Twitter, Facebook affected by SMS spoofing flaw
Users who send and receive Twitter messages via text message from their mobile phone are vulnerable to a weakness that could allow anyone to post a tweet to their account, according to a developer and security researcher who discovered the flaw.
Jonathan Rudenberg said in a blog post on Monday that all the attacker needs to know is the target's cell phone number. Then they can spoof the originating address of the text message, or SMS,
"Like email, the originating address of [an] SMS cannot be trusted," Rudenberg wrote. "Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else's number."
Users are affected only if they use long codes to tweet by text message. They are protected if they have enabled PIN codes to validate their SMS tweets, though that feature is not available to people inside the United States.
"The cleanest solution for providers is to use only an SMS short code to receive incoming messages," Rudenberg wrote. "In most cases, messages to short codes do not leave the [mobile phone] carrier network and can only be sent by subscribers. This removes the ease of spoofing via SMS gateways."
He also suggested that services like Twitter implement challenge-response questions, which, for example, could require the sender to repeat back a "short alphanumeric string" to confirm that they are the one who sent the tweet.
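To make the three mitigations concrete (short-code-only trust, PIN validation for long codes, and a challenge-response fallback), here is an added example of an inbound SMS command handler written from the service operator's side. It is illustrative code, not Rudenberg's or Twitter's; the numbers, account data and the `SmsCommandHandler`, `Inbound` and `Account` names are all constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example values: the service's own inbound numbers.
# Per the article, messages to a short code normally stay inside the carrier
# network, so the sender address on those is treated as trustworthy; the
# long code is reachable from arbitrary SMS gateways and is not.
SHORT_CODES = {"40404"}
LONG_CODES = {"+15550100000"}


@dataclass
class Account:
    phone: str
    pin: Optional[str] = None          # PIN feature enabled only when set
    posts: List[str] = field(default_factory=list)


@dataclass
class Inbound:
    to: str       # number the message arrived on
    sender: str   # claimed originating address; spoofable on long codes
    body: str


class SmsCommandHandler:
    def __init__(self, accounts: List[Account]):
        self.accounts: Dict[str, Account] = {a.phone: a for a in accounts}
        # challenge token -> (account phone, text waiting for confirmation)
        self.pending: Dict[str, Tuple[str, str]] = {}

    def _post(self, acct: Account, text: str) -> str:
        acct.posts.append(text)
        return f"posted: {text}"

    def handle(self, msg: Inbound) -> str:
        acct = self.accounts.get(msg.sender)
        if acct is None:
            return "rejected: unknown sender"

        # Short code: carrier-originated, so the sender address is accepted.
        if msg.to in SHORT_CODES:
            return self._post(acct, msg.body)
        if msg.to not in LONG_CODES:
            return "rejected: unknown destination"

        # Long code: the originating address proves nothing, so some secret
        # only the real subscriber could know must accompany the message.
        first, _, rest = msg.body.partition(" ")

        # 1) Reply to an earlier challenge: the token was sent to the real
        #    phone, so whoever echoes it controls that phone.
        if first in self.pending:
            phone, text = self.pending.pop(first)
            if phone != acct.phone:
                return "rejected: challenge mismatch"
            return self._post(acct, text)

        # 2) PIN-enabled account: body must be "<PIN> <text>". Constant-time
        #    compare so the PIN cannot be recovered through timing.
        if acct.pin is not None:
            if rest and hmac.compare_digest(first.encode(), acct.pin.encode()):
                return self._post(acct, rest)
            return "rejected: long code requires valid PIN"

        # 3) No PIN: never post directly; issue a one-time challenge instead.
        token = secrets.token_hex(3).upper()
        self.pending[token] = (acct.phone, msg.body)
        return f"challenge: reply with {token} to confirm"
```

Nothing arriving on the long code is posted on the strength of the sender address alone: a message with a bad or missing PIN is dropped, and an account without a PIN gets a confirmation prompt sent to its real number, which a spoofer never sees.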
The same vulnerability also existed in Facebook and Venmo, a mobile payments service for use among friends, but those two companies were more responsive to fixing the issue, Rudenberg said.
He reported the bug to Venmo last Thursday, and it was corrected by Saturday. Facebook took longer, with the weakness being reported to the social networking giant on Aug. 19 and Rudenberg notified last Wednesday that the hole was plugged.
He said he ran into more challenges with Twitter, which was alerted to the vulnerability on Aug. 17; when Rudenberg followed up for an update on Oct. 15, he received no reply. He decided last Wednesday to go public with the disclosure, referencing only Twitter.
A Twitter spokesperson did not respond to a request for comment made by SCMagazine.com.
UPDATE: Rudenberg told Ars Technica that the vulnerability has been resolved by Twitter.
UPDATE 2: Rudenberg told SCMagazine.com in an email that "Twitter fixed the issue by changing their service to reject messages to the spoofable 'long codes' from shortcode users. Long code users should enable the PIN code feature in their account."