"Messages can then be sent to Twitter with the source number spoofed," according to a blog post from security researcher Jonathan Rudenberg, who discovered the vulnerability. "Like email, the originating address of a SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else’s number.
"Users of Twitter that have a mobile number associated with their account and have not set a PIN code are vulnerable," he said. Attackers would have full access to all Twitter SMS commands, including the ability to post tweets, reply to tweets, retweet messages, send direct messages to other Twitter users, and change the name and URL associated with a public profile.
Twitter has yet to fix the spoofing vulnerability, although Rudenberg said he notified Twitter of the flaw on August 17. "The issue I filed was initially inspected by a member of their security team, but was then routed to the normal support team who did not believe that SMS spoofing was possible," said Rudenberg. "I then reached out directly to someone on the security team who said that it was an 'old issue' but that they did not want me to publish until they got 'a fix in place.' I received no further communication from Twitter." After requesting an update in the middle of October, and hearing nothing further from Twitter, Rudenberg said he notified the company Wednesday that he would be publishing details of the vulnerability.
A spokesman for Twitter didn't immediately respond to an emailed request for comment about whether Twitter was working to fix the reported vulnerability, or when it might issue a fix or related security warning. But any Twitter user outside of the United States who has a mobile phone number associated with their account can mitigate the vulnerability by setting a PIN code on their Twitter device settings page. "Until Twitter removes the ability to post via non-short code numbers, users should enable PIN codes (if available in their region) or disable the mobile text messaging feature," said Rudenberg.
After setting a PIN code, the code must be used to begin any SMS message sent to Twitter, or else the message will be discarded. "This feature mitigates the issue, but is not available to users inside the United States," said Rudenberg.
Rudenberg said he also discovered similar SMS spoofing vulnerabilities in Facebook and in the Venmo payment network, which was recently acquired by Braintree. Both of those sites, however, have since addressed the issue.
Facebook took about three months to fix the spoofing vulnerability, although the process wasn't flawless. Rudenberg said he received no response to the first bug report that he filed, on August 19, so he reached out to a friend on the engineering team. By November 28, he was told that the issue had been resolved. "I will receive a bounty from Facebook for finding and reporting this issue to them," said Rudenberg. "The Facebook bounty program requires responsible disclosure and time to resolve internally in 'good faith' before publishing."
The award for fastest SMS spoofing vulnerability mitigation, however, goes to Braintree, which responded within 40 minutes of receiving Rudenberg's vulnerability notification. The following day, it informed him that the spoofing vulnerability had been mitigated by disabling users' ability to make payments via SMS.
What type of fix might Twitter put in place to block SMS spoofing attacks? The most elegant solution would be to have telecommunications carriers provide an SMS short code for sending SMS messages to Twitter. "In most cases, messages to short codes do not leave the carrier network and can only be sent by subscribers. This removes the ease of spoofing via SMS gateways," Rudenberg said.
Twitter could also request verification for every SMS message it receives. "An alternative, less user-friendly but more secure solution is to require a challenge-response for every message," Rudenberg said. "After receiving an SMS, the service would reply with a short alphanumeric string that needs to be repeated back before the message is processed."
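To make the three policies concrete, here is an added Python model of an SMS command endpoint; it is illustrative code written for this article, not Twitter's, Facebook's or Rudenberg's. It compares acting on the reported originating number alone (the vulnerable behaviour), the PIN-prefix mitigation described earlier, and the challenge-response design Rudenberg proposes. The account table, phone numbers, PINs, message texts and the six-character challenge format are all constructed assumptions; the carrier-side short-code fix is not modeled because it lives outside the service.

```python
import hmac
import secrets

# Constructed sample data (not real numbers or PINs): phone number -> account record.
ACCOUNTS = {
    "+15550100": {"handle": "alice", "pin": "4821"},
    "+15550101": {"handle": "bob", "pin": None},  # bob never set a PIN
}


class SmsCommandService:
    """Toy model of a service that accepts commands by SMS.

    mode selects the policy under test:
      "trust_sender" - act on the reported originating number alone (vulnerable)
      "pin"          - message must begin with the account's PIN (the non-US mitigation)
      "challenge"    - reply with a one-time code that must be echoed back first
    """

    def __init__(self, mode="trust_sender"):
        self.mode = mode
        self.posts = []      # (handle, text) accepted as posts
        self.outbound = []   # (to_number, text) replies the service sends
        self.pending = {}    # number -> (challenge_code, queued text)

    def receive(self, sender, text):
        """Process one inbound SMS. `sender` is whatever originating address the
        gateway handed us; as the article explains, a spoofer controls it."""
        account = ACCOUNTS.get(sender)
        if account is None:
            return "unknown sender"
        handler = {
            "trust_sender": self._trust_sender,
            "pin": self._require_pin,
            "challenge": self._challenge_response,
        }[self.mode]
        return handler(sender, account, text)

    def _post(self, account, text):
        self.posts.append((account["handle"], text))
        return "posted"

    def _trust_sender(self, sender, account, text):
        # The originating address is the only credential: spoofed == authentic.
        return self._post(account, text)

    def _require_pin(self, sender, account, text):
        pin = account["pin"]
        if pin is None:
            # No PIN configured: same exposure as trust_sender.
            return self._post(account, text)
        code, _, body = text.partition(" ")
        # Constant-time compare so the check does not leak which digits matched.
        if not hmac.compare_digest(code.encode(), pin.encode()):
            return "discarded"
        return self._post(account, body)

    def _challenge_response(self, sender, account, text):
        pending = self.pending.get(sender)
        if pending is not None:
            code, queued_text = pending
            if hmac.compare_digest(text.strip().encode(), code.encode()):
                del self.pending[sender]
                return self._post(account, queued_text)
            return "discarded"
        # First contact: queue the command and send a one-time code to the number
        # on file. Someone who merely forged `sender` never receives this reply.
        code = secrets.token_hex(3)  # 6 hex characters, a constructed format
        self.pending[sender] = (code, text)
        self.outbound.append((sender, f"Reply with {code} to confirm your message"))
        return "challenge sent"


def spoofing_scenario(mode):
    """A message arrives with alice's number as the (forged) originating address.
    Returns (result string, list of texts accepted under alice's handle)."""
    svc = SmsCommandService(mode)
    result = svc.receive("+15550100", "this text was never sent by alice")
    return result, [t for h, t in svc.posts if h == "alice"]


def legitimate_pin_scenario():
    svc = SmsCommandService("pin")
    return svc.receive("+15550100", "4821 hello world"), svc.posts


def legitimate_challenge_scenario():
    svc = SmsCommandService("challenge")
    svc.receive("+15550100", "hello world")
    to_number, reply = svc.outbound[-1]   # delivered to the number on file
    code = reply.split()[2]               # the real subscriber reads it off the phone
    return svc.receive(to_number, code), svc.posts
```

Running the scenarios shows the difference the article describes: under `trust_sender` the forged message is posted as alice; under `pin` it is discarded unless the sender also knows the PIN, and an account with no PIN (bob) stays as exposed as before; under `challenge` the forged message is parked and the confirmation code goes to the number on file, so only the real subscriber can complete the round trip.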
Twitter account takeovers are far from unknown, although they can require some effort. Earlier this year, for example, to seize control of journalist Mat Honan's Twitter feed, a hacker named "Phobia" employed social engineering attacks on Amazon and Apple customer service staff, which allowed him to get access to Honan's Gmail account, which he'd linked to his Twitter feed. At that point, Phobia was able to take over Honan's Twitter account and post messages. While an attack using the SMS vulnerability wouldn't allow an attacker to seize full control of the account, it would be a much more direct way to post arbitrary messages to someone else's Twitter feed.