"GodMode" lets Twitter engineers tweet from any account - report

Jan

Twitter engineers can use "GodMode" to tweet from any account — Whistleblower

A second former Twitter employee has come forward and raised concerns about security policies at the social media platform, The Washington Post reports.

The whistleblower, a former Twitter engineer, has reportedly spoken with the US Congress and Federal Trade Commission (FTC) about a dodgy internal program called "privileged mode".
 
Previously called “GodMode”, it allegedly allows Twitter’s engineers to post tweets from any user’s account.

The whistleblower claimed it requires access to a production computer and changing one piece of code from “FALSE” to “TRUE”.
Wait until they learn that the Engineers also have access to a feature called "source code", which would allow them to do absolutely anything they wanted.

Or a thing called "the database" where they could modify tweets without anyone knowing.

Seriously, having a "god mode" is a common thing in software where you may need to impersonate a user to figure out exactly what is happening when that user does something and why it is breaking. It allows you to reproduce the problem the user is having to try and fix it.

Normally access to this "feature" is hard coded and only a very small subset of engineers have access to it, which it sounds like is the case here if they need to change the source code on production in order to access it.
 

Seems more like a security/clearance issue. Not everybody should have access to privileged features.
 
Exactly. On the face of it, it doesn't sound unusual. Impersonation is useful for debugging (seeing what the account sees) and can help to eliminate the big time waster that is trying to replicate an issue. However, access to impersonation is supposed to be very limited or completely disabled in production. It's all about how they are managing this.
 
I work at a pretty substantial company, much bigger than Twitter (both the product and the company, I guess you could say).
If I log into a production machine it sets off alarms to the security org and up my management chain.
Ditto for databases.

I have source code access, but any commit that doesn't have a ship-it from other engineers is auto-blocked.
You can skip that block, but it sets off alarms to the security org and up my management chain.

Once I log in, every action is logged and the entire transcript is available and has to be reviewed by my manager, who then has to give his seal of approval.
Then it goes to my senior manager, then my director, then the VP.
The approvals they give are legally binding, so they actually ask you about everything you did on that transcript.

If any source code I have tries to access the internet, or anything but other production systems or production accounts with the same level of access control, it sets off alarms, everyone gets notified, etc. etc. etc.

I get background checks done on me every 6 months, my fingerprints are taken every 6 months.
I need FIPS-approved hardware.

TL;DR, nobody logs into these machines or does any of these actions unless we are in the middle of a large-scale event.
Frankly, I see our security as not strict enough; doing less than that is just inexcusable for a company like Twitter.

It doesn't prevent you from taking those actions, it just makes it damn obvious to everyone that you did it and puts the onus on you to justify it; which, by the way, is easy for the right reasons.
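The first reply (impersonation gated by a flag that only a few engineers can flip in production) and the post above (every privileged action logged, alarmed and approved by a second person) describe the same control problem from two sides. The Python below is an added example, not code from the thread, from Twitter or from the Washington Post's reporting; the "INC-" ticket format, the 15-minute maximum TTL, the alarm hook and every name in it are assumptions. It puts the weak pattern (a module-level flag that "changing one piece of code from FALSE to TRUE" turns on) next to a break-glass design: a grant needs an approver other than the requester, an incident ticket and a short TTL; viewing as a user and posting as a user are separate permissions; every action, including denials, goes into a hash-chained audit log; and the alarm fires when the grant is issued, not when somebody notices afterwards.

```python
"""Gating a support-impersonation ("privileged mode" / "god mode") feature.

Two variants of the same feature, matching the thread's discussion:

  * weak_act_as             - a module-level flag an engineer on a production
                              host can flip from False to True; nothing records
                              who flipped it, for whom, or for how long.
  * BreakGlassImpersonation - acting as another user needs a grant naming the
                              requester, a distinct approver, an incident ticket
                              and a short TTL; writes need an explicit flag;
                              every action lands in a hash-chained audit log and
                              an alarm hook fires when a grant is issued.

Names, the ticket format and the alarm hook are assumptions for this example,
not anyone's production code.
"""
import hashlib
import json
from dataclasses import dataclass

# --- weak pattern: "change one piece of code from FALSE to TRUE" ----------
PRIVILEGED_MODE = False  # edited on a production host; no audit trail


def weak_act_as(actor: str, target: str, action: str) -> dict:
    """Acts as `target` whenever the global flag is on. Nothing is logged."""
    if actor != target and not PRIVILEGED_MODE:
        raise PermissionError("impersonation disabled")
    return {"as": target, "by": actor, "action": action}


# --- hardened pattern: break-glass grant + hash-chained audit log -----------
@dataclass(frozen=True)
class Grant:
    requester: str
    approver: str
    target: str
    ticket: str
    expires_at: float
    allow_write: bool = False  # debugging needs read only; posting is opt-in


class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, ts: float, **fields) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"prev": prev, "ts": ts, **fields}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recomputes the chain; an edited, inserted or deleted entry breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class BreakGlassImpersonation:
    MAX_TTL = 900.0  # seconds (assumed): one debugging session, not a whole shift

    def __init__(self, audit: AuditLog, alarm=None) -> None:
        self.audit = audit
        self.alarm = alarm or (lambda event: None)  # hook that pages the security org (assumed)
        self.grants: dict[str, Grant] = {}

    def grant(self, requester, approver, target, ticket, ttl, now, allow_write=False) -> Grant:
        if approver == requester:
            raise PermissionError("approver must differ from requester")
        if not 0 < ttl <= self.MAX_TTL:
            raise ValueError("ttl out of range")
        if not ticket.startswith("INC-"):  # assumed ticket format
            raise ValueError("grant must reference an incident ticket")
        g = Grant(requester, approver, target, ticket, now + ttl, allow_write)
        self.grants[requester] = g
        self.audit.append(now, event="grant", requester=requester, approver=approver,
                          target=target, ticket=ticket, allow_write=allow_write)
        # Alarm on issue of the grant, so the chain of command knows before any action happens.
        self.alarm({"event": "impersonation_granted", "requester": requester,
                    "target": target, "ticket": ticket})
        return g

    def act_as(self, actor, target, action, now) -> dict:
        """`action` is 'view' or 'post'; 'post' needs a grant with allow_write."""
        if actor != target:
            g = self.grants.get(actor)
            ok = (g is not None and g.target == target and now <= g.expires_at
                  and (action == "view" or g.allow_write))
            if not ok:
                self.audit.append(now, event="denied", actor=actor, target=target, action=action)
                raise PermissionError(f"no valid grant for {action} as {target}")
            self.audit.append(now, event="act_as", actor=actor, target=target,
                              action=action, ticket=g.ticket)
        return {"as": target, "by": actor, "action": action}
```

As the post above says, the hardened form does not stop an engineer who has the grant from acting; it makes the action attributable, time-boxed and visible to a second person before it happens. The hash chain only catches edits made to the log after the fact on the same host; for the chain to mean anything the entries have to be shipped to a store the impersonating engineer cannot write to, which this example leaves out.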
 
 
How does this apply to "Digital Money" practices?
 
I get background checks done on me every 6 months, my fingerprints are taken every 6 months.
I need FIPS-approved hardware.
And these are possibly just the checks that you are aware of. /Tinfoil hat.
 
They probably also lied about the number of bot accounts.
 