It is so important to critically examine and limit the blast radius of administrative actions. This is both from a vulnerability perspective as well as honest human mistakes.
For certain actions like taking over an account and impersonation there should be rate limits all around. Overriding them requires a break glass process where multiple people may have to approve (or even just acknowledge that it is happening).
Social engineering happens. It can happen to the best of us who hold the keys to the kingdom. The goal is that no one individual can completely break all the barriers. They need a bit of help, time, or both.
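One way to express the rate limit plus multi-party break-glass override described above, as an added example that is not part of the thread (the limits, quorum size, action names and in-memory store are assumptions):

```python
"""Admin-action gateway: sensitive actions (impersonation, account takeover) are
rate-limited per operator; exceeding the limit requires a break-glass ticket
approved by a quorum of *other* operators, and every decision is audit-logged.
Limits, quorum and action names are illustrative assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

SENSITIVE = {"impersonate", "take_over_account"}
RATE_LIMIT = 3          # sensitive actions per operator per window (assumed)
WINDOW_SECONDS = 3600
QUORUM = 2              # distinct approvers, excluding the requester (assumed)

@dataclass
class BreakGlass:
    requester: str
    reason: str
    approvers: set = field(default_factory=set)

    def approve(self, who):
        if who != self.requester:      # the requester can never self-approve
            self.approvers.add(who)

    @property
    def open(self):
        return len(self.approvers) >= QUORUM

class AdminGateway:
    def __init__(self):
        self.history = defaultdict(deque)   # operator -> timestamps of sensitive actions
        self.audit = []                     # append-only decision log

    def _recent(self, operator, now):
        q = self.history[operator]
        while q and now - q[0] >= WINDOW_SECONDS:   # drop entries outside the window
            q.popleft()
        return len(q)

    def perform(self, operator, action, target, now, ticket=None):
        """Return True if the action is executed, False if it was blocked."""
        if action not in SENSITIVE:
            self.audit.append((now, operator, action, target, "OK"))
            return True
        if self._recent(operator, now) >= RATE_LIMIT:
            if not (ticket and ticket.requester == operator and ticket.open):
                self.audit.append((now, operator, action, target, "BLOCKED"))
                return False
            outcome = "BREAK_GLASS:" + ",".join(sorted(ticket.approvers))
        else:
            outcome = "OK"
        self.history[operator].append(now)
        self.audit.append((now, operator, action, target, outcome))
        return True
```

The audit log records which approvers signed off on each override, which is what a dedicated reviewer would later read to confirm the break-glass was justified.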
Really quality suggestion. Do you have any recommended document/link where one could study how to do this (blast radius in production)? Would be really glad.
Twitter can probably afford to have all account actions to verified accounts be behind break-glass procedures and hire dedicated people to do nothing but watch and audit that.