Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Twitter fixes SMS-based account hijacking vulnerability

Lucian Constantin | Dec. 5, 2012
Twitter has restricted the ability of attackers to post tweets and perform other actions on behalf of many users who have phone numbers associated with their accounts, but some users need to enable a PIN option in order to be protected.

However, it turns out that Twitter's fix does not automatically protect all users. Rudenberg was still able to demonstrate the vulnerability on a test account after Twitter said the vulnerability was addressed.

Twitter made changes that prevent users with phone numbers from mobile operators for which the company has a short code, to send commands through the long codes. This blocks the spoofing attack for a lot of users.

However, there are many mobile operators for which Twitter doesn't have a short code available. Users with phone numbers from those operators are allowed to send SMS commands through long codes. Those users can only associate their phone numbers with their accounts by using the long-code based process and not through the Twitter website.

Bogdan Alecu, an independent mobile security researcher, confirmed that users who are forced to use long codes are still vulnerable to account hijacking attacks via SMS spoofing.

Alecu performed a test using a phone number from an operator for which Twitter doesn't have a short code available. Sending an SMS with a spoofed origin through an SMS spoofing service doesn't cost more than 7 euro cents in Europe, he said.

"Users that use the long codes are vulnerable to spoofing, but can enable the PIN code feature," Rudenberg said Tuesday via email.

Twitter offers an option for every SMS command to be authenticated with a PIN. The option can be turned on and the PIN can be configured in the mobile section of the account settings on the Twitter website.

Rudenberg believes that hundreds of thousands of early Twitter users might have used the SMS feature, but never removed their phone numbers from their accounts when they later bought smartphones and started using Twitter's mobile apps.

"I also know a few people who use this feature for various reasons," he said. "I think that there are countries where smartphones don't have very high penetration that have users of this feature."

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.