A Twitter security flaw gave hackers a way to post unauthorized tweets through text messaging. British cybersecurity company Insinia demonstrated the flaw by hijacking a few celebrity accounts. The firm was able to post tweets as another person, without having their password, by spoofing their mobile number.
If you have data and a smartphone, it’s easy to forget the feature, but Twitter still allows you to post tweets via text message. You simply need to link your phone number to your Twitter account and then text what you want to post.
Twitter’s spokesperson gave a statement to The Guardian: “The flaw allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing.” It’s not entirely clear what makes certain accounts susceptible to the bug, but Insinia was able to send out unauthorized tweets using “long codes”.
Twitter uses two kinds of numbers for tweeting via SMS: long codes and short codes. A long code looks like a typical phone number, while a short code is only three to five digits. The numbers vary from country to country and sometimes from carrier to carrier. For example, the USA uses a short code (40404), and the UK uses both long and short codes (+447624800379).
The spokesperson also said that the bug has already been resolved. But Insinia said that it was able to hijack accounts even after Twitter claimed to have resolved it. Hackers won’t be able to access the inbox or any personal details by exploiting this flaw. Insinia chief Mike Godfrey said that his company conducted the experiments to show that text messaging should not be used to verify people’s identity.
He explained:
“We should not be using 50-year-old technology. It is massively flawed by the design. Even someone completely unskilled could carry [out] this attack within half an hour. This took us 10 minutes.”