Security Leftovers

posted by Roy Schestowitz on Nov 17, 2022

• Security updates for Thursday [LWN.net]

  Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (expat, xen, and xorg-x11-server), Oracle (kernel, kernel-container, qemu, xorg-x11-server, and zlib), Scientific Linux (xorg-x11-server), Slackware (firefox, krb5, samba, and thunderbird), SUSE (ant, apache2-mod_wsgi, jsoup, rubygem-nokogiri, samba, and tomcat), and Ubuntu (firefox and linux, linux-aws, linux-aws-hwe, linux-dell300x, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon).

• Twitter Two-Factor Authentication Has a Vulnerability

  The vulnerability comes as Twitter enters its third week under the ownership of Elon Musk, a period during which key security and compliance staff at the company have departed, masses of employees and contractors have been laid off, and cracks have begun to show in the company's customer-facing technology (see: Twitter Ramps Up Regulatory Exposure After Loss of CISO).

  A researcher contacted Information Security Media Group on condition of anonymity to reveal that texting "STOP" to the Twitter verification service results in the service turning off SMS two-factor authentication.

  "Your phone has been removed and SMS 2FA has been disabled from all accounts," is the automated response.

  The vulnerability, which ISMG verified, allows a hacker to spoof the registered phone number to disable two-factor authentication. That potentially exposes accounts to a password reset attack or account takeover through password stuffing. Twitter allows uses to set up multifactor authentication through other means besides SMS, including an authentication app and a security key. Twitter did not immediately respond to a request for comment; its communication team reportedly no longer exists.

• Twitter’s SMS Two-Factor Authentication Is Melting Down | WIRED

  FOLLOWING TWO WEEKS of extreme chaos at Twitter, users are joining and fleeing the site in droves. More quietly, many are likely scrutinizing their accounts, checking their security settings, and downloading their data. But some users are reporting problems when they attempt to generate two-factor authentication codes over SMS: Either the texts don't come or they're delayed by hours.

  The glitchy SMS two-factor codes mean that users could get locked out of their accounts and lose control of them. They could also find themselves unable to make changes to their security settings or download their data using Twitter's access feature. The situation also provides an early hint that troubles within Twitter's infrastructure are bubbling to the surface.

  Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twiter laid off about half of its workers, roughly 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin attempting to adapt Twitter's offerings and build new features per new owner Elon Musk's agenda.

• Failures in Twitter’s Two-Factor Authentication System