Twitter security flaw uses text spoofing to hijack UK accounts

US accounts don't seem to be vulnerable to the bug.

Sponsored Links

Mariella Moon
December 30th, 2018

A Twitter security flaw gives hackers a way to post unauthorized tweets via text messaging, and British cybersecurity firm Insinia has proven its existence by hijacking some celebrities' accounts. The company was able to post tweets as other people without having to enter their passwords by spoofing their mobile numbers. It's easy to forget the feature if you have data and a smartphone, but Twitter still allows you to tweet via SMS. You simply have to link your digits to your account and then text what you want to post to a number Twitter designated for your country and carrier.

A Twitter spokesperson explained to The Guardian that the bug "allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing." It's not entirely clear what makes certain accounts susceptible to the bug, but as Gizmodo explains, Insinia was able to send out unauthorized tweets using "longcodes." See, Twitter uses two kinds of numbers for tweeting via SMS: longcodes and shortcodes. The former looks like a typical phone number, while the latter is just three to five digits. It's different for every country and, sometimes, every carrier -- the USA uses a shortcode (40404), for instance, while the UK uses both shortcodes and a longcode (+447624800379).

That spokesperson also announced that the social network already "resolved the bug," but Insinia said it was able to hijack accounts even after Twitter claimed that it rolled out a fix. While hackers won't be able to access DMs or personal details by exploiting this particular flaw, Insinia chief Mike Godfrey said his company conducted the experiment to show how text messaging should not be used to verify people's identities.

"We should not be using 50-year old technology," he explained. "It is massively flawed by design. Even someone completely unskilled could carry [out] this attack within half an hour. This took us 10 minutes."

Godfrey was also hoping that putting a spotlight on the issue would compel Twitter to issue a solution, seeing as this problem could be going on for a few years now. As Gizmodo noted, Twitter admitted that it suffered from an SMS spoofing vulnerability way back in 2012. This seems to be the exact same bug, or at least a very similar one. If you're in the US, though, you might not have to worry about randos tweeting for you: the company's spokesperson said Twitter doesn't "believe there is any significant risk to US-based account holders."

Popular on Engadget