Users who send and receive Twitter messages via text message from their mobile phone are vulnerable to a weakness that could allow anyone to post a tweet to their account, according to a developer and security researcher who discovered the flaw.
Jonathan Rudenberg said in a blog post that all the attacker needs to know is the target's mobile phone number. Then they can spoof the originating address of the text message, or SMS.
"Like email, the originating address of [an] SMS cannot be trusted," Rudenberg wrote. "Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else's number."
Users are only affected if they use long codes to tweet by text message. They are protected if they have enabled the use of PIN codes to validate their SMS tweets.
"The cleanest solution for providers is to use only an SMS short code to receive incoming messages," Rudenberg wrote. "In most cases, messages to short codes do not leave the [mobile phone] carrier network and can only be sent by subscribers. This removes the ease of spoofing via SMS gateways."
He also suggested that services like Twitter implement challenge-response questions, which, for example, could require the sender to repeat back a "short alphanumeric string" to confirm that they are the one who sent the tweet.
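As an added illustration (not code from Rudenberg, Twitter or Facebook), the Python sketch below contrasts a tweet-by-SMS handler that trusts the originating address with one that applies the mitigations described above: accept short-code messages as carrier-verified, require a PIN for long-code messages when the user has enabled one, and otherwise issue a challenge the subscriber must echo back. The short code, long code, phone numbers and function names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SHORT_CODE = "40404"        # assumed short code; traffic stays inside the carrier network
LONG_CODE = "+15550001234"  # assumed long code; reachable from spoofable SMS gateways


@dataclass
class Account:
    phone: str                      # registered number; challenges are sent here, not to the sender
    pin: Optional[str] = None       # optional PIN the user can enable for long-code tweets
    pending: dict = field(default_factory=dict)  # challenge token -> tweet awaiting confirmation


def vulnerable_handle(accounts, sender, destination, body):
    """Weak design: the SMS originating address alone authenticates the post."""
    return ("posted", body) if sender in accounts else ("rejected", "unknown sender")


def hardened_handle(accounts, sender, destination, body):
    """Mitigations from the article: short code only, PIN, or challenge-response."""
    acct = accounts.get(sender)
    if acct is None:
        return ("rejected", "unknown sender")
    if destination == SHORT_CODE:
        return ("posted", body)     # only subscribers can reach a short code
    if destination != LONG_CODE:
        return ("rejected", "unknown destination")
    # Long code: the originating address cannot be trusted, so require a second factor.
    if acct.pin:
        pin, _, text = body.partition(" ")
        if hmac.compare_digest(pin, acct.pin):   # constant-time comparison
            return ("posted", text)
        return ("rejected", "bad PIN")
    # No PIN enabled: challenge-response. The token goes to acct.phone, so a
    # spoofed sender never sees it and cannot complete the post.
    if body.startswith("CONFIRM "):
        token = body.split(" ", 1)[1].strip()
        text = acct.pending.pop(token, None)
        return ("posted", text) if text is not None else ("rejected", "bad token")
    token = secrets.token_hex(3)    # short alphanumeric string to echo back
    acct.pending[token] = body
    return ("challenge", token)
```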
The same vulnerability also existed in Facebook, but that company was more responsive in fixing the issue, Rudenberg said.
He reported the bug to the social networking giant on Aug. 19, with the hole plugged last Wednesday.
He said he ran into more challenges with Twitter, which was alerted to the vulnerability on Aug. 17; when Rudenberg checked back for an update on Oct. 15, he received no reply. He decided last Wednesday to go public with the disclosure, but only referencing Twitter.
Rudenberg today said Twitter had now fixed the issue by changing the service to reject messages to the spoofable "long codes" from short code users. Long code users should enable the PIN code feature in their account.