Twitter has issued a statement to provide more details on the SMS spoofing vulnerability disclosed a couple of days ago by security researcher Jonathan Rudenberg.
Twitter representatives highlight the fact that users who interacted over the SMS channel using a short code to post tweets were not vulnerable to these types of attacks. This category includes customers from the US who utilize the 40404 short code.
According to Moxie Marlinspike, engineering manager of product security at Twitter, it’s not possible to send SMS messages with a fake source to short codes because of the way the system works.
The PIN protection that Twitter has had in place since 2007 is meant to protect users who rely on long codes, which are just like normal phone numbers and can be easily spoofed. However, customers who rely on short codes don’t need this extra security feature because they’re protected by default.
Marlinspike reveals that Twitter has disallowed users who have a short code available from posting through long codes.
On the other hand, those who have to use the long codes are still vulnerable to these attacks, but they can stay safe by enabling the PIN protection.
However, independent security researcher Bogdan Alecu – who has performed his own tests over the past couple of days – explains that the use of short codes or long codes doesn’t depend on the country, but on the mobile operator.
He reveals that, for instance, in Romania some operators have allocated short codes, but others haven’t. On the networks of operators that have short codes, the spoofing attacks don’t work, but if the carrier allows messages to be sent only to long codes, an attacker can leverage this method to post on a user’s behalf.