Learn how to effectively protect your X account. Do not let hackers take control.
Why is it worth taking care of it?
Security is not only about smart contract audits. It comes from a comprehensive approach, because an attacker will always choose the easiest way to achieve their goal. It doesn't matter whether that is a smart contract containing vulnerabilities, an unaudited web application serving as the interface for users, a third party storing your keys, or an insider who makes an "accidental" mistake.
When the stakes are high enough, there will be someone willing to try their hand at it.
Account takeover can be one such path.
What are the methods to take over social media accounts like X?
A brief threat modeling session helps determine who may want to attack the X account, which key assets attackers aim to compromise, and how they can do it.
Who can attack an X account?
- Remote user - a person without physical access and without any special authorization. It could be anyone.
- User with physical access - someone near the endpoints that are logged in to your X account. Both the phone and the computer you are logged in on may be attractive to an attacker.
- Insider - an employee with full or partial access to your X account. Perhaps you have delegated social media management to a specific person or agency.
What are the key assets that need to be protected?
- Phone number
- Email address
- Password
- Session token
- Endpoints with a logged-in account (computer, laptop, phone)
These are not the only things worth protecting. For example, protecting information about who operates the social media account makes it harder for the attacker to identify their target. The less they know, the wider the space they have to search.
However, for account security these are the key assets, and compromising any of them usually allows the attacker to do one of the following: log into the account, take over the session of a logged-in user, or recover the account.
All of these paths lead to abuse of the trust you have built and expose your users to loss of funds.
What are the threat scenarios you need to be aware of?
SIM swap is certainly not the only attack to worry about. There are many ways to hijack someone's X account, and the list below is certainly not exhaustive. However, it may help you understand how attackers work and think.
- Data leakage from X.
- Data leakage from external applications to which your account was connected.
- Data leakage from your password manager.
- Bribing an X employee who has the ability to edit account data.
- Cracking/guessing an email password.
- Cracking/guessing an X password.
- Social engineering to obtain the phone number by calling employees (pretending to be the mobile operator, a service provider, or someone else) or arranging meetings with them (business deals, dating, or other pretexts).
- Compromise of your backup email which can be used to recover your account.
- Using an unlocked phone or computer where the X account is logged in.
- Installing malicious applications that have full permissions on the X account.
- Shoulder surfing: watching the password as it is typed.
- Placing a camera in the room where the password is entered.
- Installing a keylogger on the computer of a person with access.
- Getting hired by the victim company to gain access to the account.
- Login credentials not being changed after employee turnover.
- Access granted to a dismissed employee not being revoked from authorized third-party applications (e.g. Buffer or other apps used to post social media content).
- Exploitation of vulnerabilities in X that escalate privileges, allow session riding, or enable information disclosure.
- SIM swap fraud.
There are even wilder methods, close to science fiction, such as recovering a password from the sound of the keys pressed while typing. Of course, some attacks are easier to carry out than others, and some are more likely than others. Nevertheless, even the threat scenarios that seem improbable do happen.
It’s worth looking at the number of reports handled by the X security team through their bug bounty program:
Even recently, another bug related to bypassing access control was reported to the X security team by wh01s7. However, it turned out to have already been reported.
It is possible to get a job at a company just to gather more information, and it is possible to take photos from a very long distance to read the card and personal details of an employee on a break. These practices have existed in the criminal world for a long time.
When the entry barrier is low and the reward is high - it gets dangerous.
More security measures to protect X account
Fortunately, it is possible to mitigate the threats and reduce the risk. The basics are to enable 2FA and to prevent the SIM swap attack that has become so popular recently. This alone will significantly reduce the attacker's options.
There are many more things that can be done to enhance X account security. Most of them can be divided into those for individuals and those for organizations.
Methods to protect against account takeover for individuals:
- Protect against SIM swap attacks. Use the methods described in detail in our article.
- Regularly check for e-mail data leaks. Sites like haveibeenpwned allow you to check whether an email address appears in a known data breach.
- Regularly review the connected third-party apps, devices and sessions that have access to the X account.
- Regularly review delegated access to the X account.
- Use a password manager and strong, unique passwords.
- Keep software up to date. Use current versions of applications, because updates frequently contain patches for known security vulnerabilities.
- Check the permissions an app requests and who created it. Pay attention to what the application is able to do, and make sure it comes from a verified, security-minded provider.
- Don't leave your phone or laptop unlocked. Set a short timeout for automatic screen dimming and automatic lock, and require additional authorization for key applications.
Methods to protect against account takeover for organizations:
- Limit the number of people who have access to the project's X account.
- Add access, don't share credentials. It is much easier to determine the cause of an incident when each person's access is separate. Where possible, grant individual access so you know exactly who is performing operations on behalf of the profile at any time.
- Create internal policies. Introduce regular checks and instructions with predefined rules and a required secure configuration. Make someone responsible for keeping them up to date.
- Grant the minimum necessary permissions. Most applications already offer granular permission levels. Granting the administrator role is not the best idea when, for example, a campaign manager role is enough.
- Grant access for a limited time where possible, and extend it if it is still required. This way you won't forget to revoke someone's access.
- Use a designated number. If registration requires a number, do not use the first one that is known to many people. Create a new number and use it for this purpose only.
- Educate employees. Make sure that people who may be targeted by such an attack are aware of it. Conduct training or provide appropriate materials.
- Educate users. Run awareness campaigns for users. If you never airdrop tokens, remind them about it from time to time. Present showcases of scams and explain them.
Want to increase the security of your organization?
There are multiple threat scenarios that projects should be aware of to protect their organization's security.
Let's engage in a conversation about security. Share details about your current security strategies and measures. This will enable us to provide professional advice on potential enhancements and additional actions that could be beneficial for your security framework.
- Ready to increase your security? Say HI to us!
Composable Security 🇵🇱⛓️ is a small team with a holistic approach that goes beyond the code. A combination of expertise in Solidity smart contract security and experience gained through 6+ years securing global fintechs and Polish banks helps us take comprehensive care of DApp security. Learn more about us.
Creators of the Smart Contract Security Verification Standard and the first Security Guide for DApps CTOs, Lead Developers, and Security Enthusiasts.
About the author
Co-author of SCSVS and White Hat. Professionally dealing with security since 2017 and since 2019 contributing to the crypto space. Big DeFi fan and smart contract security researcher.