Twitter has a massive security flaw that enabled vigilante hackers to access accounts based in the UK. Hackers from Insinia, a British security firm, exposed the flaw by gaining access to some verified celebrity accounts and posting messages.
Insinia was able to pose as celebrities and journalists, without having any knowledge about their passwords. They did this by “spoofing” the cell phone numbers of the users and posting the tweets via text. Most users do not know about this feature.
Twitter allows users who have a smartphone and a data plan to tweet via SMS. Users have to link their mobile phone number to their Twitter account and send the tweet as a text to a specific number.
Insinia confirmed that it sent the tweets and said they did it to expose the vulnerability.
It is unclear how the hackers managed to tweet via the mobile numbers exactly.
Twitter uses both shortcodes and long codes to send tweets via SMS. Shortcodes are just three to five digits, whereas long codes look like proper phone numbers.
Long codes and shortcodes can vary from country to country, and sometimes different carriers can have different shortcodes as well. As an example, USA uses a shortcode (40404), whereas the UK uses both shortcodes and a long code (+447624800379).
A spokesperson for Twitter claimed that the issue had been resolved. Insinia said that it had still managed to send out fake tweets, despite Twitter’s reassurances. The hackers were not able to access users’ Direct Messages or personal details, but they should not have been able to get access in the first place.
Insinia’s chief Mike Godfrey said as much. Godfrey claimed his company carried out the testing to prove how text messaging can be exploited to verify people’s identities. Godfrey added:
“We should not be using 50-year old technology. It is massively flawed by design. Even someone completely unskilled could carry [out] this attack within half an hour. This took us 10 minutes.”
The Insinia’s chief believes the security loophole might have been in existence for a few years at least. He also claimed that his company’s testing might have encouraged Twitter to take better countermeasures.
Gizmodo claimed that Twitter has admitted the SMS vulnerability existed since 2012. So essentially, Twitter had six years to clean up their mess, which they failed to do. It seems the bug is the same one or quite similar to the one that existed in 2012.
It seems only UK residents have been affected, at least for now. US citizens seem to be safe at the moment. A Twitter spokesperson said Twitter doesn’t “believe there is any significant risk to US-based account holders.”
Twitter has been under scrutiny for some time now. The social media network has suffered from numerous Bitcoin scams, and the company was called out for its role in the Russian hacks of the 2016 US presidential election.
It will be interesting to see how the company bounces back from these scandals.