Twitter, Facebook affected by SMS spoofing flaw


Users who send and receive Twitter messages via text message from their mobile phone are vulnerable to a weakness that could allow anyone to post a tweet to their account, according to a developer and security researcher who discovered the flaw.

Jonathan Rudenberg said in a blog post on Monday that all the attacker needs to know is the target's cell phone number. Then they can spoof the originating address of the text message, or SMS.

"Like email, the originating address of [an] SMS cannot be trusted," Rudenberg wrote. "Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else's number."

Users are only affected if they use long codes to tweet by text message. They can be protected if they have enabled the use of PIN codes to validate their SMS tweets, though such functionality is not available to people inside the United States.

"The cleanest solution for providers is to use only an SMS short code to receive incoming messages," Rudenberg wrote. "In most cases, messages to short codes do not leave the [mobile phone] carrier network and can only be sent by subscribers. This removes the ease of spoofing via SMS gateways."

He also suggested that services like Twitter implement challenge-response questions, which, for example, could require the sender to repeat back a "short alphanumeric string" to confirm that they are the one who sent the tweet.
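The inbound-message policy the article describes, written out as an added illustration (this is not Rudenberg's, Twitter's or any carrier's code): the claimed sender is trusted only on the short code, and a long-code message must carry the user's PIN or echo back a short challenge string before anything is posted. The short code, phone numbers, PIN and the "PIN text" / "CONFIRM code" message formats are constructed assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class InboundSms:
    sender: str       # claimed originating address: untrusted, gateways can set it freely
    destination: str  # the short code or long code the message was delivered to
    body: str


@dataclass
class SmsTweetGateway:
    """Accept a post only when the origin is actually proven."""
    short_code: str
    long_codes: set
    pins: dict = field(default_factory=dict)     # phone -> PIN, for users who enabled one
    pending: dict = field(default_factory=dict)  # phone -> (challenge, text awaiting confirm)
    outbox: list = field(default_factory=list)   # challenge messages sent to the real phone

    def handle(self, msg: InboundSms):
        if msg.destination == self.short_code:
            # Short-code traffic stays inside the carrier network, so the
            # originating number can be relied on here.
            return ("posted", msg.body)
        if msg.destination not in self.long_codes:
            return ("rejected", "unknown destination")
        pin = self.pins.get(msg.sender)
        if pin is not None:
            # Assumed format: "<PIN> <text>"; constant-time compare of the PIN.
            supplied, _, text = msg.body.partition(" ")
            if text and hmac.compare_digest(supplied, pin):
                return ("posted", text)
            return ("rejected", "bad or missing PIN")
        # No PIN enabled: challenge-response. Only the real subscriber receives
        # the challenge, so a spoofed sender cannot complete the exchange.
        if msg.body.startswith("CONFIRM "):
            entry = self.pending.get(msg.sender)
            if entry and hmac.compare_digest(msg.body[8:].strip(), entry[0]):
                del self.pending[msg.sender]
                return ("posted", entry[1])
            return ("rejected", "no matching challenge")
        challenge = secrets.token_hex(3)  # short alphanumeric string to repeat back
        self.pending[msg.sender] = (challenge, msg.body)
        self.outbox.append((msg.sender, f"Reply CONFIRM {challenge} to post"))
        return ("challenged", challenge)
```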

The same vulnerability also existed in Facebook and Venmo, a mobile payments service for use among friends, but those two companies were more responsive to fixing the issue, Rudenberg said.

He reported the bug to Venmo last Thursday, and it was corrected by Saturday. Facebook took longer: the weakness was reported to the social networking giant on Aug. 19, and Rudenberg was notified last Wednesday that the hole was plugged.

He said he ran into more challenges with Twitter, which was alerted to the vulnerability on Aug. 17; when Rudenberg checked back for an update on Oct. 15, he never heard back. He decided last Wednesday to go public with the disclosure, but only referencing Twitter.

A Twitter spokesperson did not respond to a request for comment made by SCMagazine.com.

UPDATE: Rudenberg told Ars Technica that the vulnerability has been resolved by Twitter.

UPDATE 2: Rudenberg told SCMagazine.com in an email that "Twitter fixed the issue by changing their service to reject messages to the spoofable 'long codes' from shortcode users. Long code users should enable the PIN code feature in their account."
