blog
July 25,
2020
Twitter got hacked. Could SSI prevent it?
Cybercrime is on the rise. This time, the hackers got access to internal tools of Twitter and compromised high-profile and corporate Twitter accounts. Twitter reported that the attackers targeted 130 accounts, including those of Joe Biden, Elon Musk, Bill Gates, Barack Obama and accounts of Uber and Apple (see Financial Times, BBC and CNBC).
Twitter has shed some light on the attack by tweeting that hackers compromised their internal systems. The hack has revealed that one can tweet on behalf of another individual without even knowing their password. Why is this so alarming? The ability to control accounts and publish content on behalf of another individual can have severe consequences, and a similar attack could happen to any social media or online blog/news service.
In the diagram below, we demonstrate how Mallory (hacker) tweeted from Alice’s account and thus tricked Bob into sending him a Bitcoin:
Could we prevent this?
Yes, if Alice had the possibility to digitally sign her tweets, and thus protect the integrity of her content. This way, even if Bob would receive a malicious tweet, he could quickly verify that the tweet is not signed by Alice and would have never sent that 1 BTC to Mallory.
Self-sovereign identity (SSI) is a perfect fit for solving this issue, as the solution enables users to fully control their electronic identity, request/exchange verifiable credentials, sign electronic documents, authenticate, etc.
Let us show you how SSI could help out Twitter:
A Twitter Mobile App featuring SSI would require all users of this social network (Alice, Bob and even Mallory) to create self-sovereign identities, register them in one of the publicly-available SSI registries (DID registry) and then link their SSIs with Twitter accounts.
In this case, Alice would have her private key stored securely on her device, so she could use it every time she wanted to sign her Tweets before publishing them on Twitter. Bob’s Twitter App with built-in SSI support would then verify the signature and confirm that the Tweet really comes from Alice. If the hacker Mallory wanted to scam Bob by sending a Tweet from Alice’s account using Tweeter’s internal tool, she wouldn’t be successful! She could still send him the Tweet, but Bob’s SSI App would spot right-away that the Tweet is either unsigned or worse, not signed by Alice. Thus Bob would have never given away that 1 BTC to Mallory.
We believe that the implementation of emerging technologies and concepts like SSI can help build and use better and safer digital ecosystems, offering us higher levels of trust, transparency, security and interoperability.
Let’s see if we will build the Twitter of tomorrow together, to make sure this never happens again:
Tough day for us at Twitter. We all feel terrible this happened.
— jack (@jack) July 16, 2020
We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.
💙 to our teammates working hard to make this right.
Learn more about us
AceBlock is a blockchain technology framework which enables companies to develop innovative solutions on top of our modular infrastructure. One of its critical ready-made building blocks is AceID, with which any holder can present verifiable credentials everywhere online.
AceID is based on a concept of an SSI (Self-Sovereign-Identity) which promotes that digital identity becomes a right for every individual. Because it is portable, it allows online privacy and free movement between different web providers or services from one point, which is possible only when the individual becomes the owner of the data.
Give it a try and contact us at [email protected] for more.