Late on Friday night, some rather out-of-character tweets seemed to be coming out of New Scotland Yard.
The Twitter account of London’s Metropolitan Police (@metpoliceuk) broadcast to its more than one million followers a series of bizarre and sometimes offensive messages:
What’s more, the tweets pointed to suspect content in the news release section of the official Met Police website:
And emails were sent to people who had signed-up for notifications about news releases:
All very juvenile stuff…
Thankfully, Met Police Superintendent Roy Smith took to Twitter to confirm that this wasn’t New Scotland Yard trying to be “down with the kids”, and the account was reasonably swiftly brought back under control.
We are aware that the @metpoliceuk has been subject to unauthorised access and our media team are working hard to delete the messages and ensure the security of the account. Please ignore any Tweets until we verify that it is back under official control. RT
— Chief Supt Roy Smith (@roysmithpolice) July 19, 2019
My guess is that the nature of the links posted by whoever was behind the attack, and the content that some of them linked to (which appeared to doxx an individual) might well point the authorities in the direction of those who might be responsible.
Someone, however, hadn’t guessed the password to the Met Police’s Twitter account or hacked into its website.
You see, as they later confirmed, the Met Police had been using a service called Mynewsdesk that is supposed to make it simple to create a piece of content (such as a press release), and then automatically update your website and social media outlets, and send an email notification to mailing list subscribers.
It was Mynewsdesk that updated the Met Police’s Twitter account, and posted the bizarre messages on the Met Police’s website. The Met Police’s own systems had not been hacked.
And the Met Police’s news section is only really the Met Police’s website in name. It’s actually hosted on Mynewsdesk infrastructure:
So someone, somehow, managed to hijack control of the Met Police’s Mynewsdesk account. And that’s why the tweets got posted, and that’s why the emails were sent, and that’s why the Met Police’s website was updated.
Whether the Mynewsdesk account was compromised because of a common reason like password reuse or the phishing of credentials feels most likely but it’s also possible that there was a vulnerability in Mynewsdesk which allowed a hacker to gain access.
I can certainly sympathise with the Met Police if the problem was entirely at Mynewsdesk’s end. Two years ago my personal Twitter account began to post some pretty bizarre messages after a third party app I had linked was compromised by a hacker.
Whenever you give a third-party service permission to access your Twitter account, website, or mailing list you are placing trust in their ability to act responsibly with that power, and only allow authorised users to use it.
For more discussion on this topic be sure to listen to this episode of the “Smashing Security” podcast: