TechSpot means tech analysis and advice you can trust. Read our ethics statement.
If you use Twitter and have your account set up to tweet via SMS, this story will likely be of particular interest to you. A new vulnerability has been revealed that allows an attacker to post directly to an account so long as they know the mobile number associated with said Twitter account.
A team of researchers recently posted about the vulnerability that not only affected Twitter users, but Facebook and Venmo customers as well. The group noted in a blog post that the two latter companies have since resolved the issue after it was disclosed to their respective security teams.
The problem is that the originating address of a SMS cannot be trusted, just like with email. This means an attacker can spoof the source number sent to Twitter granted you haven't set a PIN code first. All of the Twitter SMS commands can be used by a third party such as posting tweets and even modifying profile information. The vulnerability isn't limited to a particular service provider, either.
The team suggests that until Twitter removes the ability to post via non-short code numbers, users should either disable posting from SMS or enable the PIN code if available in your region. The PIN code feature requires the user to enter a four digit alphanumeric code each time a tweet is submitted. We're told it's not available to users within the US, however.
Interestingly enough, the disclosure timeline given in the blog post doesn't paint a pretty picture for Twitter. Facebook took just over three months to fix the issue and even providing a bounty (monetary reward starting at a minimum of $500) for the tip. Venmo responded promptly and fixed the issue within a day.
Twitter, on the other hand, was first notified about the issue on August 17. They asked the group on September 6 not to publish their findings until the issue was fixed. No further update was given from Twitter even after being notified that the issue would be publically disclosed.