Despite numerous claims online, the Metropolitan Police Service wasn’t the victim of a direct hack but was instead rather careless with its permissions, according to one security expert.
Some very out-of-character messages were shared from the official @metpoliceuk Twitter account this month, leading many to think it had become the latest hack victim. A series of bizarre, often expletive-ridden messages were sent out to the account’s audience of over 1 million on the night of 19 July. What’s more, the Met was using the third-party app Mynewsdesk to syndicate any updates, so its tweets would automatically be pulled through to the website and even be sent out via email to those who had registered for updates.
This was what led many people (not unreasonably) to the conclusion that hackers had accessed the Met Police system and were using it to post their updates directly.
However, it seems the fault lay not with the Met itself but with the third-party app Mynewsdesk. Hackers had either gained access to the system through a vulnerability or managed to decipher the password, and in doing so secured themselves access to the Met account.
Whilst the Met Police can be relieved that its systems weren’t directly hacked, the issue does highlight the importance of properly vetting all external applications, companies or services before granting any access rights.
Security expert Graham Cluley certainly had sympathy for the Met Police, as he had experienced almost the exact same issue. Two years ago, his own Twitter account (itself with over 87,000 followers) began spouting Nazi messages in Turkish. However, just as with the Met, it wasn’t Cluley’s actual Twitter account that had been hijacked, but that of a third-party app to which he’d given certain permissions.
“I can certainly sympathise,” he wrote, “[but] whenever you give a third-party service permission to access your Twitter account, website, or mailing list you are placing trust in their ability to act responsibly with that power, and only allow authorised users to use it.”