We at NortonLifeLock Labs are committed to keeping consumers safe online and helping them make wise decisions about
their security, identity and privacy. Therefore, we take the integrity of information shared online incredibly seriously
– especially now that we are headed towards an election. As part of our efforts in this space, we are focusing our
research on activities that prey on people and exploit the difficulty of assessing the legitimacy of information online,
including detecting scams and disinformation networks. To that end, we recently released BotSight, a tool that can
detect certain types of social bots and show those findings inline to Twitter users.
Last Wednesday, the Twitter accounts of numerous high-profile politicians, billionaires, and other notable figures were
taken over by attackers to fraudulently solicit Bitcoin from their followers.
While the details of precisely how the attack was carried out are still a little murky, it is clear that the attackers
managed to net a little over $118,000 for an attack lasting a few hours.
More interesting than the specifics of this attack are the vulnerabilities in the social media ecosystem that it
exposed: we trust (perhaps too much) the authenticity of the messages on social platforms, especially from accounts of
famous individuals, likely assuming that such accounts would be highly secured and “impenetrable”. Reality has however
demonstrated that we should always consume online content with great caution.
Imagine if this hack had taken place on November 3, 2020, during the US election. Imagine if the attacker, during prime
polling hours at 5 PM, had taken over Joe Biden’s account and tweeted that he had conceded to President Trump, and asked
his supporters not to cast any more ballots. Imagine if Governor Gretchen Whitmer of Michigan tweeted that polling
places were unsafe in the Detroit metro area and people should avoid them until further notice. Imagine if the official
Twitter account for the Philadelphia Police Department had tweeted there was a bomb threat at some polling location.
For this week’s attack, 2 hours to fix the problem may seem very fast. But on election day, 2 hours of disinformation
could seem like an eternity. This attack underscores the very real danger of social media and its potential impact on
democracy. And this scenario is not unique to Twitter – next time it might be Facebook or Instagram. All social media
companies are vulnerable; or, in fact, it is we who are vulnerable, and social media is just the platform.
Regardless of whether the attack was a result of malicious insiders, or of insiders being compromised through phishing,
this raises the question of how and why we trust the contents of a Tweet. Can anyone inside Twitter create a new Tweet
on behalf of a high-profile account? And how do we defend not just the person who posted the Tweet, but the people
Some possible solutions would be to develop stronger authenticity guarantees around Tweets (1), have Twitter flag
certain accounts as possibly hacked and alert the public while they investigate, and educate the public about these
types of threats.
In the Tweet below, Twitter displays the device used to post the Tweet (Twitter Web App). However, it doesn’t check
whether this device, in fact, belongs to Jeff Bezos. Twitter can borrow a technique from cryptography called “digital
signing” to fix this. This technique, if implemented carefully, would allow each user to mathematically prove that a
Tweet was sent from their own device, and would make forging Tweets much more difficult. Each device, when registered,
would generate a key pair inside the device’s protected trusted enclave: a secret signing key that never leaves the
enclave, and a matching public verification key. The public key would be stored by Twitter in a special append-only
structure, called a ledger, for the world to see – but since the public key is random-looking data that reveals nothing
about its owner beyond the fact that the account has a registered device, this would not violate a user’s privacy. The
signing key would be used to sign all the Tweets a person sends, automatically, inside the Twitter app. When you see a
signed Tweet, your Twitter app could then automatically check the Tweet’s authenticity by verifying that the signature
is valid under a public key that exists on the ledger and belongs to the same person that created the
While this has a few downsides, like not allowing Tweeting from a random web browser, it might make sense to implement
for a few accounts of special significance, like public figures or users with massive followings (2).
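The scheme described above (and the per-device-key idea in footnote 1), as an added example that is not part of the original post and not Twitter’s code: a Go sketch in which each device generates an Ed25519 key pair, publishes only the public key to a Twitter-side key log, signs every Tweet on the device, and any reader’s client verifies the Tweet against the logged key. The account name “@example”, the device ID “phone-1”, the `KeyLog` type and the canonical signed-message format are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// LogEntry is one device-key registration in the public key log (the article's
// "ledger"). Only the public key is ever published.
type LogEntry struct {
	Account, Device string
	PubKey          ed25519.PublicKey
}

// KeyLog is the append-only list of registered device public keys. A real
// deployment would make it tamper-evident (hash-chained, like Certificate
// Transparency); this version is just a slice.
type KeyLog struct{ entries []LogEntry }

// Append publishes a public key for (account, device).
func (l *KeyLog) Append(account, device string, pub ed25519.PublicKey) {
	l.entries = append(l.entries, LogEntry{account, device, pub})
}

// Lookup returns the registered public key for (account, device), if any.
func (l *KeyLog) Lookup(account, device string) (ed25519.PublicKey, bool) {
	for _, e := range l.entries {
		if e.Account == account && e.Device == device {
			return e.PubKey, true
		}
	}
	return nil, false
}

// Device stands in for a registered phone. The private key is generated on the
// device and never leaves it (a real app would keep it in the secure enclave;
// here it is simply an unexported field).
type Device struct {
	Account, ID string
	priv        ed25519.PrivateKey
}

// Register creates the device key pair and publishes only the public half.
func Register(l *KeyLog, account, deviceID string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	l.Append(account, deviceID, pub)
	return &Device{Account: account, ID: deviceID, priv: priv}, nil
}

// SignedTweet is what Twitter would store and serve alongside the text.
type SignedTweet struct {
	Account, Device, Text string
	Sig                   []byte
}

// tweetBytes is the canonical message that gets signed. Binding the account and
// device ID into it stops a genuine signature being replayed under another account.
func tweetBytes(account, device, text string) []byte {
	return []byte(account + "\x00" + device + "\x00" + text)
}

// Sign is what the app would do automatically for every Tweet.
func (d *Device) Sign(text string) SignedTweet {
	return SignedTweet{d.Account, d.ID, text, ed25519.Sign(d.priv, tweetBytes(d.Account, d.ID, text))}
}

// Verify is the reader-side check: find the device key in the public log, then
// verify the signature over the Tweet.
func Verify(l *KeyLog, t SignedTweet) error {
	pub, ok := l.Lookup(t.Account, t.Device)
	if !ok {
		return errors.New("no key registered for this account and device")
	}
	if !ed25519.Verify(pub, tweetBytes(t.Account, t.Device, t.Text), t.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	keyLog := &KeyLog{}
	phone, err := Register(keyLog, "@example", "phone-1") // constructed sample account
	if err != nil {
		panic(err)
	}
	genuine := phone.Sign("Good morning")
	fmt.Println("genuine:", Verify(keyLog, genuine))

	// An insider with database access can insert a Tweet record under the account,
	// but cannot produce a signature without the device's private key.
	forged := SignedTweet{Account: "@example", Device: "phone-1", Text: "Send me BTC"}
	fmt.Println("forged:", Verify(keyLog, forged))

	// Editing the text of a genuine Tweet invalidates its signature as well.
	tampered := genuine
	tampered.Text = "Send me BTC"
	fmt.Println("tampered:", Verify(keyLog, tampered))
}
```

Two caveats a practitioner would add before deploying anything like this. A valid signature proves only that the registered device’s key signed the text, so a stolen phone or a compromised app session still produces “authentic” Tweets; the log therefore needs a revocation path, and registering a new device for an account should itself require approval from an existing device, otherwise an insider who can write to the log can simply register their own key. The log must also be tamper-evident and publicly auditable, or the same insider could swap the public key out from under the verifier.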
Second (and more easily), Twitter could create an annotation on an account that it believes might have been compromised,
which would take special privileges to set and remove. This annotation would be displayed to all users viewing any of
that account’s Tweets, notifying them that the messages stemming from that account might not be authentic. This would be
a more effective strategy than just repeatedly taking down offending Tweets.
Finally, we all have to be wary since there is only so much the social media companies can do to protect us from
misinformation. We must understand that there is a significant possibility this, or something like it, will happen
again. Because the next time an attack of this scale happens, the consequences might not be $118,000 of stolen Bitcoin,
but an election.
While some tools, like NortonLifeLock Labs’s BotSight, are capable of detecting certain types of social bots, it’s
ultimately up to each of us to be critical of the information we read and to determine whether it is real or fake.
As the election looms closer, we all need to be aware that in the information war, the real targets are not Twitter, or
Facebook, or Google. The real targets are us.
1. Emails can be signed using a per-device key, whose public half is checked against a public, append-only log of known
keys (a blockchain is one way to build such a log). Tweets can be equipped with the same security.
2. Even for the case of a random browser, you could use an existing device to automatically communicate with Twitter and
sign the Tweet with the owner’s permission. This would be a little difficult to do correctly but might be the correct
NortonLifeLock Labs™ is the cornerstone of NortonLifeLock’s thought leadership in Cyber Safety, leading the company’s
future technology and guiding the consumer cybersecurity industry around the globe. The Labs team, sitting within the
office of the CTO, includes leading threat and security researchers aimed at protecting customers against known and new
threats and delivering consumer-focused innovation in the space of security, privacy and identity. Through these
efforts, we continually improve our industry-leading protection and detection capabilities to help keep consumers Cyber
Safe, while also delivering innovative prototypes with test-friendly features so adventurous users can learn and offer
Copyright © 2020 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo,
Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates
in the United States and other countries. Other names may be trademarks of their respective owners.