Twitter fixed the security hole within hours of being discovered

Nov 6, 2013 12:52 GMT  ·  By

Twitter acted fast a few days ago when it was notified of the existence of a Cross-Site Request Forgery (CSRF) vulnerability that plagued the social network’s “add mobile device” feature.

This feature allows users to control their accounts via SMS. The security hole could have been leveraged to read a victim's direct messages and post tweets from the victim's account, provided the victim visited an attacker-controlled page while logged in to Twitter.

The issue was discovered by security researcher Henry Hoggard on November 3, and it was fixed by Twitter on the same day.

According to the expert, attackers could have exploited the vulnerability by luring a logged-in victim to a malicious web page that silently submitted the "add mobile device" form, adding the attacker's own mobile phone number to the victim's account.

“Although the page does provide an authenticity token aimed at preventing CSRF, it does not seem to validate that the token is correct, and therefore, we can enter any value,” Hoggard explained in a blog post.

Once the attacker's phone number was attached to the account, every SMS command sent from that phone would have been treated by Twitter as coming from the victim, giving the attacker the full set of Twitter's SMS commands.
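The attack chain described above, as an added example that is not Twitter's code or the researcher's proof of concept: an in-memory model of the "add mobile device" endpoint with a handler that requires an authenticity token but never validates it (the reported bug) beside a handler that binds the token to the session, plus an auto-submitting attacker page that is driven through a minimal stand-in for the browser. The endpoint URL, the session attributes and the phone number are constructed for the example.

```python
import hmac
import re
import secrets

# Constructed in-memory model of a logged-in session. Attribute names are
# assumptions for this example, not Twitter's implementation.
class Session:
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(16)  # per-session authenticity token
        self.phone = None                        # mobile number attached to the account

def handle_add_phone_vulnerable(session, form):
    """Models the reported bug: the page emits an authenticity_token and the
    handler insists the field is present, but never compares its value with
    the session's token. Returns (status, phone now on the account)."""
    if "authenticity_token" not in form or "phone" not in form:
        return 400, session.phone
    session.phone = form["phone"]
    return 200, session.phone

def handle_add_phone_fixed(session, form):
    """Hardened handler: the submitted token must equal the token bound to this
    session. compare_digest keeps the comparison constant-time."""
    supplied = form.get("authenticity_token", "")
    if "phone" not in form or not hmac.compare_digest(supplied, session.csrf_token):
        return 403, session.phone
    session.phone = form["phone"]
    return 200, session.phone

def csrf_page(target_url, attacker_phone):
    """Attacker's auto-submitting page. The attacker cannot read the victim's
    token from another origin, so the field carries an arbitrary value ("x")."""
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'<form method="POST" action="{target_url}">\n'
        '<input type="hidden" name="authenticity_token" value="x">\n'
        f'<input type="hidden" name="phone" value="{attacker_phone}">\n'
        "</form></body></html>"
    )

_HIDDEN = re.compile(r'<input type="hidden" name="([^"]+)" value="([^"]*)">')

def browser_submit(html):
    """Minimal stand-in for the browser: collects the hidden fields the page
    would POST. The victim's session cookie rides along automatically, which
    is what makes the request look authenticated to the server."""
    return dict(_HIDDEN.findall(html))

def simulate(handler, attacker_phone="+15550100"):
    """Victim is logged in and loads the attacker's page (constructed URL and
    number). Returns the handler's (status, phone) for inspection."""
    victim = Session("victim")
    form = browser_submit(csrf_page("https://twitter.example/devices", attacker_phone))
    return handler(victim, form)

if __name__ == "__main__":
    print("vulnerable:", simulate(handle_add_phone_vulnerable))  # (200, '+15550100')
    print("fixed:     ", simulate(handle_add_phone_fixed))       # (403, None)
```

The vulnerable handler accepts the guessed token and attaches the attacker's number; the fixed handler rejects it while a legitimate submission carrying the session's own token still succeeds. In a real deployment the token check is one layer: SameSite cookie attributes and Origin-header validation are the usual complements.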

Additional technical details on this Twitter CSRF vulnerability are available on the researcher’s blog.