In recent weeks, several celebrities have deactivated their accounts citing harassment. These high-profile deactivations are usually followed by commentary from followers or the media discussing the departure in public. On Thursday, Chrissy Teigen became the latest and most famous of these departures:
Unfortunately for users who want to keep their direct messages and private profile information confidential, the design of Twitter’s deactivation process weakens the security of that data for a 30-day window.
When a Twitter user deactivates their account, all two-factor authentication on that account is immediately disabled. Two-factor authentication (2FA, also called multi-factor authentication or two-step verification) is an essential security measure that ensures only the account owner can access an online account. The article “Two-Factor Authentication for Beginners” by Martin Shelton is a great explainer of how authentication apps, security keys, or even SMS codes let users prove who they are not just with a password but with “something they have”, such as a phone or a hardware key.
So what’s the big deal? Won’t Twitter just delete the account?
Well, as someone who has deactivated to avoid the timesink of social media, I can tell you that they won’t. (Note: at least not for normal accounts — I haven’t bothered any of my blue checkmark friends as they are busy doing whatever earns you a blue checkmark. Feel free to try it and report back.)
When a user deactivates their account, Twitter starts a 30-day reactivation window during which the profile shows as inactive (see above screenshot), but all of the user’s data, messages, and followers can be restored simply by logging back in. So during that month, the account can be taken over by an attacker who has only the username and password.
Beyond high-profile deactivations, an attacker monitoring “deactivated AND Twitter” or simply “deactivated” on Tweetdeck or another social-monitoring tool can easily collect a list of accounts deactivated within the past 30 days. In my testing of multiple accounts that I have registered, those accounts are guaranteed to have 2FA disabled.
What does Twitter say?
I submitted a report to Twitter’s Bug Bounty program to inform them of this issue. Their response: “We appreciate your suggestion and may look into making this change in the future, but at the moment, we consider this to be a Defense-In-Depth measure, rather than a vulnerability in Twitter software.”
I actually don’t disagree. It feels as though this vulnerability is a design decision meant to create an obstacle for users who want to deactivate. Certainly a 30-day cool-down period can be seen as a feature that benefits users who just want a vacation, or who change their minds and don’t want to lose all of their messages and followers. But why would a user with 2FA enabled want their data, DMs, contacts, etc. to lose that protection for a month? I actually ended up reactivating my account because I felt exposed, so good job Twitter: the friction in the departure process worked.
OK, but how exactly does this work?
When a regular Twitter.com user (again, I don’t have the ability to reproduce the flaw for verified or VIP accounts like Teigen’s) deactivates their account, any 2FA on that account is immediately disabled.
Twitter sends an email to the user’s associated address saying that 2FA has been disabled. Even if they notice the email, they cannot turn 2FA back on, because doing so requires logging in, and when a deactivated user logs in, the only way to reach the account settings is to reactivate the account! If a user repeats this process enough times, Twitter starts to resemble the World’s Most Useless Machine.
What are the steps to reproduce this behavior?
- A user (with or without 2FA enabled) decides to leave Twitter and deactivates their account.
- If 2FA was turned on, it is automatically turned off. The user receives an email saying this extra protection was disabled, but has no way to turn it back on.
- The user cannot re-enable 2FA unless the account is reactivated, which defeats the purpose of leaving. (Note: if you do decide to reactivate, you have to go through the entire process of enabling 2FA again!)
- Beyond going after the data of a high-profile user like Chrissy Teigen, whose deactivation is newsworthy, an attacker can simply use Tweetdeck to look for people announcing to the world that they are leaving, since no one has learned that Twitter “is not an airport and you don’t have to announce your departure”, as the trolls say. Given Twitter’s lack of protection from mob harassment, people who suddenly become the target of waves of harassment also tend to deactivate their accounts.
- The attacker logs in to the account with the Twitter username and a password obtained at some earlier point by any of a range of methods: brute force, guessing, a past data breach, phishing, social engineering by someone impersonating a Twitter VP, a jilted ex-lover or a pissed-off former assistant. Obtaining the password is non-trivial, but it is not as difficult as one might expect given the number of ways to do it.
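As an added illustration (not Twitter’s code and not part of the original post), the following Python models the account state machine the steps above describe, beside a hardened variant in which the second factor survives deactivation, so a dormant account still demands a current authenticator code before it will reactivate. The TOTP routine is the RFC 6238 algorithm that authenticator apps implement; the account class, the 30-day window constant, the password, the TOTP secret and the fixed clock are all constructed for the model.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

REACTIVATION_WINDOW = 30 * 24 * 3600   # the 30-day window described in the post
SALT = b"demo-salt"                    # constructed; a real system salts per user
T0 = 1_700_000_000                     # fixed "now" so the model is deterministic


def hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


@dataclass
class Account:
    username: str
    password_hash: bytes
    totp_secret: Optional[bytes] = None       # None means 2FA is off
    deactivated_at: Optional[int] = None
    keep_2fa_when_dormant: bool = False       # False models the behaviour the post describes

    def deactivate(self, now: int) -> None:
        self.deactivated_at = now
        if not self.keep_2fa_when_dormant:
            self.totp_secret = None           # 2FA silently dropped for the whole window

    def login(self, password: str, code: Optional[str], now: int) -> str:
        """Returns one of: purged, bad-password, 2fa-required, bad-2fa, reactivated, ok."""
        if self.deactivated_at is not None and now - self.deactivated_at > REACTIVATION_WINDOW:
            return "purged"                   # past the window: nothing left to take over
        if not hmac.compare_digest(hash_pw(password), self.password_hash):
            return "bad-password"
        if self.totp_secret is not None:      # second factor still enforced?
            if code is None:
                return "2fa-required"
            if not hmac.compare_digest(code, totp(self.totp_secret, now)):
                return "bad-2fa"
        if self.deactivated_at is not None:   # a successful login reactivates, as in the post
            self.deactivated_at = None
            return "reactivated"
        return "ok"


OWNER_PW = "correct horse battery staple"     # constructed; assume it leaked in a breach
OWNER_SECRET = b"12345678901234567890"        # the RFC 6238 test-vector secret


def dormant_victim(keep_2fa: bool) -> Account:
    acct = Account("victim", hash_pw(OWNER_PW), OWNER_SECRET, keep_2fa_when_dormant=keep_2fa)
    acct.deactivate(T0)
    return acct


def attacker_login(keep_2fa: bool) -> str:
    """Attacker holds only the leaked password and tries one day into the window."""
    return dormant_victim(keep_2fa).login(OWNER_PW, None, T0 + 86_400)


def owner_login(keep_2fa: bool) -> str:
    """The real owner also presents a current authenticator code."""
    when = T0 + 7 * 86_400
    return dormant_victim(keep_2fa).login(OWNER_PW, totp(OWNER_SECRET, when), when)


def late_login() -> str:
    """Anyone, 31 days in: the reactivation window has closed."""
    return dormant_victim(True).login(OWNER_PW, None, T0 + 31 * 86_400)


if __name__ == "__main__":
    print("as described :", attacker_login(False))   # reactivated: takeover with password alone
    print("2FA preserved:", attacker_login(True))    # 2fa-required
    print("owner, 2FA on:", owner_login(True))       # reactivated
    print("after window :", late_login())            # purged
```

The only difference between the two designs is whether `deactivate()` clears the TOTP secret. Keeping it costs nothing for the owner, who still has their authenticator, and turns the attacker’s stolen password into an incomplete credential for the whole 30 days.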
How bad is this design flaw?
Twitter’s automatic disabling of strong authentication “by design” reduces protection against an attacker who wants to gain access to and download a former user’s private information, or to impersonate the user to others. Impersonation remains possible after 30 days, when the username is released to the world, but a new account under that name would start from scratch: no blue checkmark, no million followers, and no direct messages.
The likelihood of attack is limited by the obvious need for the user’s password. Some people may realize immediately that their own or a friend’s account was taken over, but an attacker could export all of the account data before Twitter responds to anyone’s complaints.
Given that users who deactivate may be doing so because they were harassed on the platform, this is an unethical reduction in protection for the confidential information of a former user who is still a data subject of Twitter. Since it seems impossible to keep 2FA protection on a deactivated account for the 30-day retention period, the lack of mitigating options creates a harmful “dark pattern” that strips the user of autonomy over the protection of their own data.
So, users are essentially given two choices by Twitter…
- Reactivate, or
- We leave your data in the garbage for the next 30 days.
What should I do about it?
Until there’s a change, if you are concerned about the confidentiality of your user information after you deactivate, I would not deactivate your account.
If you just want to take a break while keeping 2FA on your account:
- Make sure you have 2FA enabled.
- Change your password to something long, strong, and never used before. “What’s a strong password?” you ask. The Electronic Frontier Foundation can help explain that: https://ssd.eff.org/en/module/creating-strong-passwords. Changing the password will also log out anyone who has your account open on their device.
- Leave a tweet saying that you no longer monitor the account.
- Set your profile to Protected to prevent new people from digging through your past public content (existing followers still can!).
- Turn off your account’s notifications.
- Revoke 3rd party application access: https://help.twitter.com/en/managing-your-account/connect-or-revoke-access-to-third-party-apps
- Delete the app from your phone.
If you are sure you want to delete your account for good:
- Remove past public content and direct messages using Micah Lee’s Semiphemeral: https://semiphemeral.com
- Do steps 1 through 7 from the above section.
- At a future point when you feel that the likelihood of being targeted by an attacker has decreased, quietly deactivate your account.