By Aaron Miller
A Twitter security flaw that lets ignoble hackers post unauthorised tweets via text messaging has been exposed. British cybersecurity firm Insinia confirmed the bug by demonstrating it: the firm hijacked the accounts of several celebrities.
It was a mischievous experiment, but it proved how easily this weakness can be abused. By spoofing their mobile numbers, the company succeeded in posting tweets that appeared to come from other people, without ever entering their passwords. It’s easy to forget the feature if you have a data plan and a smartphone, but Twitter still allows you to tweet via SMS. You simply link your phone number to your account and then text whatever you want to post to the number Twitter has designated for your country and carrier.
The stinging revelations add to the mounting pressure on Twitter to develop more robust techniques to safeguard its users’ accounts. Twitter hijacking can have devastating consequences, especially if the hacker posts a message that damages the true owner of the account beyond repair. Twitter’s vulnerability to external attack is a disquieting reality that Twitter users will struggle to come to terms with.
A Twitter spokesperson admitted to The Guardian that the bug “allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing.” It’s not entirely clear what makes certain accounts susceptible to the bug, but as Gizmodo explains, Insinia was able to send out unauthorized tweets using “longcodes.” See, Twitter uses two kinds of numbers for tweeting via SMS: longcodes and shortcodes. The former looks like a typical phone number, while the latter is just three to five digits. It’s different for every country and, sometimes, every carrier — the USA uses a shortcode (40404), for instance, while the UK uses both shortcodes and a longcode (+447624800379).
A spokesperson from Twitter announced that the social network had “resolved the bug”; however, Insinia said it was able to hijack accounts even after Twitter claimed to have rolled out a fix. While hackers won’t be able to access DMs or personal details by exploiting this particular flaw, Insinia chief Mike Godfrey said his company conducted the experiment to show that text messaging should not be used to verify people’s identities.
“We should not be using 50-year old technology,” he explained. “It is massively flawed by design. Even someone completely unskilled could carry [out] this attack within half an hour. This took us 10 minutes.”
Godfrey was also hoping that putting a spotlight on the issue would compel Twitter to issue a solution, since the problem may have persisted for several years. As Gizmodo noted, Twitter admitted that it suffered from an SMS spoofing vulnerability back in 2012. This appears to be a replica of the same bug, or at least a very similar one. If you’re in the US, though, you might not have to worry about randos tweeting for you: the company’s spokesperson said Twitter doesn’t “believe there is any significant risk to US-based account holders.”
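The root of the problem described above is that an inbound SMS carries a sender number the receiving service cannot verify, so any feature that maps that number straight to an account will accept a spoofed message as the account owner’s. The following Python sketch is an added illustration, not Twitter’s code or Insinia’s: it models a tweet-by-SMS gateway with the weak “trust the From number” check next to a hardened variant that additionally requires a per-account PIN carried in the message body. The gateway structure, the PIN scheme, the handles and the phone numbers (taken from the UK’s reserved fictional range) are all constructed assumptions for the example.

```python
"""Model of a tweet-by-SMS gateway: sender-ID trust vs. sender-ID plus PIN.

Added example; assumed design, not the real Twitter SMS pipeline.
"""
import hashlib
import hmac
import logging
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("sms-gateway")

PBKDF2_ROUNDS = 100_000


def _hash_pin(pin: str, salt: str) -> str:
    """Derive a salted hash of the PIN so the stored record never holds it in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt.encode(), PBKDF2_ROUNDS).hex()


def make_account(handle: str, pin: str, salt: str) -> Dict[str, str]:
    """Build a constructed account record keyed by the linked phone number."""
    return {"handle": handle, "salt": salt, "pin_hash": _hash_pin(pin, salt)}


# Constructed sample data. +44 7700 900xxx is a UK range reserved for fiction,
# so these numbers belong to nobody; handles and PINs are invented.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "+447700900123": make_account("celebrity_account", "4821", "salt-celeb"),
    "+447700900456": make_account("another_user", "7730", "salt-other"),
}


@dataclass
class InboundSms:
    sender: str  # the From number as relayed by the carrier gateway; not authenticated
    body: str


def weak_authorize(sms: InboundSms) -> Optional[Tuple[str, str]]:
    """Vulnerable pattern: whoever the gateway says sent the SMS is trusted.

    Because the sender ID is not authenticated end to end, a message whose
    From field has been set to a linked number is attributed to that account.
    Returns (handle, tweet_text) or None if the number is not linked.
    """
    acct = ACCOUNTS.get(sms.sender)
    if acct is None:
        return None
    return acct["handle"], sms.body


def hardened_authorize(sms: InboundSms) -> Optional[Tuple[str, str]]:
    """Mitigation (assumed, not Twitter's): require a per-account PIN in the body.

    Expected body format: "<PIN> <tweet text>". Knowing or forging the phone
    number is no longer sufficient; the secret is something the number alone
    does not reveal. Mismatches are logged so repeated failures against one
    account can be picked up by monitoring as a possible spoofing attempt.
    """
    acct = ACCOUNTS.get(sms.sender)
    if acct is None:
        return None
    pin, _, text = sms.body.partition(" ")
    expected = acct["pin_hash"]
    presented = _hash_pin(pin, acct["salt"])
    # Constant-time comparison so the check itself does not leak the PIN.
    if not hmac.compare_digest(presented, expected):
        log.warning("rejected SMS for %s: PIN mismatch (possible sender spoofing)", acct["handle"])
        return None
    return acct["handle"], text.strip()


if __name__ == "__main__":
    # A message whose From field matches a linked number but carries no PIN.
    spoofed = InboundSms(sender="+447700900123", body="hello from a spoofed number")
    print("weak:    ", weak_authorize(spoofed))       # attributed to celebrity_account
    print("hardened:", hardened_authorize(spoofed))   # None, logged as a mismatch
    legit = InboundSms(sender="+447700900123", body="4821 hello from the real owner")
    print("hardened:", hardened_authorize(legit))     # ('celebrity_account', 'hello from the real owner')
```

The point of the side-by-side is that the weak path has no secret at all: the phone number doubles as the identity and the credential, which is exactly what the spoofing demonstration exploited. The hardened path keeps the convenience of tweeting by text but moves the authority to a secret that has to be typed into the message, and it records every mismatch so that a burst of rejected messages for one account shows up in logs rather than disappearing silently.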