Third-Party Twitter App Hacked by Turkish Activists to Post Messages

Attackers allegedly breach Twitter Counter, enabling them to post unauthorized messages on Twitter accounts around the world.

Hacker Breach

Twitter users around the world have been impacted by a hack perpetrated by Turkish activists early on Wednesday morning. The attack included the Turkish activist attackers posting swastikas along with messages supporting Turkish president Recep Tayyip Erdogan.

Among the high-profile Twitter accounts impacted by the attack were BBC North America, European Parliament, Amnesty International, Forbes, World Meteorological Organization and scores of others.

"We identified an issue affecting a small number of users," the official Twitter support account stated in a tweet. "Source was a 3rd party app and it has been resolved."

The 3rd party app that was abusing Twitter accounts is suspected to be Twitter Counter, which confirmed that its' service was hacked.

"We're aware that our service was hacked and have started an investigation into the matter," Twitter Counter stated in a twitter message. "We've already taken measures to contain such abuse."

Twitter Counter is a service that helps Twitter user to keep track of their follower numbers. The service also offers capabilities for users to help grow and manage Twitter followers. As part of the service, Twitter users grant Twitter Counter access to their Twitter account via an OAuth token that enables Twitter Counter to post messages on the user's behalf.

The attack against a third party provider is very different than a direct attack against Twitter itself. Back in February 2013, attackers took direct aim at Twitter and were able to compromise 50,000 user accounts before the social networking service was able to block the attack.

In a Twitter message, Twitter Counter emphasized that it doesn't actually store Twitter account passwords or any type of credit card information. To help limit risk, Twitter Counter blocked the ability to post Twitter messages.

While the early indication is that Twitter Counter is the root cause of the Turkish Twitter attack, there may yet be more to the story.

"The Twitter Counter application is blocked on Twitter," the Counter tweeted. "If this activity continues then we strongly believe it's not just through us."

Security experts contacted by eWEEK were not surprised by the latest Twitter attack.  Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defense solutions, noted that once again a third party has been used as an attack vector against a more robust system. Roberts suggests that two-factor authentication is needed to help limit risks and users need to ensure password complexity.

R.J. Gazarek, Product Manager at Thycotic, a Washington D.C. based provider of privileged account management solutions commented that in the modern connected world of infrastructure all it takes is one application to have a vulnerability to potentially bring down the entire ship.

"For this takeover specifically, Twitter should take a close look at applications that can post on behalf of the user, or provide unfettered access to the account," Gazarek told eWEEK. "I would look to Twitter to add some additional layers of security, that even if an application is compromised, there isn’t a way for someone to gain complete access to an account.  At the end of the day, the responsibility lands on Twitter."

Vikram Kapoor, co-founder and Chief Technology Officer at Lacework, a Mountain View, Calif. based provider of cloud security solutions also was not surprised by the new Twitter hack. He commented that it is common for third party applications to ask users for access to their social or email accounts and, unfortunately, most people allow it.

"Hackers exploit the weakest link in the security chain to get access to the account," Kapoor told eWEEK. "Social platforms, such as Twitter, need to ensure that the data centers of third parties in their ecosystem have the highest level security in place."

Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company commented that using a flaw in Twitter Counter to then gain access to accounts which live in Twitter absolutely follows an attack chain he would expect.  To help mitigate risk, he suggests that users need to review what applications are connected to a Twitter account.

"Make sure you are also reviewing your Twitter feed on a regular basis to ensure no tweets are being posted that you're not aware of," Wenzler told eWEEK. "Unusual messages are an immediate tell [that] someone has gotten control of your account. And, of course, be sure you use a strong, complex password for your account that isn't the same password that you use elsewhere and change it on a regular basis."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.