There is a vulnerability cyber criminals can take advantage of to attack Twitter users.
An attacker only needs to know the mobile phone number associated with the target’s Twitter account, said security researcher Jonathan Rudenberg. Twitter said it addressed the vulnerability.
If the victim has enabled Twitter's SMS service and has not set a PIN code, the attacker can publish posts on the victim's account by sending messages from a spoofed number.
Some SMS gateways allow the sender's address to be set to an arbitrary identifier, Rudenberg said. Much as with email messages, an attacker can spoof the sender so that a text appears to come from a specific number.
“All of the Twitter SMS commands can be used by an attacker, including the ability to post tweets and modify profile info,” Rudenberg said.
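The flaw described above is an authentication design error: the service trusts the SMS sender header, which a gateway can forge, as proof of identity. The following added example (not code from Twitter or from Rudenberg's report) contrasts that weak command handler with one that requires a per-account PIN in every command and refuses commands from accounts that never set one; the accounts, numbers and PINs are constructed sample data.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    handle: str
    phone: str               # phone number linked for SMS commands
    sms_pin: Optional[str]   # None means the user never set a PIN


# Constructed sample accounts (hypothetical, not real users).
ACCOUNTS = {
    "+15550001111": Account("alice", "+15550001111", sms_pin=None),
    "+15550002222": Account("bob", "+15550002222", sms_pin="4821"),
}


def handle_sms_weak(sender: str, body: str) -> Optional[str]:
    """Weak pattern: the sender header alone authenticates the account.

    Any message whose sender header matches a linked number is accepted,
    whether or not that header is genuine. Returns the post that would be
    published, or None if no account is linked to the number.
    """
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return None
    return f"{acct.handle}: {body}"


# "<pin> <command>": a 4-8 digit PIN, whitespace, then the command text.
PIN_CMD = re.compile(r"^(\d{4,8})\s+(.+)$", re.S)


def handle_sms_hardened(sender: str, body: str) -> Optional[str]:
    """Hardened pattern: the phone number is only a lookup key; the PIN is
    the secret that authenticates the command. Accounts without a PIN get
    no SMS command access at all, so a forged header alone achieves nothing.
    """
    acct = ACCOUNTS.get(sender)
    if acct is None or acct.sms_pin is None:
        return None
    m = PIN_CMD.match(body)
    if not m:
        return None
    pin, command = m.groups()
    # Constant-time comparison so the PIN check does not leak timing information.
    if not hmac.compare_digest(pin.encode(), acct.sms_pin.encode()):
        return None
    return f"{acct.handle}: {command}"
```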
Rudenberg said Facebook and Venmo also suffered from the issue, but both addressed the bug after he reported the flaw to their security teams. Twitter received notice on August 17 and has only now addressed the vulnerability.
Facebook patched the vulnerability November 28 and Venmo December 1. Venmo received notice November 29, Rudenberg said.
These types of vulnerabilities affect not just social media platforms but other services as well, said Bogdan Alecu, a Romanian researcher who specializes in mobile security.
“The first time I joined Twitter I noticed it was possible to send tweets via text messages and my first thought was ‘Well this is something that could be exploited by spoofing the sender.’ However I haven’t tried to see if this actually works,” he said.
“The problem is not only with Twitter, but also with other services (even banks) that authenticate the user based only on the phone number. It’s like just knowing someone’s username, no password needed, while in this case it’s even easier as people do not consider their phone number as something private.”