The Twitter Compromise is Much More than a Cybersecurity Hack …

Social Media Companies are Hosters of Content and Not Publishers!

--

In cybersecurity we use a model called CRUD: create, read, update and delete. It defines the operations that a given principal may perform on a given resource, and the owner of that resource is the one who sets the access policy. Getting this right is fundamental: someone may hold the right to read a piece of information without holding the right to update it or delete it.

So, as a high-level policy, you would expect Twitter (and Facebook) to be able to “Read”, which is a given for their platform, and to “Delete”, in order to stop abuse. But “Create” and “Update”? Surely these would be so privileged that even Jack Dorsey himself could not exercise them without the action being checked by every government in the world? What the CryptoForHealth hack showed is that Twitter has full CRUD rights, and that is a worry for our democracy which goes far beyond social engineering or stolen passwords.

The flaw here is the “admin” account, where the administrator has complete rights to override any policy, or simply has complete rights to do whatever they want, all of the time. We did a research project a few years ago, which is now a very successful spin-out called…
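The CRUD model and the “admin overrides everything” flaw described above, as an added illustration that is not code from the article or from any Twitter system. Every principal, role, resource and policy in it is constructed for the example: the owner of a resource sets its ACL, the platform’s own roles get only Read and Delete over user content, and a single `admin_override` flag shows how a blanket admin right bypasses the whole policy. The `checked_override` function is one possible design (a quorum of approvers plus an audit record) assumed here, not the author’s.

```python
"""CRUD access-control model, added as an illustration of the article's
argument; not code from the article or from any Twitter system. Every
principal, role, resource and policy below is constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    NONE = 0
    CREATE = auto()
    READ = auto()
    UPDATE = auto()
    DELETE = auto()
    CRUD = CREATE | READ | UPDATE | DELETE


@dataclass
class Resource:
    """Something a user owns, e.g. a post. The owner sets the ACL."""
    owner: str
    acl: dict[str, Right] = field(default_factory=dict)  # principal -> rights


# Rights the platform's own staff roles hold over *any* user's resource.
# READ is needed to run the service, DELETE to remove abuse; CREATE and
# UPDATE are deliberately absent so staff cannot speak as a user.
PLATFORM_ROLE_RIGHTS: dict[str, Right] = {
    "reader": Right.READ,
    "moderator": Right.READ | Right.DELETE,
}


def is_allowed(principal: str, role: str | None, right: Right,
               resource: Resource, admin_override: bool = False) -> bool:
    """Decide whether `principal` may exercise `right` on `resource`.

    `admin_override` models the "admin does whatever they want" flag the
    article calls the flaw: when set, no policy is consulted at all.
    """
    if admin_override:
        return True                      # policy bypassed: the hole
    if principal == resource.owner:
        return True                      # owner keeps full CRUD on own data
    granted = resource.acl.get(principal, Right.NONE)
    granted |= PLATFORM_ROLE_RIGHTS.get(role or "", Right.NONE)
    return right in granted


def rights_matrix(principal: str, role: str | None, resource: Resource,
                  admin_override: bool = False) -> dict[str, bool]:
    """Which of the four CRUD rights `principal` effectively holds."""
    return {r.name: is_allowed(principal, role, r, resource, admin_override)
            for r in (Right.CREATE, Right.READ, Right.UPDATE, Right.DELETE)}


def checked_override(approvers: set[str], quorum: int, right: Right,
                     resource: Resource, audit: list[str]) -> bool:
    """A privileged action that is *checked* rather than unconditional:
    it needs `quorum` distinct approvers and always leaves an audit record.
    (One possible design, assumed for this example, not the article's.)"""
    ok = len(approvers) >= quorum
    audit.append(f"{'GRANT' if ok else 'DENY'} {right.name} on "
                 f"{resource.owner}'s resource by {sorted(approvers)}")
    return ok


if __name__ == "__main__":
    # Constructed sample: alice owns a post and lets bob read it.
    post = Resource(owner="alice", acl={"bob": Right.READ})
    print("bob      ", rights_matrix("bob", None, post))
    print("moderator", rights_matrix("staff1", "moderator", post))
    print("god-mode ", rights_matrix("staff1", "moderator", post, admin_override=True))
    log: list[str] = []
    checked_override({"staff1"}, 2, Right.DELETE, post, log)
    checked_override({"staff1", "staff2"}, 2, Right.DELETE, post, log)
    print("\n".join(log))
```

Running the script shows the moderator holding only READ and DELETE on alice’s post, and the same moderator holding every right the moment `admin_override` is set; the policy on the resource is never consulted in that path, which is the point the article is making.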

--


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
