Establishing Digital Trust: Don't Sacrifice Security for Convenience
After security researcher Jonathan Rudenberg uncovered a flaw that allows attackers to post to anyone's Twitter profile via SMS, Twitter has announced a fix -- but it hasn't completely resolved the problem.
"In order for the vulnerability to be exploited, victims must have SMS tweeting authorized on their accounts," writes CNET News' Don Reisinger. "From there, the would-be poster needs only to spoof their actual mobile number through an SMS gateway -- something Rudenberg says can be done very easily -- and then post a message. Twitter also lets folks change profile settings through SMS, leaving that information open to hacking as well."
"Rudenberg said that Twitter users in the U.S. are especially vulnerable to this issue because they don't have the option of using a feature that pre-pends four-digit PIN codes to users' SMS commands," writes Threatpost's Dennis Fisher. "That system helps identify the commands as coming from the owner of the Twitter account. Rudenberg said users outside the U.S. should enable the PIN code option."
"Twitter made changes that prevent users with phone numbers from mobile operators for which the company has a short code, to send commands through the long codes," writes Computerworld's Lucian Constantin. "This blocks the spoofing attack for a lot of users. However, there are many mobile operators for which Twitter doesn't have a short code available. Users with phone numbers from those operators are allowed to send SMS commands through long codes."