Met Police “hack” not quite an open-and-shut case

Despite numerous claims online, the Metropolitan Police service wasn’t the victim of a direct hack but instead was rather careless with its permissions, according to one security expert.

Some very out-of-character messages were shared from the official @metpoliceuk Twitter account this month, leading many to think it had become the latest hack victim. A series of bizarre, often expletive-ridden messages were sent out to the account’s audience of over 1 million on the night of 19 July. What’s more, the Met was using the third-party app Mynewsdesk to syndicate any updates, so its tweets would automatically be pulled through to the website and even be sent out via email to those who had registered for updates.

This was what led many people (not unreasonably) to the conclusion that hackers had accessed the Met Police system and were using it to post their updates directly.

However, it seems the Met itself wasn’t at fault, but instead the third-party app Mynewsdesk. Either hackers had gained access to the system through a vulnerability, or had managed to decipher the password – and in doing so secured themselves access to the Met account.

Whilst the Met Police can be relieved that its systems weren’t directly hacked, the issue does highlight the importance of properly vetting all external applications, companies or services before granting any access rights.

Security expert Graham Cluley certainly had sympathy for the Met Police, as he had experienced almost the exact same issue. Two years ago, his own Twitter account (itself with over 87,000 followers) began spouting Nazi messages in Turkish. However, just as with the Met, it wasn’t Cluley’s actual Twitter account that had been hijacked, but that of a third-party app to which he’d given certain permissions.

“I can certainly sympathise” he wrote, “[but] whenever you give a third-party service permission to access your Twitter account, website, or mailing list you are placing trust in their ability to act responsibly with that power, and only allow authorised users to use it.”

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Met Police “hack” not quite an open-and-shut case

Categories

Horsham Office: 01293 871971 | London Office: 0203 763 3919 | IT Support: 01293 876000