Hackers Can Use Twitter SMS Vulnerability to Post on Users’ Behalf, Expert Finds (Updated)

The attack relies on spoofing the number from which the message originates

By on December 4th, 2012 13:37 GMT

Security researcher Jonathan Rudenberg has identified a vulnerability which can be leveraged by cybercriminals in attacks against Twitter users.

According to the expert, an attacker only needs to know the mobile phone number associated with the target’s Twitter account. Presuming that the victim has enabled the SMS service and that a PIN code is not set, the attacker can publish posts on the victim’s account by sending messages from a spoofed number.

Rudenberg explains that many SMS gateways allow the sender’s address to be set to an arbitrary identifier. As with email messages, an attacker can spoof the sender so that a message appears to come from a specific number.
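The trust model described above, as an added example (not code from Twitter or the researcher): the first handler authorizes a command on the claimed sender number alone, while the second treats the number only as an identifier and requires the account PIN. The PIN-as-first-word format, the lockout threshold and the account records are assumptions constructed for illustration.

```python
import hmac

MAX_FAILURES = 5  # assumed lockout threshold for wrong PINs

# Constructed account store keyed by the number registered for SMS.
ACCOUNTS = {
    "+15550100": {"user": "alice", "pin": "4821", "failures": 0},
    "+15550101": {"user": "bob", "pin": None, "failures": 0},  # no PIN set
}


def handle_sender_only(sender, body):
    """Weak model: the claimed sender number both identifies and authorizes."""
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return ("rejected", "unknown number")
    return ("posted", acct["user"], body)


def handle_with_pin(sender, body):
    """Sender number only selects the account; the PIN prefix authorizes."""
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return ("rejected", "unknown number")
    if not acct["pin"]:
        # A spoofable identifier alone is never enough to act on the account.
        return ("rejected", "no PIN set")
    if acct["failures"] >= MAX_FAILURES:
        # A short PIN is guessable, so repeated failures lock SMS commands.
        return ("rejected", "locked")
    supplied, _, text = body.partition(" ")
    # Constant-time comparison of the supplied PIN with the stored one.
    if not hmac.compare_digest(supplied.encode(), acct["pin"].encode()):
        acct["failures"] += 1
        return ("rejected", "bad PIN")
    acct["failures"] = 0
    if not text.strip():
        return ("rejected", "empty command")
    return ("posted", acct["user"], text.strip())
```

The sender-only handler accepts any message that claims a registered number, which is the condition the article describes; the PIN handler rejects the same message unless it carries the account's secret.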

“All of the Twitter SMS commands can be used by an attacker, including the ability to post tweets and modify profile info,” Rudenberg explained.

Rudenberg claims that Facebook and Venmo were also affected, but they addressed the bug after he had reported the flaw to their security teams. However, Twitter hasn’t addressed the issue, despite the fact that the company was notified on August 17.

Facebook patched the vulnerability on November 28 and Venmo on December 1. It’s worth noting that Venmo was only notified on November 29.

Bogdan Alecu, a Romanian researcher who specializes in mobile security, says that these types of vulnerabilities don’t affect just social media platforms, but other services as well.

“The first time I joined Twitter I noticed it was possible to send tweets via text messages and my first thought was ‘Well this is something that could be exploited by spoofing the sender.’ However I haven't tried to see if this actually works,” he told Softpedia.

“The problem is not only with Twitter, but also with other services (even banks) that authenticate the user based only on the phone number. It's like just knowing someone's username, no password needed, while in this case it's even easier as people do not consider their phone number as something private.”

We've reached out to Twitter to see if they want to comment on the researcher's claims.

Update. According to Bogdan Alecu, Twitter might be working on addressing the vulnerability as we speak.

“The vulnerability that was exploited relies on Twitter's long code number (a phone number with country code included). However, I just performed some tests and it seems they fixed the issue for the moment. I have tried at first to register my number by sending the START text to all of the long numbers available here,” he said.

“All of the text messages were sent (got the receipt confirmation) except for the number located in Finland. I then registered by using the short code available in my country. Everything went fine and I even was able to send a tweet,” he added.

“Twitter might be working as we speak to fix the vulnerability because even after registering, no tweets were sent when the long number was used.”

Update 2. Twitter has confirmed for Softpedia that the vulnerability has been addressed.

Update 3. Twitter has issued an official statement to detail this issue.
