Vulnerabilities / Threats
12/4/2012
09:23 AM

Twitter Users Vulnerable To SMS Spoofing Attack

Twitter vulnerability would allow attackers to post messages to targeted accounts. Similar flaw has already been addressed by Facebook and SMS payment provider Venmo.

Twitter users are vulnerable to an attack that would allow anyone to post messages to their Twitter feed or alter their account settings, provided the attacker knew the mobile phone number associated with the targeted user's account.

"Messages can then be sent to Twitter with the source number spoofed," according to a blog post from security researcher Jonathan Rudenberg, who discovered the vulnerability. "Like email, the originating address of a SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else’s number.

"Users of Twitter that have a mobile number associated with their account and have not set a PIN code are vulnerable," he said. Attackers would have full access to all Twitter SMS commands, including the ability to post tweets, reply to tweets, retweet messages, send direct messages to other Twitter users, and change the name and URL associated with a public profile.

Twitter has yet to fix the spoofing vulnerability, although Rudenberg said he notified Twitter of the flaw on August 17. "The issue I filed was initially inspected by a member of their security team, but was then routed to the normal support team who did not believe that SMS spoofing was possible," said Rudenberg. "I then reached out directly to someone on the security team who said that it was an 'old issue' but that they did not want me to publish until they got 'a fix in place.' I received no further communication from Twitter." After requesting an update in the middle of October, and hearing nothing further from Twitter, Rudenberg said he notified the company Wednesday that he would be publishing details of the vulnerability.

[ Can the government help improve security? Read DARPA Looks For Backdoors, Malware In Tech Products. ]

A spokesman for Twitter didn't immediately respond to an emailed request for comment about whether Twitter was working to fix the reported vulnerability, or when it might issue a fix or related security warning. But any Twitter user outside of the United States who has a mobile phone number associated with their account can mitigate the vulnerability by setting a PIN code on their Twitter device settings page. "Until Twitter removes the ability to post via non-short code numbers, users should enable PIN codes (if available in their region) or disable the mobile text messaging feature," said Rudenberg.

After setting a PIN code, the code must be used to begin any SMS message sent to Twitter, or else the message will be discarded. "This feature mitigates the issue, but is not available to users inside the United States," said Rudenberg.

According to Rudenberg, he discovered similar SMS spoofing vulnerabilities in both Facebook and the Venmo payment network, which was recently acquired by Braintree. Both of those sites, however, have addressed the issue.

Facebook took about three months to fix the spoofing vulnerability, although the process wasn't flawless. Rudenberg said he received no response to the first bug report that he filed, on August 19, so he reached out to a friend on the engineering team. By November 28, he was told that the issue had been resolved. "I will receive a bounty from Facebook for finding and reporting this issue to them," said Rudenberg. "The Facebook bounty program requires responsible disclosure and time to resolve internally in 'good faith' before publishing."

The award for fastest SMS spoofing vulnerability mitigation, however, goes to Braintree, which responded within 40 minutes of receiving Rudenberg's vulnerability notification. The following day, it informed him that the spoofing vulnerability had been mitigated by the site disabling users' ability to make payments via SMS.

What type of fix might Twitter put in place to block SMS spoofing attacks? The most elegant solution would be to have telecommunications carriers provide an SMS short code for sending SMS messages to Twitter. "In most cases, messages to short codes do not leave the carrier network and can only be sent by subscribers. This removes the ease of spoofing via SMS gateways," Rudenberg said.

Twitter could also request verification for every SMS message it receives. "An alternative, less user-friendly but more secure solution is to require a challenge-response for every message," Rudenberg said. "After receiving an SMS, the service would reply with a short alphanumeric string that needs to be repeated back before the message is processed."
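To make the two defenses discussed above concrete (the PIN prefix Twitter offers outside the U.S., and the challenge-response Rudenberg proposes), here is an added, self-contained model of an SMS-command service. It is illustrative code written for this article, not Twitter's or Rudenberg's implementation; the account handle, phone number, PIN and message text are constructed sample values. The key point it shows is why each defense works: a spoofer controls the source number the gateway reports, but not the PIN, and cannot read the confirmation SMS that the service sends to the real phone.

```python
"""Model of an SMS-command service with a PIN prefix and challenge-response.

Added example for this article; not Twitter's or Rudenberg's code.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    handle: str                # e.g. "@victim" (constructed sample value)
    phone: str                 # mobile number on file (constructed sample value)
    pin: Optional[str] = None  # PIN the user set; None means "no PIN" (the vulnerable state)


class SmsCommandService:
    """Turns inbound SMS from a gateway into account actions."""

    def __init__(self, accounts, require_challenge=False):
        self.by_phone = {a.phone: a for a in accounts}
        self.require_challenge = require_challenge
        self.pending = {}   # phone -> (challenge token, queued command)
        self.outbox = []    # (to_phone, text): SMS the service sends back
        self.posted = []    # (handle, text): commands that were actually executed

    def receive(self, source, body):
        """Process one inbound SMS.

        `source` is the originating number as the gateway reported it. As the
        article notes, a gateway can set this to any value, so on its own it
        proves nothing about who sent the message.
        """
        acct = self.by_phone.get(source)
        if acct is None:
            return "ignored: unknown number"

        # Defense 1: PIN prefix. The message must begin with the account's PIN,
        # which the spoofer does not know. Constant-time compare avoids leaking
        # the PIN through timing; a wrong or missing PIN discards the message.
        if acct.pin is not None:
            parts = body.split(maxsplit=1)
            if len(parts) != 2 or not hmac.compare_digest(
                parts[0].encode(), acct.pin.encode()
            ):
                return "rejected: missing or wrong PIN"
            body = parts[1]

        # Defense 2: challenge-response. The command is queued and a random token
        # is sent to the number on file; only the holder of that phone can echo
        # it back, so a spoofed message never gets past this point.
        if self.require_challenge:
            pending = self.pending.get(source)
            if pending is not None and hmac.compare_digest(
                body.strip().encode(), pending[0].encode()
            ):
                del self.pending[source]
                return self._execute(acct, pending[1])
            token = secrets.token_hex(3)  # short alphanumeric string, as in the article
            self.pending[source] = (token, body)
            self.outbox.append((source, f"Reply {token} to confirm: {body}"))
            return "challenge sent"

        return self._execute(acct, body)

    def _execute(self, acct, body):
        """Stand-in for posting a tweet, sending a DM, etc."""
        self.posted.append((acct.handle, body))
        return "posted"


def spoofing_scenario(pin=None, require_challenge=False):
    """Constructed scenario: a message arrives whose source number is the
    victim's, as a spoofing gateway would present it. Returns the service
    and the result of that single message."""
    victim = Account("@victim", "+15550001111", pin)
    svc = SmsCommandService([victim], require_challenge)
    result = svc.receive(victim.phone, "I did not write this")
    return svc, result


if __name__ == "__main__":
    for label, kwargs in [("no PIN", {}), ("PIN set", {"pin": "4821"}),
                          ("challenge-response", {"require_challenge": True})]:
        svc, result = spoofing_scenario(**kwargs)
        print(f"{label}: {result}; executed commands: {svc.posted}")
```

Running the scenario three ways shows the vulnerable case (no PIN, no challenge: the spoofed message is posted), the PIN case (rejected outright), and the challenge case (nothing is posted until the token sent to the real phone comes back). The two defenses compose: with both enabled, a legitimate reply is `<PIN> <token>`.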

Twitter account takeovers are far from unknown, although they can require some effort. Earlier this year, for example, to seize control of journalist Mat Honan's Twitter feed, a hacker named "Phobia" employed social engineering attacks on Amazon and Apple customer service staff, which allowed him to get access to Honan's Gmail account, which he'd linked to his Twitter feed. At that point, Phobia was able to take over Honan's Twitter account and post messages. While an attack using the SMS vulnerability wouldn't allow an attacker to seize full control of the account, it would be a much more direct way to post arbitrary messages to someone else's Twitter feed.

Comments
PJS880
PJS880,
User Rank: Ninja
12/17/2012 | 8:39:25 AM
re: Twitter Users Vulnerable To SMS Spoofing Attack
Twitter is not going to post this to the public, especially with all the negative feedback in regards to security breaches in one form or another for other major sites. Kind of funny how pointing out a flaw in the system got routed to a normal support team member. From the various responses from people at Twitter it does not really sound like anyone knows what is going on over there. I cannot imagine that a hacked account could go that long without the user noticing fairly quickly.

Paul Sprague
InformationWeek Contributor
Mathew
Mathew,
User Rank: Apprentice
12/5/2012 | 5:00:24 PM
re: Twitter Users Vulnerable To SMS Spoofing Attack
Twitter has now released a security bulletin outlining the issue, as well as the company's response.
John Foley
John Foley,
User Rank: Apprentice
12/4/2012 | 10:15:42 PM
re: Twitter Users Vulnerable To SMS Spoofing Attack
I clicked on the Rudenberg blog post linked to this story, and there's an update that says Twitter has fixed the issue for users of short codes. Nevertheless, it's worrisome that it took the company 109 days from the time it was notified until it finally dealt with it. Companies don't like it when their vulnerabilities are exposed, but in this case, public disclosure seems to have worked. John Foley, InformationWeek