Vulnerabilities / Threats
12/4/2012 09:23 AM
Twitter Users Vulnerable To SMS Spoofing Attack

Twitter vulnerability would allow attackers to post messages to targeted accounts. Similar flaw has already been addressed by Facebook and SMS payment provider Venmo.

Twitter users are vulnerable to an attack that would allow anyone to post messages to their Twitter feed or alter their account settings, provided the attacker knew the mobile phone number associated with the targeted user's account.

"Messages can then be sent to Twitter with the source number spoofed," according to a blog post from security researcher Jonathan Rudenberg, who discovered the vulnerability. "Like email, the originating address of a SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else’s number.

"Users of Twitter that have a mobile number associated with their account and have not set a PIN code are vulnerable," he said. Attackers would have full access to all Twitter SMS commands, including the ability to post tweets, reply to tweets, retweet messages, send direct messages to other Twitter users, and change the name and URL associated with a public profile.

Twitter has yet to fix the spoofing vulnerability, although Rudenberg said he notified Twitter of the flaw on August 17. "The issue I filed was initially inspected by a member of their security team, but was then routed to the normal support team who did not believe that SMS spoofing was possible," said Rudenberg. "I then reached out directly to someone on the security team who said that it was an 'old issue' but that they did not want me to publish until they got 'a fix in place.' I received no further communication from Twitter." After requesting an update in the middle of October, and hearing nothing further from Twitter, Rudenberg said he notified the company Wednesday that he would be publishing details of the vulnerability.

A spokesman for Twitter didn't immediately respond to an emailed request for comment about whether Twitter was working to fix the reported vulnerability, or when it might issue a fix or related security warning. But any Twitter user outside of the United States who has a mobile phone number associated with their account can mitigate the vulnerability by setting a PIN code on their Twitter device settings page. "Until Twitter removes the ability to post via non-short code numbers, users should enable PIN codes (if available in their region) or disable the mobile text messaging feature," said Rudenberg.

After setting a PIN code, the code must be used to begin any SMS message sent to Twitter, or else the message will be discarded. "This feature mitigates the issue, but is not available to users inside the United States," said Rudenberg.

According to Rudenberg, he discovered similar SMS spoofing vulnerabilities in both Facebook and the Venmo payment network, which was recently acquired by Braintree. Both of those sites, however, have addressed the issue.

Facebook took about three months to fix the spoofing vulnerability, although the process wasn't flawless. Rudenberg said he received no response to the first bug report that he filed, on August 19, so he reached out to a friend on the engineering team. By November 28, he was told that the issue had been resolved. "I will receive a bounty from Facebook for finding and reporting this issue to them," said Rudenberg. "The Facebook bounty program requires responsible disclosure and time to resolve internally in 'good faith' before publishing."

The award for fastest SMS spoofing vulnerability mitigation, however, goes to Braintree, which responded within 40 minutes of receiving Rudenberg's vulnerability notification. The following day, it informed him that the spoofing vulnerability had been mitigated by disabling users' ability to make payments via SMS.

What type of fix might Twitter put in place to block SMS spoofing attacks? The most elegant solution would be to have telecommunications carriers provide an SMS short code for sending SMS messages to Twitter. "In most cases, messages to short codes do not leave the carrier network and can only be sent by subscribers. This removes the ease of spoofing via SMS gateways," Rudenberg said.

Twitter could also request verification for every SMS message it receives. "An alternative, less user-friendly but more secure solution is to require a challenge-response for every message," Rudenberg said. "After receiving an SMS, the service would reply with a short alphanumeric string that needs to be repeated back before the message is processed."
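To make the two mitigations concrete, here is a small model of an SMS command service, written for this article as an added example (it is not Twitter's code and does not reflect Twitter's implementation). It contrasts the original design, in which the originating number alone selects the account, with the PIN prefix described earlier (the message must begin with the PIN or it is discarded, and an account with no PIN set stays exposed) and with the challenge-response scheme quoted above, where the confirmation string is sent to the real subscriber's phone and so never reaches someone who merely forged the originating address. All class names, phone numbers and message texts are constructed for the example.

```python
"""Toy inbound-SMS command service contrasting three designs:
sender-trusting, PIN prefix, and challenge-response.
Constructed example; phone numbers and formats are made up."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Sms:
    """An inbound text. 'sender' is whatever originating address the SMS
    gateway presented; like an email From: header, it is attacker-controlled."""
    sender: str
    body: str


@dataclass
class Account:
    handle: str
    phone: str
    pin: Optional[str] = None                  # None: no PIN set (the exposed state)
    timeline: List[str] = field(default_factory=list)


class SmsCommandService:
    def __init__(self, accounts: List[Account]):
        self.by_phone: Dict[str, Account] = {a.phone: a for a in accounts}
        self.outbox: Dict[str, List[str]] = {}             # phone -> texts we sent to it
        self.pending: Dict[str, Tuple[str, str]] = {}      # phone -> (challenge, body)

    def _send(self, phone: str, text: str) -> None:
        """Outbound SMS goes to the subscriber's real handset, not to the spoofer."""
        self.outbox.setdefault(phone, []).append(text)

    def post_trusting_sender(self, sms: Sms) -> str:
        """Original design: the originating number alone authorises the command."""
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return "ignored: unknown sender"
        acct.timeline.append(sms.body)
        return "posted"

    def post_with_pin(self, sms: Sms) -> str:
        """Mitigation 1: every message must begin with the account's PIN."""
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return "ignored: unknown sender"
        if acct.pin is None:
            # No PIN configured: the service can only fall back to trusting the sender.
            return self.post_trusting_sender(sms)
        pin, _, body = sms.body.partition(" ")
        if not secrets.compare_digest(pin.encode(), acct.pin.encode()):
            return "discarded: bad PIN"
        acct.timeline.append(body)
        return "posted"

    def post_with_challenge(self, sms: Sms) -> str:
        """Mitigation 2: reply with a one-time string that must be echoed back
        before the queued command is processed (one pending command per number)."""
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return "ignored: unknown sender"
        pending = self.pending.get(sms.sender)
        if pending is None:
            challenge = secrets.token_hex(3)            # short alphanumeric string
            self.pending[sms.sender] = (challenge, sms.body)
            self._send(acct.phone, f"Reply {challenge} to confirm: {sms.body}")
            return "challenge sent"
        challenge, body = pending
        if not secrets.compare_digest(sms.body.strip().encode(), challenge.encode()):
            return "discarded: challenge mismatch"     # keep waiting for the real owner
        del self.pending[sms.sender]
        acct.timeline.append(body)
        return "posted"


if __name__ == "__main__":
    svc = SmsCommandService([Account("victim", "+15550001", pin="1234")])
    forged = Sms(sender="+15550001", body="not really from me")   # spoofed originator
    print(svc.post_trusting_sender(forged))                        # posted
    print(svc.post_with_pin(forged))                               # discarded: bad PIN
    print(svc.post_with_challenge(forged))                         # challenge sent
    print(svc.outbox["+15550001"])                                 # only the handset sees this
```

The challenge variant shows why it is the more robust of the two: the PIN is a long-lived secret that travels in every message, whereas the challenge is fresh per command and is delivered out of band to the subscriber's handset, so a forged originating address on its own yields nothing to act on.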

Twitter account takeovers are far from unknown, although they can require some effort. Earlier this year, for example, to seize control of journalist Mat Honan's Twitter feed, a hacker named "Phobia" employed social engineering attacks on Amazon and Apple customer service staff, which allowed him to get access to Honan's Gmail account, which he'd linked to his Twitter feed. At that point, Phobia was able to take over Honan's Twitter account and post messages. While an attack using the SMS vulnerability wouldn't allow an attacker to seize full control of the account, it would be a much more direct way to post arbitrary messages to someone else's Twitter feed.

Comments
PJS880,
User Rank: Ninja
12/17/2012 | 8:39:25 AM
re: Twitter Users Vulnerable To SMS Spoofing Attack
Twitter is not going to post this to the public, especially with all the negative feedback in regards to security breaches in one form or another at other major sites. Kind of funny how pointing out a flaw in the system got routed to a normal support team member. From the various responses from people at Twitter it does not really sound like anyone knows what is going on over there. I cannot imagine that a hacked account could go that long without the user noticing fairly quickly.

Paul Sprague
InformationWeek Contributor
Mathew,
User Rank: Apprentice
12/5/2012 | 5:00:24 PM
re: Twitter Users Vulnerable To SMS Spoofing Attack
Twitter has now released a security bulletin outlining the issue, as well as the company's response.
John Foley,
User Rank: Apprentice
12/4/2012 | 10:15:42 PM
re: Twitter Users Vulnerable To SMS Spoofing Attack
I clicked on the Rudenberg blog post linked to this story, and there's an update that says Twitter has fixed the issue for users of short codes. Nevertheless, it's worrisome that it took the company 109 days from the time it was notified until it finally dealt with it. Companies don't like it when their vulnerabilities are exposed, but in this case, public disclosure seems to have worked. John Foley, InformationWeek