So and so needs to be verified!
This is often something I see on Twitter. Without going into the details (I don't think blog to be a criticism of those seeking verification, or those advocating for others to be verified), I don't believe in the Twitter verification feature. Firstly, it is a visual indicator, as I show below this can be utilised to lend credence to spread false information. Secondly visual indicators are not always the best when it comes to validating something. We have literally over the past few years been telling users to no longer view the padlock on a browser's URL as a means to determine if a site is safe or legitimate. Yet we now at the same time advocate for a very similar indicator on Twitter!
Absolutely nothing I'm about to discuss below is likely anything new. However it only occurred to me how I could exploit this to spread false information the other night. To the best of my own knowledge I'm not aware of this being discussed before, which I find it incredibly unlikely. I'm pretty sure that this has been raised and discussed else where before. I did try do a search and couldn't find anything however. The only previous mentions that I found have been around injecting the verification icon into your profile background picture (which no longer works), or try setting your name with the verification icon (again I don't think this works anymore). If you do know of anything, please let me know and I will include links and/or information in this post!
Warning: DO NOT attempt to fake the verification tick on your account in Twitter. Doing so will likely result in your account being banned. It's also the wrong thing to do.
Twisting the Facts
So I tweeted this out this morning:
But I can easily change this:
Now to an ordinary user/reader, who don't know me all that well, how do they tell if this is legitimate or not? Well, I don't have a verification tick next to my name of course! Let's fix that!
So this must be entirely valid and legitimate right (since I have the verified tick next to my name)? At this point you may be correctly shouting, but these are screenshots! Yes they are! There's a reason why some people take screenshots instead of directly linking to tweets, tweets can be deleted! So we have become accustomed to people sharing screenshots of tweets as opposed the actual tweets themselves. For many the fact that it is a screenshot will likely not raise many concerns. I've even seen more and more people on Twitter itself share screenshots of tweets as opposed the actual tweets themselves. Combined with the fact that people often see something online and immediately draw conclusions without any form of validation, so long as it remotely looks legitimate. Don't believe me? Let me ask you this one question to explain my point. Why are phishing emails and fake login pages often successful?
Back to the issue, I can even "set" the verification tick on my own profile:
Verification
The whole idea around the blue tick (if you don't have dark mode) or white tick (if you have dark mode) is that it is a visual means to try validate and lend authenticity to an account on Twitter. This is obviously very important! Especially for those accounts with a large following.
However, verified Twitter accounts do get taken over and changed to imitate someone:
Which is the real account? pic.twitter.com/DK8T7q9atn
— Sean Wright (@SeanWrightSec) November 4, 2020
In the image comparison which I took in the above tweet (it's an actual link to the tweet which I posted, so can follow the thread and get the context behind it), guess why I masked out the Twitter account handle? That's right, it would have immediately showed which was the legitimate account. Personally, and incorrectly, I often immediately look to a profile picture as a means of validation of an account. I assume this is because it is the most prominent feature of one's profile. This is wrong since it is really trivial to copy this image and use it on your own profile. After I have suspicions around the profile, the next part I move onto is the Twitter account handle. In fact as I think about it, I hardly if ever pay attention to the verification check on accounts. I suspect that I'm not alone in this regard:
Ignoring the politics around Twitter verification, I'm interested in peoples reliance on this feature. Do you find yourself often not paying attention the verification tick on accounts?
— Sean Wright (@SeanWrightSec) April 10, 2021
RTs would be greatly appreciated.
Taking a step back, let's now go through the initial step of trying to work out if an account is legitimate and not being imitated. Firstly I need to know the actual account, and this typically means having to know their Twitter handle (in my case @SeanWrightSec). Every profile and every tweet has this handle associated with it, so why not use this as a verification? But even this can be tampered with:
Another issue is that some accounts are verified, when in fact they should have not been in the first place. A recent example of this came about (thank you to @H0tdish for allowing me to use her thread on Twitter):
I love this story. So let's revisit what CCP are actually doing *on here*..
— Laura (@H0tdish) April 21, 2021
A fake "verified" by Twitter "doctor".. pic.twitter.com/oymMY9dQPO
@H0tdish did a fantastic job on this thread helping to illustrate that this account was not a legitimate account and should have not been verified, but it was. I highly recommend checking the thread out, it is really interesting!
Finally, there was an incident involving Twitter themselves in which several high profile accounts. This resulted in these verified accounts tweeting out a cryptocurrency related scam. And this worked since the criminals managed to net themselves a tidy sum of around $110,000!
Us and Them
The other problem which verified accounts start doing is creating an us and them problem. I get why accounts with large follows may need the verification, but what about those accounts with large followers which don't have it. But more importantly it starts to create some sort of status symbol. As I've shown above, while it can somewhat help address spoofed or fake accounts, there are still massive holes in the entire process. My problem is that it starts idolising views of those who have a larger following over those who don't. People may perceive the opinions of those with a verification mark next to their account more than someone who doesn't. This is wrong in my opinion. Why should the value of your opinion be tied to how many followers you have? This is NOT helping to create a collective community where we can all be free to share thoughts, opinions and ideas with one another. I originally was not going to include this part in this post, but I feel that it is important to call out. We should be helping EVERYONE, regardless of who you are and how many followers you have. I really don't want to get into the politics of it, but I feel that it is really important to call this out. We quite rightly pride ourselves in being an inclusive community. Well guess what, this is anything but inclusive! I also want to make it absolutely clear, this is not an attack on individuals, this is more a criticism of the of the process.
The Solution?
Currently there is no magical solution which will solve all these problems. Personally I think we need to rely on cryptography to solve the problem. This would involve using something such as PGP, to digitally sign tweets and profiles. In fact services such as GitHub and GitLab are doing this very thing for commits! But unfortunately this is not an option at the moment on the likes of Twitter. But one option is to use something such as Keybase to verify your account:
Verifying myself: I am sean_wright on https://t.co/VOJmEcM0M9. uwYv_R2J-hXYjuvsENMvdFq3G-JcAx4C2Y7G / https://t.co/6xwje58iAT
— Sean Wright (@SeanWrightSec) September 3, 2019
Anyone is them able to view the proof behind this claim:
You can do it right now view the signature: https://keybase.io/sean_wright/sigs/uwYv_R2J-hXYjuvsENMvdFq3G-JcAx4C2Y7G
Alternatively you can also view my Keybase profile and validate other identities such as the DNS entry for this very site!
In fact you can even search for a user in Keybase via their Twitter handle:
Or even their name on Twitter:
Conclusion
Don't always believe everything that you see on the Internet!
These words should always be on our minds. It is all too easy to share something, and have full faith in it, more so since it has all the visual indicators which you expect. Instead what should happen is the trust but verify approach (which we also ironically preach as security practitioners but we sometimes don't practice ourselves). If you see a controversial tweet, use things such as Twitter handles to view the account and view their tweets. See if they are on the likes of Keybase. These all help lend further credence to an account than a simple visual indicator in my opinion.
Also, I'm not going to share the details of how I did this, I don't want to equip others to do this in the first place. The purpose of this blog is to highlight the potential issue, and raise awareness around why you have to be so careful in what you believe (do your homework and validate), and why I feel the verification feature of Twitter is not an appropriate means of advocating someone. Also highlighting some steps that you as an individual can help with current technology and features.
As a final note the original tweet which I butchered above can be found at:
“despite it being an easy target for hackers” @BBCNews you should use the term which NCSC correctly used when you quoted them in the article, cyber-criminals.
— Sean Wright (@SeanWrightSec) April 10, 2021
cc @hacknotcrime https://t.co/mDbMx9yx3E
