Decade-old flaw in Twitter allows hackers to spread ISIS propaganda using old accounts, report claims

Hannah Boland
Between January and June, Twitter suspended a total of 205,156 accounts which had violated its policy prohibiting the promotion of terrorism - REUTERS

Terrorists are allegedly exploiting a decade-old vulnerability in Twitter's systems to hijack dormant accounts and spread propaganda online.

According to TechCrunch, there has been a resurgence in the number of accounts being hacked in recent weeks, many of which had been inactive for years.

The hackers are reportedly exploiting the fact that, prior to this summer, people opening a Twitter account did not need to confirm their email addresses, meaning a number of accounts on the platform are linked to email addresses that were never actually created, or that have since expired.

An attacker can then register that email address themselves and, through it, gain access to the attached account.
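The defensive side of the problem the article describes, as an added illustration (this is example code, not Twitter's own system): an account record carries whether its email address was ever confirmed, and a password-reset request is gated on that flag combined with dormancy, which is the control the experts quoted below suggest. The account records, the one-year dormancy limit and the handler names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Account:
    handle: str
    email: str
    email_verified: bool   # was ownership of `email` ever confirmed by the user?
    last_active: datetime

DORMANCY_LIMIT = timedelta(days=365)   # assumed policy value, not Twitter's
NOW = datetime(2018, 9, 13)            # constructed "current" time for the sample

def reset_decision(acct: Account, now: datetime = NOW) -> str:
    """Gate a password-reset-by-email request for one account.
    'send'     - address was confirmed and the account is active: mail the link
    'reverify' - address was never confirmed: demand another factor first
    'lock'     - never confirmed AND dormant: send nothing, flag for review
    An unconfirmed address may belong to nobody, or to whoever registers it
    later, so mailing a reset link to it hands the account to that registrant.
    """
    dormant = (now - acct.last_active) > DORMANCY_LIMIT
    if not acct.email_verified:
        return "lock" if dormant else "reverify"
    return "send"

def audit_legacy_accounts(accounts, now: datetime = NOW):
    """Handles that must be re-verified or expired before reset-by-email is safe."""
    return sorted(a.handle for a in accounts if reset_decision(a, now) != "send")

# Constructed sample records (fictional handles and addresses).
SAMPLE_ACCOUNTS = [
    Account("legacy_2009", "nobody@example.com", False, datetime(2011, 3, 2)),
    Account("recent_unconfirmed", "new@example.com", False, datetime(2018, 8, 30)),
    Account("confirmed_active", "user@example.org", True, datetime(2018, 9, 1)),
    Account("confirmed_dormant", "old@example.org", True, datetime(2013, 5, 5)),
]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(f"{a.handle:20} -> {reset_decision(a)}")
    print("needs attention:", audit_legacy_accounts(SAMPLE_ACCOUNTS))
```

A confirmed but dormant account still receives the link here; expiring such accounts, as Woodward suggests, is a separate policy choice layered on top of this gate.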

Security experts said this issue was "all too well known", but that it was hard for Twitter to manage the problem.

"Twitter could expire accounts after a certain period of dormancy, but legacy accounts that were created without real associated emails will be vulnerable to this sort of hijack," said Robert Pritchard, a former cyber-security researcher at GCHQ and founder of The Cyber Security Expert.

Alan Woodward, a computer scientist from the University of Surrey, agreed that "there has been some evidence of this before but it’s difficult to see how you stop it unless you disable any Twitter account that has been inactive for more than a certain period".

"When the accounts are set up with common email services they can be effectively taken over."

TechCrunch said it had been alerted to a number of the hijacked accounts by a security researcher known as WauchulaGhost.

The site said those accounts had been spreading propaganda, including videos of Islamic State fighters and messages supporting violence, such as one said to have read: "With your cars, let’s go pack, you bomb, go with a bomb, you go in any way." Many of the accounts have since been deleted, it added.

WauchulaGhost said: "A lot of these older dormant accounts never created the email they have listed on the account. All someone has to do is create it and take over the account. At the moment Islamic State is using this flaw to spread their propaganda."

Twitter had signalled it was aware of the issue in June, introducing the requirement for new accounts to be confirmed with either email addresses or phone numbers.

"This is an important change to defend against people who try to take advantage of our openness," Twitter had said at the time.

Between January and June, it had suspended a total of 205,156 accounts which had violated its policy prohibiting the promotion of terrorism. 

Following the report on Wednesday, a spokesman for Twitter said: "Reusing email addresses in this manner is not a new issue for Twitter or other online services. For our part, our teams are aware and are working to identify solutions that can help keep Twitter accounts safe and secure."