Twitter’s security: who’s got the keys?

IMAGE: Locks and keys - E. Dans (CC BY)

My first reaction when I saw the news about the Twitter hack earlier this month was: “these good people, in terms of security, are a disaster waiting to happen.”

And as more information about what happened emerges, it looks like I was right: it turns out that Twitter not only had tools that allowed its users’ accounts to be manipulated, but also that those tools were in the hands of no less than a thousand people in the organization. From this point of view, it is not surprising that the company has been trying to hire a Chief Information Security Officer (CISO) for months: no security professional in their right mind would want to work for a company like this!

When more than a thousand people have the keys to your front door, it’s safe to assume that at some point someone is going to let themselves in and do what they shouldn’t. It is impossible to maintain even minimally reasonable security practices when a thousand people have access to a tool that lets them take over any account. The analogy here is that Twitter is full of monkeys with machine guns.

What benefit does Twitter get from a tool that lets a thousand people update a user’s account? Obviously, when users breach the company’s terms of use, an administrator should be able to deactivate the account, block access or delete a post. So far, so good: if we are hacked, someone will be able to close some accounts or remove some tweets. But being able to post an update as if the user had written it is beyond imagination.
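The separation that paragraph argues for, as an added example that is not part of the original post and does not describe Twitter’s actual tool: a hypothetical support-tool authorization layer in Python in which the moderation actions (remove a post, lock or deactivate an account) exist, posting as the user is not a capability any role holds, deactivation needs a second person to sign off, and every attempt, allowed or denied, is written to an audit log. The role names, action names and the scenario are assumptions for illustration.

```python
"""Least-privilege authorization for a hypothetical support tool.

Added illustration, not Twitter's code. Role matrix, action names and the
scenario below are assumptions made for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple


class Action(Enum):
    REMOVE_POST = "remove_post"
    LOCK_ACCOUNT = "lock_account"
    DEACTIVATE_ACCOUNT = "deactivate_account"
    POST_AS_USER = "post_as_user"  # named only so the matrix can be audited for it


# Hypothetical role matrix. No role is ever granted POST_AS_USER.
ROLE_PERMISSIONS = {
    "support_agent": {Action.REMOVE_POST, Action.LOCK_ACCOUNT},
    "trust_and_safety": {Action.REMOVE_POST, Action.LOCK_ACCOUNT,
                         Action.DEACTIVATE_ACCOUNT},
}

# Destructive actions need a second, different person to sign off (four-eyes rule).
REQUIRES_APPROVER = {Action.DEACTIVATE_ACCOUNT}


@dataclass
class Request:
    actor: str
    role: str
    action: Action
    target_account: str
    ticket_id: str                  # incident/ticket the action is tied to
    approver: Optional[str] = None  # second person for REQUIRES_APPROVER actions


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, req: Request, allowed: bool, reason: str) -> None:
        # Denied attempts are recorded too: they are the signal that someone
        # is probing the tool beyond what their role allows.
        self.entries.append({
            "actor": req.actor, "role": req.role, "action": req.action.value,
            "target": req.target_account, "ticket": req.ticket_id,
            "approver": req.approver, "allowed": allowed, "reason": reason,
        })


def roles_holding(action: Action) -> list:
    """Roles able to perform an action; use it to audit the matrix itself."""
    return sorted(r for r, perms in ROLE_PERMISSIONS.items() if action in perms)


def _decide(req: Request) -> Tuple[bool, str]:
    perms = ROLE_PERMISSIONS.get(req.role)
    if perms is None:
        return False, "unknown role"
    if req.action not in perms:
        return False, f"role {req.role} lacks {req.action.value}"
    if not req.ticket_id.strip():
        return False, "no ticket reference"
    if req.action in REQUIRES_APPROVER:
        if req.approver is None:
            return False, "second approver required"
        if req.approver == req.actor:
            return False, "approver must differ from actor"
    return True, "allowed"


def authorize(req: Request, log: AuditLog) -> Tuple[bool, str]:
    """Decide one support-tool request; every decision is logged."""
    allowed, reason = _decide(req)
    log.record(req, allowed, reason)
    return allowed, reason


if __name__ == "__main__":
    log = AuditLog()
    # Constructed scenario: an agent handles a report, then tries to overreach.
    authorize(Request("alice", "support_agent", Action.REMOVE_POST, "@example", "T-100"), log)
    authorize(Request("alice", "support_agent", Action.POST_AS_USER, "@example", "T-100"), log)
    authorize(Request("bob", "trust_and_safety", Action.DEACTIVATE_ACCOUNT, "@example", "T-101"), log)
    authorize(Request("bob", "trust_and_safety", Action.DEACTIVATE_ACCOUNT, "@example", "T-101",
                      approver="carol"), log)
    print("roles able to post as a user:", roles_holding(Action.POST_AS_USER))
    for entry in log.entries:
        print(entry)
```

The ticket reference is deliberately not treated as a sufficient control on its own: as the post notes, staff can simply make up an incident. The controls that survive a fabricated ticket are the absence of the capability from every role, the second approver on destructive actions, and an audit log that records denials as well as approvals so that probing can be spotted.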

What then happened is that some of those thousand or so employees made up incidents in order to access the accounts of some of their idols. It’s not much of a step from that to a hack that has destroyed Twitter’s credibility. I have truly loved Twitter since its very inception, and that makes all this hurt even more.

This latest hack shows what happens when an organization completely neglects its security practices. In fact, the company was extremely fortunate that those who set out to access these accounts were not professionals, but mere amateurs, because everything from the hack itself to the company’s reactions shows how disastrous the situation was.

That more than a thousand people have access to a management tool that should never have been created in the first place shows that Twitter has no idea what is going on in the company. The least we as users can expect is that the senior management knows who has access to our accounts. Otherwise, when something goes wrong, nobody knows what to do, as was woefully shown earlier this month. And the problem, in this case, is not so much the personal information of its users, of which Twitter has very little, but their public image.

If you have a Twitter account and think hard about what you tweet, if your image depends on it, or if it is a corporate account, then you might as well start thinking what you’re going to do when this happens again, which it will. A company doesn’t change its security culture overnight. Twitter’s security is a danger. Now we know the full extent of that danger.


(In Spanish, here)
