If you use Twitter and have your account set up to tweet via SMS, this story will likely be of particular interest to you. A new vulnerability has been revealed that allows an attacker to post directly to an account so long as they know the mobile number associated with said Twitter account.
A team of researchers recently posted about the vulnerability, which affected not only Twitter users but Facebook and Venmo customers as well. The group noted in a blog post that the latter two companies have since resolved the issue after it was disclosed to their respective security teams.
The problem is that the originating address of an SMS cannot be trusted, just like with email. This means an attacker can spoof the source number sent to Twitter, provided you haven’t set a PIN code first. All of the Twitter SMS commands can be used by a third party, such as posting tweets and even modifying profile information. The vulnerability isn’t limited to a particular service provider, either.
The team suggests that until Twitter removes the ability to post via non-short-code numbers, users should either disable posting from SMS or enable the PIN code if it is available in their region. The PIN code feature requires the user to enter a four-digit alphanumeric code each time a tweet is submitted. We’re told it’s not available to users within the US, however.
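To make the flaw and the PIN mitigation concrete, here is an added example (not code from the researchers' post or from Twitter) that models an inbound SMS command gateway. The account handles, phone numbers and PIN are constructed; the first gateway authenticates on the spoofable From number alone, the second requires the PIN described above in front of every command.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Account:
    handle: str
    pin: Optional[str] = None   # None: the user never enabled the PIN feature
    name: str = ""
    tweets: List[str] = field(default_factory=list)

def sample_accounts() -> Dict[str, Account]:
    """Constructed accounts keyed by phone number (not real users or numbers)."""
    return {"+15550001111": Account("alice"),
            "+15550002222": Account("bob", pin="7Q4K")}

def run_command(account: Account, text: str) -> str:
    """Apply an SMS command: 'NAME <new name>' edits the profile, anything else is a tweet."""
    if text.upper().startswith("NAME "):
        account.name = text[5:].strip()
        return f"@{account.handle}: name set to {account.name!r}"
    account.tweets.append(text)
    return f"@{account.handle}: tweeted {text!r}"

def gateway_trusting_sender(accounts: Dict[str, Account], sender: str, body: str) -> str:
    """Weak design: the From number is the only check. Carriers do not verify it,
    so a message with a spoofed From is indistinguishable from the real user's."""
    account = accounts.get(sender)
    if account is None:
        return "rejected: unknown sender"
    return run_command(account, body)

def gateway_requiring_pin(accounts: Dict[str, Account], sender: str, body: str) -> str:
    """Hardened design: the From number only selects the account; the message must
    start with the account's PIN, which a sender-spoofing attacker does not know."""
    account = accounts.get(sender)
    if account is None:
        return "rejected: unknown sender"
    if account.pin is None:
        # mirrors the advice above: without a PIN, SMS posting should be off
        return "rejected: PIN not enabled, SMS commands disabled"
    pin, _, text = body.partition(" ")
    # constant-time compare so response timing does not leak PIN characters
    if not hmac.compare_digest(pin.encode(), account.pin.encode()) or not text.strip():
        return "rejected: bad PIN or empty command"
    return run_command(account, text.strip())
```

Feeding both gateways a message whose From field is set to alice's number shows the difference: the first posts it and even rewrites her profile name, the second refuses unless the PIN is present.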
Interestingly enough, the disclosure timeline given in the blog post doesn’t paint a pretty picture for Twitter. Facebook took just over three months to fix the issue and even provided a bounty (monetary reward starting at a minimum of $500) for the tip. Venmo responded promptly and fixed the issue within a day.
Twitter, on the other hand, was first notified about the issue on August 17. They asked the group on September 6 not to publish their findings until the issue was fixed. No further update came from Twitter, even after it was notified that the issue would be publicly disclosed.