Twitter Zero-Day Vulnerability Enables Account Hijack From SMS

By Ken Presti, CRN 2:55 PM EST Tue. Dec. 04, 2012

A newly discovered vulnerability in Twitter's SMS capability opens the door to account hijack by anyone who knows the user's mobile number. Users who have activated an option that allows SMS access to their Twitter accounts are subject to the exploit, which can be carried out by spoofing the telephone number associated with the SMS account.

All functions available through SMS can be accessed through the exploit, including the ability to post tweets and modify profile info.

"Like email, the originating address of a SMS cannot be trusted," wrote security researcher Jonathan Rudenberg, in a blog post describing his discovery. "Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else’s number."


Twitter also offers an optional four-digit PIN code used to authorize the user, but that feature, which would otherwise thwart the attack, is not available in the United States.

"The cleanest solution for providers is to use only an SMS short code to receive incoming messages," writes Rudenberg. "In most cases, messages to short codes do not leave the carrier network and can only be sent by subscribers. This removes the ease of spoofing via SMS gateways."
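As an added illustration (not code from the article, from Rudenberg or from Twitter), the following Python sketch puts an inbound SMS command handler that trusts only the spoofable From number beside one that applies the two mitigations described above and in the PIN discussion below: accept commands only on a short code, and require the user's PIN. The phone numbers, PINs, short code and the PIN-then-space-then-command message format are constructed assumptions.

```python
import hmac

# Constructed sample data: every number, PIN and code below is made up.
USERS = {
    "+15551230001": {"handle": "alice", "pin": "4821"},
    "+15551230002": {"handle": "bob", "pin": "9137"},
}
SHORT_CODE = "98765"          # assumed carrier short code (constructed)
LONG_CODE = "+15550009999"    # assumed ordinary long number reachable from SMS gateways


def weak_handle(sender, body):
    """Weak design: the account is chosen solely by the From field.

    Because SMS gateways let a sender set an arbitrary originating
    address, this lookup is the whole authentication step.
    """
    user = USERS.get(sender)
    if user is None:
        return None
    return (user["handle"], body)


def hardened_handle(sender, recipient, body):
    """Hardened design: short-code-only inbound plus a PIN prefix.

    Returns ("accepted", handle, command) or ("rejected", reason), so a
    rejection reason is available for logging and abuse detection.
    """
    # Mitigation 1: only act on messages that arrived on the short code,
    # which (per the article) normally cannot be reached via gateways.
    if recipient != SHORT_CODE:
        return ("rejected", "not received on the short code")
    user = USERS.get(sender)
    if user is None:
        return ("rejected", "unknown sender")
    # Mitigation 2: require the per-user PIN as the first token
    # (assumed format: "<PIN> <command>").
    pin, sep, command = body.partition(" ")
    if not sep or not hmac.compare_digest(pin, user["pin"]):
        return ("rejected", "missing or wrong PIN")
    return ("accepted", user["handle"], command)


if __name__ == "__main__":
    # A message whose From field was set to alice's number (constructed).
    print(weak_handle("+15551230001", "post hello"))                       # accepted as alice
    print(hardened_handle("+15551230001", LONG_CODE, "4821 post hello"))    # rejected: long code
    print(hardened_handle("+15551230001", SHORT_CODE, "post hello"))        # rejected: no PIN
    print(hardened_handle("+15551230001", SHORT_CODE, "4821 post hello"))   # accepted
```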

Rudenberg says that he advised Twitter about the vulnerability on Aug. 17 and was asked by the company to refrain from publicizing the information until a solution could be developed.

"The issue I filed was initially inspected by a member of their security team, but was then routed to the normal support team who did not believe that SMS spoofing was possible," he wrote. "I then reached out directly to someone on the security team who said that it was an 'old issue' but that they did not want me to publish until they got 'a fix in place'. I received no further communication from Twitter."

Rudenberg recommends that users disable the function until the vulnerability is closed, unless their accounts are based in a region where PIN-based authentication is available, in which case the four-digit number closes the vulnerability.

He indicated that Facebook and Venmo were also vulnerable to the exploit, but both companies resolved the matter last week, following his disclosure.
