SMS VULNERABILITY —

Tweeting with SMS can open door to hacks on your Twitter account (updated)

Twitter has known of vulnerability since August, hasn't patched it.

Twitter users who use their phone's text messaging to tweet are susceptible to an exploit that allows attackers to make unauthorized tweets and changes to the profile, a security researcher has warned.

The attack, according to a blog post published by researcher Jonathan Rudenberg, works so long as a Twitter account is configured to accept SMS messages and doesn't have a personal identification number set up. The added PIN protection isn't available in the US, he said. Attackers who know the phone number associated with an account can then make unauthorized tweets and a variety of profile changes by spoofing the number. The attack exploits the ease of spoofing the originating address of SMS messages.

"Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account," Rudenberg wrote. "The attacker only needs knowledge of the mobile number associated with a target's Twitter account. Messages can then be sent to Twitter with the source number spoofed."

Twitter officials didn't immediately respond to an e-mail seeking comment for this post.

Rudenberg said he notified Twitter of the vulnerability in August. A few weeks later, he said, Twitter representatives asked him not to publish his advisory until they fixed the issue. As of Monday, a fix had yet to be implemented. During the same interval, he said, he reported similar vulnerabilities in SMS features offered by Facebook and Venmo and both services fixed them.

Until Twitter patches the vulnerability, people should disable SMS messaging on their accounts, Rudenberg advised. Accounts that permit PINs should be configured to make use of them. The measure "requires every message to be prepended with a four-digit alphanumeric code," he said.

Update:

In an e-mail, Rudenberg wrote: "I just got an update from the Twitter security team, and they have fixed the vulnerability. Users that have activated their mobile number using the short code can't send messages to the long codes which mitigates the vulnerability. Users that use the long codes are vulnerable to spoofing, but can enable the PIN code feature." He said he doesn't know when the vulnerability was fixed.

In a blog post published Tuesday evening, Moxie Marlinspike, Twitter's Engineering Manager, Product Security wrote: "It has been misreported that US-based Twitter users are currently vulnerable to a spoofing attack because PIN protection is unavailable for them. By having a shortcode, PIN protection isn't necessary for US-based Twitter users, because they are not vulnerable to SMS spoofing. We only provide the option for PIN protection in cases where a user could have registered with a longcode that is susceptible to SMS spoofing."

Channel Ars Technica