galperin, director of cybersecurity at activist group the Electronic Frontier Foundation (EFF), tweeted on Wednesday, "Twitter wouldn't have to worry about the possibility that the attacker read, exfiltrated, or altered DMs right now if they had implemented e2e for DMs like EFF has been asking them to for years."
Galperin told Motherboard, "We asked for encrypted DMs as part of our Fix It Already campaign in 2018. They did not fix it."
"While it still isn't clear if the hackers behind yesterday's incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms. If hackers gained access to users' DMs, this breach could have a breathtaking impact, for years to come," Wyden added.
Twitter did not immediately respond to a request for comment.
Update: This piece has been updated to include more comment from Galperin.