Security expert says third-party apps are important but highly vulnerable
Twitter was hit with a major attack on Wednesday, with high-profile users and hundreds of accounts hacked to push a Turkish nationalist message. The same method of attack could be applied to much more than political rhetoric, a security expert explains.
The culprits in Wednesday’s hack used a third-party app to rapidly reach the accounts of any Twitter user connected to it. While third-party apps are very useful, their susceptibility to such attacks is a cause for significant concern. Online bank accounts could be similarly targeted, for example.
“Like most websites, Twitter uses the services of third-party companies to enhance their services; for example tracking and advertising,” says Hadar Blutrich, CEO of the Source Defense cyber security company.
“In truth, there is almost no way to monetize a website without using various third-party services. Unfortunately, since third-party code communicates with the page directly without the involvement of the site owner, the site actually has no control or even transparency over the third party’s actions.
“Because of this, when a hack occurs, it is very hard for the website to pinpoint the origin of the hack; if it is not a visual hack, it could be months before the hack is detected.”
Some hackers want to be noticed; some don’t
With the political attack perpetrated by Turkish nationalists, the intention was that the attack should be immediately and visually obvious. They wanted to insult certain European Union countries, particularly the Netherlands, on a widespread scale.
Shortly afterwards, a similarly motivated attack saw McDonald’s official Twitter account taken over to push messages against US President Donald Trump.
But in other cases, hackers may not want their victims to know what they’re up to.
“Clearly, [Wednesday’s] hack was an inconvenience to both Twitter and the publications whose accounts and feeds were violated by hate speech, but in truth, the destructive potential of hacks using third parties is much bigger than hate speech on a news feed,” Mr. Blutrich told TechDigg.
“Consider a hacker that uses a third party service but decides to do something bigger than just make a statement. What if the hacker had something else in mind, for example, to collect usernames, passwords, and personal information; how long could he have gone undetected doing that if he left no visual trace?”
Blutrich continued: “Now consider if you hack a service used not by social media but by an e-commerce site; a bit more troubling, don’t you agree? Consider a service used by multiple US banks? The average bank uses 6-30 third parties on the same page where you log into your account. Worried yet?”
A simple solution for fewer victims like Twitter?
The potential scope of third-party hacks is worrying, and so is the scale.
As Mr. Blutrich points out:
“A hacker managed to breach Twitter Counter, a service that monitors Twitter statistics; once he/she had access to their servers, they had access to every page viewed by any user on Twitter.
“Instead of having to hack the accounts of BBC, Reuters or Forbes, all he/she had to do was wait for them to use their Twitter accounts and simply tweet for them anything he/she felt like.
“Naturally, this is easier than trying to hack each account separately and having to deal with a quick password change by the compromised publication; with a third-party hack, changing the log-in credentials will simply not work, as the third party who is still on the page still has complete access to it.”
A major problem, then, but one which is not being effectively dealt with. Current methods, according to the security expert, are “ineffective at best or completely useless at worst.”
- Isolating tags inside iframes, which completely isolates them from the page. Unfortunately, most services need access to the page to work, so this method (though effective) is in constant decline.
- Data analysis reports: scanning your website from multiple locations to detect suspicious activity and alert the site owner. The issue here is that it is impossible to scan from every location and to simulate every user; and even if you could, this is still detection without prevention.
- Periodic code reviews: reviewing the third-party code before implementing it on your site (something Mr. Blutrich calls “completely useless; the service was hacked after you reviewed it and placed it on the page.”)
All of this is not to say that there is no hope, or that third-party services are nothing but trouble. They are, Mr. Blutrich notes, “essential to the Internet ecosystem.”
However, he suggests that a relatively simple solution, one his company is working on, involves using permissions “just like when installing an app on your phone” and “bringing it to the world of web.”
“Why not simply have a site decide what each third party can and cannot do on the page?” he concludes.
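To make the permission idea concrete, here is an added illustration (not code from the article, from Twitter, or from Source Defense) of what “the site decides what each third party can and cannot do on the page” could look like, and of why it gives prevention as well as the detection that the scanning approach above stops at. The page model, the vendor names, the policy format and the two vendor scripts are all constructed for this example; a real deployment would have to wrap the browser’s actual DOM and network APIs rather than a plain object.

```javascript
// Added example, not code from the article or from Source Defense: a toy
// "permissions for third-party scripts" layer. The site owner declares what
// each vendor may read and write on a simplified page model; vendor code only
// ever receives a Proxy that enforces that declaration and logs every attempt.

// Constructed page state standing in for the DOM of a login page.
const page = {
  title: "Example News Site",
  url: "https://news.example/login",   // constructed sample URL
  cookie: "session=abc123",            // constructed sample cookie
  username: "alice",                   // constructed form field values
  password: "hunter2",
  banner: "",                          // the one slot an ad vendor may fill
};

// Declared by the site owner, analogous to an app's permission manifest.
const policies = {
  "ads-vendor":       { read: ["title", "url"], write: ["banner"] },
  "analytics-vendor": { read: ["title", "url"], write: [] },
};

class PermissionDenied extends Error {
  constructor(vendor, op, key) {
    super(`${vendor}: ${op} of "${key}" is not permitted`);
    this.vendor = vendor; this.op = op; this.key = key;
  }
}

// Every access, allowed or not, is recorded here: this is the transparency
// the article says the site owner lacks today.
const auditLog = [];

function makeGuard(vendor, policy, target) {
  const record = (op, key, allowed) => auditLog.push({ vendor, op, key, allowed });
  return new Proxy(target, {
    get(obj, key) {
      if (typeof key !== "string") return undefined;   // ignore symbol lookups
      const allowed = policy.read.includes(key) || policy.write.includes(key);
      record("read", key, allowed);
      if (!allowed) throw new PermissionDenied(vendor, "read", key);
      return obj[key];
    },
    set(obj, key, value) {
      const allowed = policy.write.includes(key);
      record("write", key, allowed);
      if (!allowed) throw new PermissionDenied(vendor, "write", key);
      obj[key] = value;
      return true;
    },
    // Enumeration only reveals the keys the vendor is entitled to.
    ownKeys() { return [...policy.read, ...policy.write]; },
  });
}

// Runs one vendor's code against its guarded view and reports the outcome.
function runVendor(vendor, vendorCode) {
  const policy = policies[vendor];
  if (!policy) throw new Error(`no policy declared for ${vendor}`);
  try {
    vendorCode(makeGuard(vendor, policy, page));
    return { vendor, ok: true };
  } catch (err) {
    if (err instanceof PermissionDenied) {
      return { vendor, ok: false, op: err.op, denied: err.key };
    }
    throw err;   // a genuine bug in the vendor code, not a policy decision
  }
}

// Two constructed vendor scripts: one behaves; the other has been tampered
// with and now tries to read the login form, the scenario the article raises.
function honestAdScript(doc) {
  doc.banner = `Sponsored: thanks for reading "${doc.title}"`;
}
function tamperedAdScript(doc) {
  doc.banner = "Sponsored";
  // The first forbidden read throws, so nothing past this line executes.
  return { user: doc.username, pass: doc.password };
}

// Denied attempts for one vendor, as a site owner's dashboard would show them.
function deniedAttempts(vendor) {
  return auditLog
    .filter((e) => e.vendor === vendor && !e.allowed)
    .map((e) => `${e.op}:${e.key}`);
}

console.log(runVendor("ads-vendor", honestAdScript));        // ok: true
console.log(runVendor("ads-vendor", tamperedAdScript));      // denied read of "username"
console.log(runVendor("analytics-vendor", honestAdScript));  // denied write of "banner"
console.log(deniedAttempts("ads-vendor"));
```

The point of the design is that the decision sits with the page, not the vendor: the tampered script is stopped at its first forbidden read regardless of how the vendor’s servers were compromised, and the audit log records the attempt, so the site owner gets both prevention and a signal to investigate, which is exactly what the iframe and scanning approaches above each provide only half of.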