All The Things That Little Birdies Tell Us


Transitioning from talking about LinkedIn, Instagram and Facebook, the next logical platform to discuss is Twitter. Twitter was started in 2006. Per Kevin Murnane's (2018) Forbes article and Pew Research Center, Twitter had approximately 24% of the social media market share. Twitter is unique among social media platforms in that unless an account is set to private, all tweets are public. Other unique aspects of Twitter that have since transcended the platform are hashtags, verified accounts and character limits.

Twitter was one of the first platforms that made it easy to interact with celebrities. The ability to easily interact led to the rise of fake accounts which triggered the account verification process and the blue check box beside names. Twitter actually introduced this feature in 2009, which is 3 years before Facebook and 5 years before Instagram. This helped to make it an Open Source Intelligence (OSINT) goldmine.

To begin the analysis of OSINT capabilities with Twitter, I will first reiterate that all tweets are public unless your account is set to private. In setting your account to private, you must approve those who can follow you. They can see your tweets but cannot retweet or share them (the obvious exception being screenshots), but you can follow and see anyone else's tweets, provided they do not have a private profile.

Since Twitter is predicated on having many followers, it is not practical or reasonable for some users to set their profiles to private. This allows people, both authenticated and unauthenticated, to view their tweets. It also allows actors, stalkers and other entities to build dossiers on their targets. They can gather enough information via OSINT to have what I call the "Context for the Contact." The context allows them to interact with the victim and build rapport more quickly without seeming (too) awkward. Rapport is about 85% of the battle. Without it, a social engineer is dead in the water like a ship without power.

To expand on the social engineering angle of this capability, I used Twitter in profiling employees of my target companies during the OSINT phase for the Social Engineering Capture the Flag (SECTF) at both DerbyCon and DEF CON. While scoping employees of one of the two companies, I found a Senior VP that openly tweeted to their airline to complain about missing a flight to Amsterdam for a meeting. They cited the flight number, the delay and that it happened in Newark. Had I been a malicious actor, I could have either spoofed and emailed or just called the target and claimed to be customer service for that airline. Such actors could collect enough information from the target to answer authentication questions and steal his or her identity or wipe out their frequent flyer miles.

Another aspect of Twitter that makes it easier for attackers to gather information without risking accidentally clicking like, comment or retweet is the API. An API, or Application Programming Interface, allows consumers to interact with Twitter programmatically, for example from a command-line interface (CLI) rather than the web page. Also, it is easier to get an API key with Twitter than with many other platforms, especially social media platforms. The free Twitter APIs are Representational State Transfer (REST) and streaming. Many programming languages have libraries written to interact with them. A full list of supported libraries on a per-language basis can be reviewed here. The API can also be accessed directly over HTTP, with OAuth used for authentication.

Regarding the API, in addition to not being susceptible to clicking anything, there are additional data fields such as keyboard language, potential GPS location and time zone (to name a few) that cannot be easily discovered using the normal web interface or mobile application. An additional capability that comes with using the API is that the data is already pulled down in text format, ready to be written to an array or database. The API may also return the data as JSON (JavaScript Object Notation), which is very easy to normalize and work with if further processing is required.
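The practical defensive takeaway from the two paragraphs above is to look at your own account the way the API presents it, before someone else does. The following is an added example, not code from the original article. It assumes the field names of Twitter's v1.1 REST API JSON (user object: `lang`, `time_zone`, `utc_offset`, `location`, `geo_enabled`; tweet object: `coordinates`, `place`, `source`, `lang`); the user and tweet payloads embedded below are constructed for illustration, so in real use you would feed it the JSON returned for your own account.

```python
"""Audit which OSINT-relevant metadata a Twitter-style API payload exposes.

Added example, not from the original article. Field names follow Twitter's
v1.1 REST API JSON as an assumption; the sample payloads are constructed.
"""
import json

# Constructed sample user object, shaped like a v1.1 `users/show` response.
SAMPLE_USER = json.dumps({
    "id": 1000001,
    "screen_name": "example_svp",
    "lang": "en",
    "time_zone": "Eastern Time (US & Canada)",
    "utc_offset": -18000,
    "location": "Newark, NJ",
    "geo_enabled": True,
})

# Constructed sample tweets, shaped like `statuses/user_timeline` entries.
SAMPLE_TWEETS = json.dumps([
    {
        "id": 1,
        "text": "Stuck at EWR again, flight delayed.",
        "lang": "en",
        "source": "Twitter for iPhone",
        "coordinates": {"type": "Point", "coordinates": [-74.1745, 40.6895]},
        "place": {"full_name": "Newark, NJ"},
    },
    {
        "id": 2,
        "text": "Great meeting today.",
        "lang": "en",
        "source": "Twitter Web Client",
        "coordinates": None,
        "place": None,
    },
])

# User-level fields the article calls out, with what each one reveals.
USER_FIELDS = {
    "lang": "interface/keyboard language",
    "time_zone": "time zone",
    "utc_offset": "UTC offset in seconds",
    "location": "free-text location",
    "geo_enabled": "geotagging enabled on the account",
}


def audit_user(user: dict) -> dict:
    """Return only the metadata fields that are actually populated."""
    exposed = {}
    for field, meaning in USER_FIELDS.items():
        value = user.get(field)
        # Skip absent, empty and explicitly-off values (note: utc_offset 0 is kept).
        if value is None or value == "" or value is False:
            continue
        exposed[field] = {"value": value, "meaning": meaning}
    return exposed


def audit_tweets(tweets: list) -> dict:
    """Collect geotagged tweets and the distinct client apps used to post."""
    geotagged = []
    sources = set()
    for tweet in tweets:
        if tweet.get("source"):
            sources.add(tweet["source"])
        coords = tweet.get("coordinates")
        place = tweet.get("place")
        if coords or place:
            geotagged.append({
                "id": tweet.get("id"),
                "coordinates": coords["coordinates"] if coords else None,
                "place": place["full_name"] if place else None,
            })
    return {"geotagged_tweets": geotagged, "sources": sorted(sources)}


def exposure_report(user_json: str, tweets_json: str) -> dict:
    """Build a report from raw JSON strings and assign a coarse risk level."""
    report = {"user": audit_user(json.loads(user_json)),
              **audit_tweets(json.loads(tweets_json))}
    if report["geotagged_tweets"] or "geo_enabled" in report["user"]:
        report["risk"] = "high"     # precise location is leaking
    elif {"time_zone", "utc_offset", "location"} & set(report["user"]):
        report["risk"] = "medium"   # coarse location / daily rhythm
    else:
        report["risk"] = "low"
    return report


if __name__ == "__main__":
    print(json.dumps(exposure_report(SAMPLE_USER, SAMPLE_TWEETS), indent=2))
```

Run against the constructed sample, the report flags the one geotagged tweet, the Newark place tag, the two client applications, and rates the account "high" because geotagging is switched on; turning location off (the article's first tip) is exactly what drops it to "medium" or "low".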

The final security concern relative to OSINT within Twitter was brought to my attention in 2017 (h/t Tracy "Infosec Sherpa" Maleeff). It is lists. While they are very useful for tracking people and accounts posting about specific topics, a sloppy social media team can provide attackers with a significant amount of information. Unlike accounts, lists can be set to public or private. Anecdotally, an account could have a public list for tracking their competitors' activity. In other cases, you may see prospective employees, vendors, or customers on these lists. This broadens the attack surface and further endangers the security of the target organization, and through the supply chain, those they do business with.

In conclusion, Twitter is a different type of social media for different users, just like Pinterest, Snapchat, Facebook, LinkedIn, and Instagram. To be clear, this post is not meant to discourage the use of Twitter or any other social media; it is meant for awareness. My personal tips for being safe on Twitter are to turn location and GPS off, do not post intimately personal data, understand your threat profile and adjust your security settings to ensure that you protect yourself commensurate with that model. Another feature that Twitter offers and does well is multi-factor authentication (MFA). Twitter offers three methods of MFA (listed in order from least secure to most secure): SMS (text message), an external application like Google Authenticator or Duo, and a security key (like a YubiKey). In addition, I recommend using strong and complex passwords without reusing the same password across multiple platforms.