Security Bits — 23 December 2022 🎄

Feedback & Followups

  • 🇺🇸 Apple have released their opt-in new Advanced Data Protection for iCloud , but only in the US for now —…
  • LastPass have released more details regarding their ongoing investigation into their recent breach —…
    • Users are vulnerable to phishing attacks because of leaked personal details
    • Backups of users’ end-to-end encrypted vaults were leaked, so any user with a weak password needs to change all their passwords everywhere
    • LastPass’s custom file format stores some information like website names and URLs in the clear, so phishing attacks could be very believable
    • Secrets like passwords, private keys and secure notes have not been leaked

Deep Dive — Is Twitter’s New Blue Tick Account Verification?

TL;DR — nope, but the gold and grey ones might be, if we choose to take Twitter’s word for it.

Bart explained the meaning of verification, and how Twitter and Mastodon implement it, in Chit Chat Across the Pond #756.

Last time we recorded, Twitter had promised they would be re-launching Twitter Blue, that it would have some kind of human review, and that there would be options for validating corporations and government entities.

🇦🇺 🇨🇦 🇳🇿 🇬🇧 🇺🇸 Since then the service has officially launched in 5 countries (Australia, Canada, New Zealand, the UK, and the USA), and Twitter have updated their website with more details.

People who earned a blue tick when it meant something will get to keep the tick, but it will be marked as being a legacy tick. New people who pay for the tick won’t get the tick until a human has reviewed their account, and changing your username, display name, or profile picture will remove the tick again until the account is reviewed again.

However, Twitter are making no claims about validating the account; the only claim they make is that blue-tick accounts appear to be non-deceptive. They don’t give a detailed definition of what a deceptive account is, other than saying accounts can’t show evidence of being misleading or of manipulating the platform, i.e. being some kind of malicious bot.

This is better than nothing, and a lot better than the utter failure that was the first for-purchase tick mark, but this is not account validation.

Twitter have also announced an initial test of a corporate account plan that does claim to offer verification but does not detail that verification in any way whatsoever. Verified companies will get a gold tick.

Similarly, government agencies, officials, elected representatives, and their staff will be able to get their accounts verified in some unspecified way to earn a grey tick.

The level of confidence you should assign the gold and grey ticks is based purely on your assessment of Twitter’s competence as an organisation; they have provided zero detail to help us make an informed judgment. Time will have to tell, I guess — if we hear stories of fakes with ticks we’ll know it failed, and if we don’t, we can assume the system works.


❗ Action Alerts

Worthy Warnings

Notable News

Palate Cleansers


When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji meanings:

🎧 A link to audio content, probably a podcast.
❗ A call to action.
(country flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.