Recap: The BlockTogether Fiasco

To my fellow free-thinkers in and outside of The Resistance, I am going to recap the entire Blocktogether fiasco so that no key points are missed or in question. Since the release of the information much has happened. We have seen blocklist managers go into all-out propaganda mode to protect their ability to censor. We have seen Twitter needing to take emergency measures to try to correct this issue. And most importantly, more of the message about censorship by 3rd party “sock-puppets” is being seen. This last part is arguably the most important. And the credit for spreading that message belongs to you.

In this first post we’ll take a look at the technical aspect of the problem. After that, we’ll move into the disinformation campaign being waged against us. Literally, nothing Louise Mensch has said is factual regarding this.

My goal was simply to protect the ones who were blocked. They were compromised as a direct result of Blocktogether. I had no intention of protecting the censors and abusers. Luckily, they would rather dig their heels in and continue using a flawed system even if it means they must suffer severe real-world consequences. And ironically, it turns out that the people that would’ve been helped the most are the list managers. But never fear, they will risk it all to hold onto the high that comes with having power over people.

Let's take a look at what happened, why it happened, and what it means as the problem currently stands. Here is the problem:

  1. Twitter has problems with its OAuth. Always has
  2. Blocktogether is a 3rd party application that users give read/read-write + DM access (thanks @1weesel)
  3. This endangers the subscribers, as well as the block list administrators

 

[Image: BTreadWrite2. Courtesy of @1weesel via Twitter]

The Genesis

Let us deal with Twitter and their OAuth problems first and cite a few examples. I will keep it in layman’s terms so even I can understand it. This stuff was always explained to me by very patient people; more patient than I could ever be.

For a long time now people have been using Twitter’s OAuthorization to gain control of accounts or to fool other users into giving up control of their accounts. Just for the record we will take a look at a few examples from a site that rewards devs for finding and fixing bugs along with a tutorial for account takeover:

[Critical] Steal OAuth Tokens

https://hackerone.com/reports/131202

Real-world application of above bug

https://www.geekboy.ninja/blog/turning-simple-login-csrf-to-account-takeover/

Keep in mind, this was active up until a few weeks ago. It is one of many OAuth bugs and security issues on Twitter’s side. The same technique is applicable to both Twitter and Facebook.

But here is where it starts to get interesting and the details matter… I hope I’m not boring everyone.

This “bug” on Twitter’s side can be used (with slight modification) to access an account using a Blocktogether list. This can be either as a subscriber or as a list manager. It does not matter. It creatively uses two routers to spoof credentials. Since Twitter will take temporary, or even outdated, security certificates, this helps them gain the foothold and account takeover.

https://hackerone.com/reports/168538

And a video of the demonstration. Important to note this is not me in the video:

 

The most recent tactic of gaining access to an account worked almost identically, from what I can deduce. The attacker can spoof a security certificate or use an expired one and the job is complete. The creator of Blocktogether had already acknowledged using outdated security certificates. Even temporary certificates that were used in the beginning are still allowed and validated.

The Blocklists

The three blocklists that I published were

  1. Given to me by an operator who was using the lists, taking names at random, and demonstrating getting a foothold/access to the account
  2. None were ChiefCovfefe/Mensch/TeamPatriot blocklist
  3. None were altered in any way. I received them that way

Over the course of three days and ending on 11/21 I published 3 block lists. These were users affected by, or determined to be compromised by an attacker. This was a delicate agreement between myself and the operator. So delicate that I agreed to only “show it to select group of people in 24hr period”. That “select” group was the twitter community. So I published the lists with a 24hr expiration. Why? Simple.

  1. These are compromised accounts. The longer the info stays up the more danger they are in. Attackers will see the lists before the users. Keeping them up indefinitely can only multiply the harm
  2. When the lists “vanished” the liars could start their campaign. I claimed I had no access to them after the 24 hr time period. Are Team Patriot willing to bet on that info and risk it all? What if I still have them? Their claims fall to pieces. And I do have them (game over)

The operator was furious and I burned a bridge. So what? Many were saved. More are demanding change. And as long as the censors think the lists disappeared they felt free to lie about them. It worked perfectly.

Why Mensch Crew had to get defensive

We will address this in detail next time. As a primer, most of the details of this attack were realized when this bug was found only because certain users seemed to be structuring tools to operate to take advantage of this flaw. It set off a red flag. Running those user IDs we can see that the CounterChekist account and the ChiefCovfefe account were two that had created tools within the Twitter Dev options to use this exploit. I posted the raw data the operator showed me when he encountered it while researching this. I have redacted everything but the user ID which I believe to be CounterChekist. I should say that I do not believe he has the skills to create such tools. So this is likely the result of an attacker.

https://pastebin.com/dxm0JDdy

It is important to note that the chances that this was done by an outside operator vs the account owner is 50/50. And since the Big Chief runs the largest censorship tool he would obviously make himself a prime target. Ditto on CC. And if an attacker did anything illegal or broke a ToS then the responsibility would fall on the account owners, not the attacker.

Exposing this protects the Big Chief, which was not my intention at all but is rather an unintended consequence. So why then is he – and also the entire crew – smearing people and fabricating evidence to keep this flaw in place? I can only deduce that he was the one creating the tool/script to access the nearly one million accounts on his list. An innocent person’s response would’ve been to shut it down and thank the messenger. Instead, they have taken a scorched earth approach to keep this in place.

Meanwhile, people start seeing mass unsubscribing…

[Image: lolunblock]

Twitter DMs Go Down. As Expected (11/21)

Another topic we will touch on more in the next post. But immediately after this was revealed Twitter needed to deploy a patch. Within hours on 11/21 (the same day I revealed the compromise) temporary fixes were made. It was massive enough to require DMs being taken offline. Since things like Blocktogether can give an attacker a foothold into DMs of accounts they don’t own, new code needed to be written in. Unfortunately, OAuth flaws are so deep that it does not help. Twitter was able to minimize the impact by doing this in blocks of users. So DMs were not offline for everyone all at the same time. As a matter of fact, it was likely only caught because some users were using it during what was normally their “off-peak” usage.

This link cites a few examples of users who witnessed it.

http://animeright.news/zanting/twitter-direct-messaging-dm-service-goes-down-during-outage/

 

Thank You, So Far, and Moving Forward

I mean that sincerely. And if you missed it in the mish-mash of Twitter replies, I believe in having no enemies. Having opponents is different. As a whacky Libertarian I tend to think everyone is nuts except me (which is likely pretty accurate according to my latest internal polling data).

In our digital age we tend to forget that there are real people behind avatars. And since most of the topics that help us clash are inseparable from our emotions, the impersonal layer of “words on a screen” does not help us feel like we are talking among people but rather talking at avatars.

You have all demonstrated that you have the ability to talk with one another, not at them. And that warms my heart.

My biggest concern is that I do not want to lose people in the course of this explanation or confuse anyone. So I implore you to speak up and ask me anything at any time. I am even willing to do any sort of group chat if everyone wants to get into a single spot and address any issues. Discord and Google Hangouts come to mind. I have a decent mic and anyone, including Karol, Chief, or Louise, is welcome too. If this is something you guys would like to do, let me know.

Sincerely,

Douglas Stewart

PS: The post right after this one debunks the entire “Las Vegas Shooter was an Anti-Trump Antifa” with previously unseen photos. Notice no one on the right cared. I received only thanks from Resist folks. Keep these things in mind when the goons start trying to smear me as partisan or an ideologue. Cheers!