Twitter Users Vulnerable To SMS Spoofing Attack

Published: 22/11/2024   Category: security


A Twitter vulnerability would allow attackers to post messages to targeted accounts. A similar flaw has already been addressed by Facebook and by the SMS payment provider Venmo.



Twitter users are vulnerable to an attack that would allow anyone to post messages to their Twitter feed or alter their account settings, provided the attacker knew the mobile phone number associated with the targeted user's account.
Messages can then be sent to Twitter with the source number spoofed, according to a blog post from security researcher Jonathan Rudenberg, who discovered the vulnerability. Like email, the originating address of an SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else's number.
Users of Twitter that have a mobile number associated with their account and have not set a PIN code are vulnerable, he said. Attackers would have full access to all Twitter SMS commands, including the ability to post tweets, reply to tweets, retweet messages, send direct messages to other Twitter users, and change the name and URL associated with a public profile.
Twitter has yet to fix the spoofing vulnerability, although Rudenberg said he notified Twitter of the flaw on August 17. "The issue I filed was initially inspected by a member of their security team, but was then routed to the normal support team who did not believe that SMS spoofing was possible," said Rudenberg. "I then reached out directly to someone on the security team who said that it was an old issue but that they did not want me to publish until they got a fix in place. I received no further communication from Twitter." After requesting an update in the middle of October, and hearing nothing further from Twitter, Rudenberg said he notified the company Wednesday that he would be publishing details of the vulnerability.
A spokesman for Twitter didn't immediately respond to an emailed request for comment about whether Twitter was working to fix the reported vulnerability, or when it might issue a fix or related security warning. But any Twitter user outside of the United States who has a mobile phone number associated with their account can mitigate the vulnerability by setting a PIN code on their Twitter device settings page. "Until Twitter removes the ability to post via non-short code numbers, users should enable PIN codes (if available in their region) or disable the mobile text messaging feature," said Rudenberg.
After setting a PIN code, the code must be used to begin any SMS message sent to Twitter, or else the message will be discarded. "This feature mitigates the issue, but is not available to users inside the United States," said Rudenberg.
According to Rudenberg, he discovered similar SMS spoofing vulnerabilities in both Facebook and the Venmo payment network, which was recently acquired by Braintree. Both of those sites, however, have addressed the issue.
Facebook took about three months to fix the spoofing vulnerability, although the process wasn't flawless. Rudenberg said he received no response to the first bug report that he filed, on August 19, so he reached out to a friend on the engineering team. By November 28, he was told that the issue had been resolved. "I will receive a bounty from Facebook for finding and reporting this issue to them," said Rudenberg. "The Facebook bounty program requires responsible disclosure and time to resolve internally in good faith before publishing."
The award for fastest SMS spoofing vulnerability mitigation, however, goes to Braintree, which responded within 40 minutes of receiving Rudenberg's vulnerability notification. The following day, it informed him that the spoofing attack had been mitigated by the site disabling users' ability to make payments via SMS.
What type of fix might Twitter put in place to block SMS spoofing attacks? The most elegant solution would be to have telecommunications carriers provide an SMS short code for sending SMS messages to Twitter. "In most cases, messages to short codes do not leave the carrier network and can only be sent by subscribers. This removes the ease of spoofing via SMS gateways," Rudenberg said.
Twitter could also request verification for every SMS message it receives. "An alternative, less user-friendly but more secure solution is to require a challenge-response for every message," Rudenberg said. "After receiving an SMS, the service would reply with a short alphanumeric string that needs to be repeated back before the message is processed."
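The three designs discussed above (a gateway that trusts the SMS source number, the PIN-prefix mitigation, and the challenge-response alternative) can be shown side by side in a small simulation. The following is an added example written for this page, not code from the article or from Twitter; the phone numbers, account table, command names and message formats are all constructed, and the handler classes are a toy model of a command gateway rather than any real service's implementation.

```python
# Added example (not from the article or from Twitter's own code): a toy SMS
# command gateway that shows why trusting the originating number is unsafe,
# beside the two mitigations the article describes (PIN prefix, and a
# challenge-response round trip). Phone numbers, account records and the
# command vocabulary below are constructed for the demonstration.
import hmac
import secrets
import string

# Constructed account table: originating number -> account. Not real data.
ACCOUNTS = {
    "+15555550100": {"handle": "alice", "pin": None},    # PIN not set
    "+15555550101": {"handle": "bob", "pin": "8472"},    # PIN enabled
}

# Assumed subset of an SMS command vocabulary; anything else is a tweet.
COMMANDS = ("d", "set", "follow", "stop")


def parse_command(body):
    """Split a raw SMS body into (command, argument); bare text is a tweet."""
    body = body.strip()
    head, _, rest = body.partition(" ")
    if head.lower() in COMMANDS:
        return head.lower(), rest
    return "tweet", body


class VulnerableGateway:
    """Accepts the SMS originating address as proof of identity. Any SMS
    gateway that lets the sender set an arbitrary source number defeats it."""

    def __init__(self):
        self.posted = []   # (handle, command, argument) actions carried out

    def handle(self, source_number, body):
        acct = ACCOUNTS.get(source_number)
        if acct is None:
            return "unknown number"
        self.posted.append((acct["handle"], *parse_command(body)))
        return "ok"


class PinGateway(VulnerableGateway):
    """PIN mitigation: the body must start with the account's PIN or the
    message is discarded. An account with no PIN set stays exposed."""

    def handle(self, source_number, body):
        acct = ACCOUNTS.get(source_number)
        if acct is None:
            return "unknown number"
        if acct["pin"] is not None:
            supplied, _, body = body.strip().partition(" ")
            # Constant-time comparison so the check itself cannot leak the PIN.
            if not hmac.compare_digest(supplied.encode(), acct["pin"].encode()):
                return "discarded"
        self.posted.append((acct["handle"], *parse_command(body)))
        return "ok"


class ChallengeGateway(VulnerableGateway):
    """Challenge-response mitigation: the service queues the message, texts a
    one-time code to the number, and acts only when that code comes back.
    A spoofer who controls only the source address never sees the code."""

    ALPHABET = string.ascii_uppercase + string.digits

    def __init__(self):
        super().__init__()
        self.pending = {}   # source_number -> (challenge, queued body)
        self.outbox = []    # (destination number, text) sent by the service

    def handle(self, source_number, body):
        acct = ACCOUNTS.get(source_number)
        if acct is None:
            return "unknown number"
        if source_number in self.pending:
            challenge, queued = self.pending.pop(source_number)
            reply = body.strip().upper().encode()
            if not hmac.compare_digest(reply, challenge.encode()):
                return "discarded"   # wrong code: drop the queued message
            self.posted.append((acct["handle"], *parse_command(queued)))
            return "ok"
        challenge = "".join(secrets.choice(self.ALPHABET) for _ in range(6))
        self.pending[source_number] = (challenge, body)
        # Echo the queued text so a user who never sent it can simply ignore
        # an unexpected prompt instead of confirming an attacker's message.
        self.outbox.append((source_number, f"Reply {challenge} to send: {body}"))
        return "challenge sent"


if __name__ == "__main__":
    spoofed = "+15555550100"    # alice's number, set by the attacker's gateway
    for cls in (VulnerableGateway, PinGateway, ChallengeGateway):
        gw = cls()
        print(cls.__name__, gw.handle(spoofed, "I've been hacked"), gw.posted)
```

Running the script shows the spoofed message posted by VulnerableGateway, posted again by PinGateway because alice has no PIN (the exposure the article describes for accounts without one), and merely queued by ChallengeGateway, where the confirmation code is texted to the real handset and the attacker never sees it. The prompt includes the queued text on purpose: without it, an unexpected "reply with this code" message could trick the legitimate owner into confirming an attacker's post.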
Twitter account takeovers are far from unknown, although they can require some effort. Earlier this year, for example, to seize control of journalist Mat Honan's Twitter feed, a hacker named Phobia employed social engineering attacks on Amazon and Apple customer service staff, which allowed him to get access to Honan's Gmail account, which he'd linked to his Twitter feed. At that point, Phobia was able to take over Honan's Twitter account and post messages. While an attack using the SMS vulnerability wouldn't allow an attacker to seize full control of the account, it would be a much more direct way to post arbitrary messages to someone else's Twitter feed.
