August 23, 2020
Recently, I discovered a simple yet surprisingly effective attack vector against Twitter accounts (one that likely applies to other platforms as well). This attack vector makes it easy to find and hack vulnerable accounts whose login emails use expired domains. If a user creates a Twitter account with an email on their own domain, then forgets to renew that domain at some point, the account can be hijacked by registering the domain, forwarding all of its email to your own address, and then submitting a password reset on that account. By itself, this is hardly an attack vector, since finding such vulnerable accounts is the more important part, and we already know that owning someone's email is essentially a "game over" situation. The attack becomes more dangerous when it is combined with an efficient method to find these vulnerable accounts quickly and at scale. As it turns out, this is trivial on Twitter for several reasons attributable to their platform design.
If you're familiar with Twitter, you know that users are given the option to add a public website URL. With a simple script and a proxy, an attacker can quickly iterate over millions of accounts and check whether the domain in that URL is unregistered; this usually indicates some likelihood that the Twitter account was created with an email address on a now-expired domain. To verify this, they can submit a password reset, which shows them a censored version of the account's email address for confirmation; even though it's censored, it still provides enough information to check whether the email domain matches the expired domain listed on the profile. If it does, the attacker now knows this is an account that can be hacked. Once this entire process is automated, finding these accounts becomes very easy. This method of account hijacking is very likely being used right now by malicious hackers, and I believe it accounts for a large portion of stolen accounts/handles on the platform.
This attack can potentially be executed on other platforms besides Twitter, assuming one can find a similar discovery method. In Twitter's case, they could make it harder to discover these accounts by not showing any email confirmation upon requesting a password reset. This would make the process more costly for attackers, who would no longer be able to verify whether an account can be hacked prior to registering the domain. Or perhaps Twitter should monitor and unlist domains that are no longer registered and notify users when this happens so that they're aware. As for most users, in addition to turning on 2FA, it's important to be very cautious when using an email on your own domain to create accounts; it makes it much easier to lose access if you forget to renew, or can't under certain extreme circumstances like incarceration or death.
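The platform-side mitigation suggested above, as an added example that is not code from the original post or from Twitter: a scheduled sweep over account records that flags any account whose login-email domain, or whose public profile-URL domain, no longer resolves, so the account can have its website field unlisted and the owner warned before anyone else picks the domain up. The `Account` records, the `LIVE_DOMAINS` set and the `constructed_resolver` are constructed sample data; the default `domain_resolves` check only tests for an address record, and a real deployment would add MX and registry (RDAP) status checks.

```python
"""Flag accounts whose login-email or profile-URL domain has dropped out of DNS.

Added example, not from the original post. Data below is constructed.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class Account:
    handle: str
    login_email: str
    profile_url: Optional[str] = None  # the public website field, if the user set one


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of an email address, or None if it is malformed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def url_domain(url: str) -> Optional[str]:
    """Return the lower-cased host of a profile URL; tolerate a missing scheme."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return host.lower().rstrip(".") if host else None


def domain_resolves(domain: str) -> bool:
    """Default liveness check: does the domain still have any address record?

    Minimal version; a production monitor would also check MX records and
    registry status, since a domain can stay registered while parked.
    """
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def find_at_risk_accounts(
    accounts: Iterable[Account],
    resolves: Callable[[str], bool] = domain_resolves,
) -> list[tuple[Account, str]]:
    """Return (account, reason) pairs that should trigger a notification.

    Two signals: the login-email domain is gone (direct takeover risk via
    password reset) and the profile-URL domain is gone (the discovery signal
    an attacker would use, which the platform can unlist).
    """
    cache: dict[str, bool] = {}  # resolve each distinct domain only once

    def live(domain: str) -> bool:
        if domain not in cache:
            cache[domain] = resolves(domain)
        return cache[domain]

    findings: list[tuple[Account, str]] = []
    for acct in accounts:
        dom = email_domain(acct.login_email)
        if dom is None:
            findings.append((acct, "login email is malformed; domain cannot be verified"))
        elif not live(dom):
            findings.append((acct, f"login-email domain {dom} no longer resolves"))
        if acct.profile_url:
            site = url_domain(acct.profile_url)
            if site and not live(site):
                findings.append((acct, f"profile URL domain {site} no longer resolves; unlist it"))
    return findings


# ---- constructed sample data (not real accounts or domains) ----
LIVE_DOMAINS = {"alive.example", "mail.example"}

SAMPLE_ACCOUNTS = [
    Account("alice", "alice@alive.example", "https://alive.example"),
    Account("bob", "bob@lapsed.example", "https://lapsed.example/blog"),
    Account("carol", "carol@mail.example", "expired-site.example"),
    Account("dave", "not-an-email"),
]


def constructed_resolver(domain: str) -> bool:
    """Stand-in for DNS so the sweep runs offline: only LIVE_DOMAINS resolve."""
    return domain in LIVE_DOMAINS


def sample_sweep() -> list[tuple[Account, str]]:
    """Run the sweep over the constructed records with the offline resolver."""
    return find_at_risk_accounts(SAMPLE_ACCOUNTS, constructed_resolver)


if __name__ == "__main__":
    for acct, reason in sample_sweep():
        print(f"notify @{acct.handle}: {reason}")
```

The resolver is injected so the same sweep can run against a DNS stub in tests and against real lookups in a scheduled job; a notification should go to a recovery channel other than the affected email, since that mailbox is the one at risk.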