A researcher has found that an SMS flaw exposes Twitter users to hijackers who get a hold of their mobile numbers. With just a mobile number, these hijackers can change profile data and post messages using a victim’s Twitter account, according to Jonathan Rudenberg, a security researcher.
Twitter Users Vulnerable to Account Hijacking
In a blog post, Rudenberg states that Twitter users who have registered their mobile phone numbers and enabled SMS posting should immediately disable the feature until the security flaw is fixed. They can do this by changing their settings and removing their numbers; if they don’t take action, they remain vulnerable to account hijacking.
Rudenberg explains that a hijacker is able to use an account by “spoofing” the source number of an SMS message to match the mobile phone number of a Twitter user. He adds that since many SMS gateways permit a message’s origin address to be set to any “random” identifier, this address should not be trusted.
Security Mechanism Not Available to All
Notably, Twitter has a mechanism that can stop this hijacking attack; however, it is not available to all users, and in particular not to those residing in the United States. Where the mechanism is available, users can designate a four-digit PIN. This PIN is then attached to every SMS message, verifying that it is the actual owner of the Twitter account who is sending the posts.
Rudenberg says that unless this feature is available, a user should disable SMS posting until the social network addresses this security problem.
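The two ways of authorising an inbound SMS post described above, shown side by side as an added illustration; this is not code from Twitter or from Rudenberg’s post, and the user store, the “<PIN> <message>” format and the lockout threshold are assumptions:

```python
import hmac

# Constructed, hypothetical user store: registered mobile number -> (handle, PIN).
USERS = {"+15551234567": ("alice", "4821")}

# Failed PIN attempts per sender number. A four-digit PIN has only 10,000
# values, so guessing must be throttled or the PIN adds little.
MAX_FAILED_ATTEMPTS = 5
failed_attempts = {}


def post_from_sms_vulnerable(sender, body):
    """Authorises the post on the SMS origin address alone. Because many SMS
    gateways let a sender set that address freely, this is the flaw the
    article describes: a forged origin address is enough to post."""
    user = USERS.get(sender)
    if user is None:
        return None
    return {"handle": user[0], "text": body}


def post_from_sms_with_pin(sender, body):
    """Requires the user's PIN in every message (assumed format
    "<PIN> <message>"), so the origin address is no longer the only proof of
    identity. Returns the post to publish, or None if the message is rejected."""
    user = USERS.get(sender)
    if user is None:
        return None
    handle, expected_pin = user
    if failed_attempts.get(sender, 0) >= MAX_FAILED_ATTEMPTS:
        return None  # locked out until the user re-verifies out of band
    parts = body.split(maxsplit=1)
    if len(parts) != 2:
        return None  # no PIN present: reject rather than fall back to trusting the number
    pin, text = parts
    # Constant-time comparison; both sides are bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(pin.encode(), expected_pin.encode()):
        failed_attempts[sender] = failed_attempts.get(sender, 0) + 1
        return None
    failed_attempts.pop(sender, None)
    return {"handle": handle, "text": text}
```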
Twitter Fixes Security Flaw
Rudenberg shares that he notified Twitter about the SMS flaw on August 17. He was asked by the network to keep the matter private until the flaw was fixed. On October 15, the researcher asked for a response from Twitter, but got nothing. He then told the network that his findings would be published on November 28.
After the publication of Rudenberg’s findings, Twitter notified the researcher that the security flaw had been fixed. When it was fixed, however, remains unclear.
Similarly, Facebook and Venmo, a mobile payment service, were found to have the same security flaw. Rudenberg says that after he found and reported the matter to the companies, the problem was fixed immediately, and as a consequence making payments through SMS was disabled.