Security researchers have discovered a new way to hijack a Twitter user’s stream, and they’ve done it using a seemingly old-school method. They did it by sending SMS messages.
A team from Insinia Security managed to post tweets (with permission from the account holders, of course) without having to directly access users’ accounts. It was done without logging in and without having to intercept a two-factor authentication code.
The trick doesn’t work against every Twitter account. Only certain SMS-enabled accounts are vulnerable, and it’s not yet known exactly how many users are impacted.
To inject a tweet, Insinia’s researchers first had to track down phone numbers that were linked to Twitter accounts. Because of numerous massive data leaks and hacks, that information is much easier to come by than you might think.
Once they found a phone number, the next step was to borrow a trick from spam callers and swatters. The researchers entered the phone number into a spoofing tool, which makes calls and texts appear as if they’re coming from a specified phone number when they’re really not. Insinia’s experts gave Gizmodo a demonstration of the attack, and it reportedly worked against multiple Twitter accounts.
According to Gizmodo, that shouldn’t have been possible. Twitter issued a statement last week declaring that it had “resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing,” adding that “account security protocols are functioning as expected.”
It’s reassuring to know that no actual accounts are at risk. If hackers can simply do an end run around those measures, however, there are still some glaring holes that need to be patched.
Twitter was contacted for comment and this post will be updated with its reply.
Date: January 2, 2019