It’s Time for Companies to Stop Using God Accounts
From AOL to Twitter, all your accounts belong to us
America Online grew into prominence in the early 90s and became one of the most significant online access points for people willing to pay hourly for dial-up service. In exchange, AOL supplied people with email, instant messaging, web browsing, and a back door into millions of customers’ accounts, if you knew how to access them. Between 1993 and 1994, AOL had one of the most significant backdoor exploits in its history, giving hackers almost unlimited access to every account. All of this was made possible by an intentional design flaw. Even 26+ years later, companies are still making the same mistakes.
The design flaw AOL had unwittingly created was something known as a “God” account. It was a superuser account that had access to almost everything. It was built into the system’s core for admins to monitor the service, credit people extra time, and help with billing issues. With access to a God account, you could also upgrade other regular accounts with the same powers. I don’t know all of the details of how it worked behind the scenes, or why they decided to build it, but I became aware of the God account privileges after a small group of hackers began exploiting it.
Having a God account wasn’t a feature unique to AOL; even your computer has a sudo user. A master account, like sudo, allows you to run programs with the security privileges of another user. Most of the time, this is critical for maintaining a platform. If a user locks themselves out, something like AOL’s God account could reset the password. At the time, there was no way to do this other than calling the company on the phone to have someone reset the password manually.
Of course, when hackers figured out how to get access to the God account, they ran rampant on AOL. While some of the hackers used it for entertainment, like suspending people’s accounts and gifting unlimited hours to their friends, another group did far worse. This subset of hackers used the exploit to read through emails and personal messages, and to siphon credit card numbers from unsuspecting users.
Access to the God account didn’t last long. Eventually, AOL figured out what was going on and locked this exploit down. But for months, there was a back and forth exchange between hackers and AOL over who could access the God account. I had all but forgotten about this until I saw what happened with Twitter a few days ago.
It’s not clear yet how hackers got access to all of those high-profile accounts. Given the way that Twitter was able to stop all verified accounts from tweeting, there must be some kind of master access point that has the potential to work as a two-way street. Once hackers figured out how to circumvent it, they were able to manipulate any account they wanted to. In response, Twitter’s only option was to shut it down altogether by stopping all verified users, from celebrities to government agencies, from tweeting. Not only is this a mess for Twitter, but it also highlights a flaw in the level of trust we place in these services to keep access to our accounts safe.
Twitter’s data breach also raises all kinds of questions about who is really responsible for maintaining control over these high-profile accounts. More importantly, what happens when these accounts are hacked in a way that could pose a potential national security risk to America or the entire world?
I’m honestly surprised it took so long for someone to figure this out. Early on, Twitter built the service with Ruby on Rails, and it was an unstable mess. Scalability issues overwhelmed the site almost daily, and the service regularly went down as a result.
While the “fail whale” is mostly a thing of the past, it was an open invitation to anyone smart enough to exploit this weakness. But luck and timing were probably on Twitter’s side since they were a tiny company compared to now. Also, Twitter lacked the global influence its platform currently has, which didn’t make it a high profile target.
I tried to create a suit of armor around the world, but I created something terrible.
This brings us back to the dangers of the God account in software applications. As in the plot of Age of Ultron, Tony Stark wanted to build a system to protect the world. But no one person or entity should have that kind of access to everyone’s safety. People use these social networks thinking that they have the final say over who can access each account. In reality, someone seeing all of your data is only a hack away, and in this case, it has nothing to do with simply setting your password to 12345.
Twitter, Facebook, Google, and all of these services are like landlords renting you an apartment, except they keep a copy of the key and can come in whenever they want. Or worse, they lose the key, and a stranger gets access instead. At the same time, there have been significant improvements in controlling access to accounts through more complicated passwords and two-step authentication. But if the service can override that at the root level, nothing you do to protect your account matters. It’s ironic that all of these companies push back on the government’s request to build them a backdoor. In reality, these social networks just don’t want anyone else to use the same functionality they already have in place.
I understand this is a complicated situation, especially after my years of doing software development for companies like HBO, Bloomberg, banks, and more. All computer systems have these kinds of backdoors, and they are incredibly difficult to protect. Maybe there is a better way to do this? The biggest challenge is giving control back to the users and changing the dynamic of the relationship.
Users should have the final say over who has access to their accounts. While it may be convenient for someone to have a key to your house for emergencies, you expect them to ask before using it. Right now, these companies have open-ended access to everything you do on their platform, and some like Facebook are even worse because they track you across the web in ways you can’t control access to. Long story short, no company should be able to access your account through some kind of backdoor without you explicitly permitting them.
The customer-first approach to account security needs to start with the service provider instead of continuing to put the onus on users. If you are building a software product and intentionally allow your developers to implement a God account, you are creating a Pandora’s box of security issues down the line. While most customers know nothing about these systems, the reality is that none of their data is ever truly private. As a user, you should expect that whatever you can do on these platforms can also be done by other entities, such as the company providing the service. In turn, this means the same can be done by any hackers smart enough to let themselves in the back door.
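To make the alternative concrete, here is an added example (my own illustration, not code from AOL, Twitter, or any product named above) of a support-access model built the way the previous paragraphs ask for: no standing God account, and a support agent can only act on an account after its owner explicitly approves a request that names the account, the exact actions, and a time limit. Every grant, denial, and action lands in an append-only audit list. The class and function names (AccountService, Grant, reset_password, read_messages) and the sample account data are assumptions constructed for the demo.

```python
"""Scoped, user-approved support access instead of a standing God account.

Added illustration; names, actions and sample data are assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable


class AccessDenied(Exception):
    """Raised when a support action is not covered by a valid grant."""


@dataclass(frozen=True)
class Grant:
    """What one agent may do, on one account, until when."""
    agent: str
    account: str
    actions: frozenset
    expires_at: float


@dataclass
class PendingRequest:
    agent: str
    account: str
    actions: frozenset
    ttl_seconds: int


@dataclass
class AccountService:
    # Constructed sample data: account id -> state
    accounts: dict = field(default_factory=lambda: {
        "alice": {"password_hash": "old-hash", "messages": ["hi bob"]},
    })
    pending: dict = field(default_factory=dict)   # request id -> PendingRequest
    grants: dict = field(default_factory=dict)    # token -> Grant
    audit: list = field(default_factory=list)     # append-only record of outcomes
    clock: Callable[[], float] = time.time        # injectable so expiry can be tested

    # Step 1: the agent asks, naming the account and the exact actions wanted.
    def request_access(self, agent, account, actions, ttl_seconds=900):
        if account not in self.accounts:
            raise KeyError(account)
        request_id = secrets.token_urlsafe(8)
        self.pending[request_id] = PendingRequest(agent, account, frozenset(actions), ttl_seconds)
        self.audit.append(("requested", agent, account, sorted(actions)))
        return request_id

    # Step 2: only the account owner turns a request into a grant.
    def approve(self, account, request_id):
        req = self.pending.pop(request_id, None)
        if req is None or req.account != account:
            raise AccessDenied("no such request for this account")
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(req.agent, account, req.actions, self.clock() + req.ttl_seconds)
        self.audit.append(("approved", account, req.agent, sorted(req.actions)))
        return token

    # Step 3: every privileged action is checked against the grant and logged.
    def _authorize(self, token, account, action):
        grant = self.grants.get(token)
        reason = None
        if grant is None:
            reason = "unknown token"
        elif self.clock() >= grant.expires_at:
            del self.grants[token]
            reason = "grant expired"
        elif grant.account != account:
            reason = "grant is for a different account"
        elif action not in grant.actions:
            reason = f"{action} not in approved scope"
        if reason:
            self.audit.append(("denied", account, action, reason))
            raise AccessDenied(reason)
        self.audit.append(("performed", grant.agent, account, action))

    def reset_password(self, token, account, new_hash):
        self._authorize(token, account, "reset_password")
        self.accounts[account]["password_hash"] = new_hash
        return True

    def read_messages(self, token, account):
        self._authorize(token, account, "read_messages")
        return list(self.accounts[account]["messages"])


def _outcome(fn, *args):
    """Return the call's result, or a 'denied: ...' string if it was refused."""
    try:
        return fn(*args)
    except AccessDenied as exc:
        return f"denied: {exc}"


def run_demo(clock_start=1000.0):
    """Walk the flow with a fake clock and return every outcome for inspection."""
    now = [clock_start]
    svc = AccountService(clock=lambda: now[0])
    out = {}
    rid = svc.request_access("agent7", "alice", {"reset_password"}, ttl_seconds=600)
    out["before_approval"] = _outcome(svc.reset_password, "no-token", "alice", "h1")
    token = svc.approve("alice", rid)                 # the owner says yes
    out["in_scope"] = _outcome(svc.reset_password, token, "alice", "h2")
    out["out_of_scope"] = _outcome(svc.read_messages, token, "alice")
    out["wrong_account"] = _outcome(svc.reset_password, token, "bob", "h3")
    now[0] += 601                                     # advance past the TTL
    out["after_expiry"] = _outcome(svc.reset_password, token, "alice", "h4")
    out["password_hash"] = svc.accounts["alice"]["password_hash"]
    out["audit"] = svc.audit
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The point of the design is that the service never holds a key that opens every door: a token is bound to one account, one owner-approved set of actions, and one expiry, and the audit list records refusals as well as successes, which is what a detection team would want to alert on when an agent starts probing outside an approved scope.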
I guarantee the license agreement everyone is forced to sign, but never reads, forgets to mention the God account access they have which will eventually be their Achilles’ heel.