Twitter has shed some light on the attack by tweeting that hackers compromised their internal systems. The hack has revealed that one can tweet on behalf of another individual without even knowing their password. Why is this so alarming? The ability to control accounts and publish content on behalf of another individual can have severe consequences, and a similar attack could happen to any social media or online blog/news service.
In the diagram below, we demonstrate how Mallory (the hacker) tweeted from Alice’s account and thus tricked Bob into sending her a Bitcoin:
A Twitter Mobile App featuring SSI would require all users of the social network (Alice, Bob and even Mallory) to create self-sovereign identities, register them in one of the publicly available SSI registries (DID registries) and then link their SSIs with their Twitter accounts.
In this case, Alice would have her private key stored securely on her device, so she could use it to sign every Tweet before publishing it on Twitter. Bob’s Twitter App with built-in SSI support would then verify the signature and confirm that the Tweet really comes from Alice. If the hacker Mallory wanted to scam Bob by sending a Tweet from Alice’s account using Twitter’s internal tool, she wouldn’t be successful! She could still send him the Tweet, but Bob’s SSI App would spot right away that the Tweet is either unsigned or, worse, not signed by Alice. Thus Bob would never have given away that 1 BTC to Mallory.
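As an added example (not part of the original post or of any Twitter or AceBlock code), here is how Bob’s SSI-aware client could perform the check described above, in Go with Ed25519. The DIDs, the in-memory registry map standing in for a public DID registry, and the tweet texts are constructed for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Tweet as Bob's client receives it: claimed author DID, text, optional signature.
type Tweet struct {
	AuthorDID string
	Text      string
	Sig       []byte
}

// signingInput binds the author's DID to the text, so a valid signature
// cannot be re-attached to a tweet that claims a different author.
func signingInput(did, text string) []byte {
	return []byte(did + "\n" + text)
}

// SignTweet runs on Alice's device with her locally held private key.
func SignTweet(priv ed25519.PrivateKey, did, text string) Tweet {
	return Tweet{AuthorDID: did, Text: text, Sig: ed25519.Sign(priv, signingInput(did, text))}
}

// VerifyTweet is Bob's check; reg maps DID -> registered verification key.
func VerifyTweet(reg map[string]ed25519.PublicKey, t Tweet) string {
	pub, ok := reg[t.AuthorDID]
	switch {
	case !ok:
		return "unknown-author"
	case len(t.Sig) == 0:
		return "unsigned"
	case !ed25519.Verify(pub, signingInput(t.AuthorDID, t.Text), t.Sig):
		return "bad-signature"
	}
	return "verified"
}

// Scenario returns Bob's verdicts on Alice's genuine tweet, an unsigned tweet posted from
// her account via the internal tool, and one Mallory signed with her own key. DIDs are constructed.
func Scenario() (genuine, unsigned, forged string) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malloryPub, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := map[string]ed25519.PublicKey{"did:example:alice": alicePub, "did:example:mallory": malloryPub}
	genuine = VerifyTweet(reg, SignTweet(alicePriv, "did:example:alice", "Hi Bob!"))
	unsigned = VerifyTweet(reg, Tweet{AuthorDID: "did:example:alice", Text: "Send me 1 BTC"})
	forged = VerifyTweet(reg, SignTweet(malloryPriv, "did:example:alice", "Send me 1 BTC"))
	return genuine, unsigned, forged
}
```

Only the first tweet verifies; the other two are exactly the cases Bob’s app would flag regardless of which account Twitter says they came from.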
We believe that the implementation of emerging technologies and concepts like SSI can help build and use better and safer digital ecosystems, offering us higher levels of trust, transparency, security and interoperability.
Let’s see if we will build the Twitter of tomorrow together, to make sure this never happens again:
Tough day for us at Twitter. We all feel terrible this happened.
We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.
💙 to our teammates working hard to make this right.
— jack (@jack) July 16, 2020
AceBlock is a blockchain technology framework which enables companies to develop innovative solutions on top of our modular infrastructure. One of its critical ready-made building blocks is AceID, with which any holder can present verifiable credentials everywhere online.
AceID is based on the concept of Self-Sovereign Identity (SSI), which holds that a digital identity should be a right of every individual. Because an SSI is portable, it enables online privacy and free movement between different web providers or services from a single point, which is possible only when the individual owns their own data.
Give it a try and contact us at [email protected] for more.