This Twitter security flaw allows hackers to post tweets via text messaging

December 30, 2018


A Twitter security flaw gives hackers a way to post unauthorized tweets via text messaging, and British cybersecurity firm Insinia has proven its existence by hijacking some celebrities’ accounts. The company was able to post tweets as other people without entering their passwords: it spoofed the sender number of an SMS so that the message appeared to come from the mobile number linked to the target account.

It’s easy to forget the feature if you have data and a smartphone, but Twitter still allows you to tweet via SMS. You link your phone number to your account and then text what you want to post to the number Twitter designates for your country and carrier. The only thing identifying you in that exchange is the originating number on the message, which is exactly what the attack forges.

A Twitter spokesperson explained to The Guardian that the bug “allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing.” It’s not entirely clear what makes certain accounts susceptible to the bug, but Insinia was able to send out unauthorized tweets using “longcodes.”


Twitter uses two kinds of numbers for tweeting via SMS: longcodes and shortcodes. The former looks like a typical phone number, while the latter is just three to five digits. The numbers differ by country and, sometimes, by carrier: the USA uses a shortcode (40404), for instance, while the UK uses both shortcodes and a longcode (+447624800379). A longcode is an ordinary mobile number, so it accepts messages from any originator, including ones whose sender ID has been forged; that is the route Insinia used.
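To make the trust model concrete, here is an added example (constructed for this article, not Twitter’s or Insinia’s code) of an SMS-to-tweet gateway that identifies the account purely by the originating number, next to a variant that additionally requires a per-account PIN. The account table, the PIN, the PIN-prefix convention and the message contents are all assumptions; the UK longcode is the one quoted above. The spoofed message succeeds against the first handler and fails against the second.

```python
"""Constructed model of an SMS-to-tweet gateway (added example, not Twitter's code).

post_tweet_vulnerable() trusts the SMS originator field as the user's identity,
which is the flaw the article describes: sender IDs are not authenticated, so a
spoofed originator on a longcode is accepted as the real user.
post_tweet_hardened() requires a secret the spoofer does not have.
"""
from dataclasses import dataclass
import hmac

# Constructed account table: linked phone number -> handle (assumption, not real data).
LINKED_NUMBERS = {
    "+447700900123": "victim_handle",
}

# Constructed per-account SMS PINs for the hardened variant (assumption: the
# service issues each user a short secret to prefix text commands with).
SMS_PINS = {
    "victim_handle": "4821",
}

# The UK longcode quoted in the article, used here as the constructed destination.
UK_LONGCODE = "+447624800379"


@dataclass
class InboundSMS:
    originator: str   # sender ID as presented by the carrier; attacker-controlled when spoofed
    destination: str  # the service's longcode or shortcode
    body: str


def post_tweet_vulnerable(sms, timeline):
    """Identify the user solely by originator number and post the body as a tweet.

    Returns the handle that was posted as, or None if the number is not linked.
    """
    handle = LINKED_NUMBERS.get(sms.originator)
    if handle is None:
        return None
    timeline.append((handle, sms.body))
    return handle


def post_tweet_hardened(sms, timeline):
    """Like the vulnerable handler, but require '<PIN> <text>' in the body.

    The PIN is compared in constant time; a spoofer who only knows the victim's
    number cannot supply it, so the forged message is dropped.
    """
    handle = LINKED_NUMBERS.get(sms.originator)
    if handle is None:
        return None
    pin, sep, text = sms.body.partition(" ")
    if not sep or not hmac.compare_digest(pin, SMS_PINS.get(handle, "")):
        return None
    timeline.append((handle, text))
    return handle


def demo():
    """Replay the spoofing scenario against both handlers; return both timelines."""
    # Constructed attacker message: originator forged to the victim's linked number.
    spoofed = InboundSMS(originator="+447700900123", destination=UK_LONGCODE,
                         body="I have been hacked")
    vuln_timeline, hard_timeline = [], []
    post_tweet_vulnerable(spoofed, vuln_timeline)   # accepted: tweet posted as victim
    post_tweet_hardened(spoofed, hard_timeline)     # rejected: no valid PIN prefix

    # Constructed legitimate message from the real user, carrying the PIN.
    legit = InboundSMS(originator="+447700900123", destination=UK_LONGCODE,
                       body="4821 hello from my phone")
    post_tweet_hardened(legit, hard_timeline)       # accepted: PIN matches
    return vuln_timeline, hard_timeline


if __name__ == "__main__":
    print(demo())
```

The PIN only closes the specific hole shown here: it is a short secret sent in cleartext over SMS, so it does nothing against an attacker who can intercept or redirect the victim’s messages (SIM swap, SS7 access). That is why the firm’s broader point stands that the originating number of a text message should not be treated as proof of identity at all.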

The spokesperson also said that the social network had already “resolved the bug,” but Insinia said it was able to hijack accounts even after Twitter claimed to have rolled out a fix. While hackers can’t access DMs or personal details by exploiting this particular flaw, Insinia chief Mike Godfrey said his company conducted the experiment to show why text messaging should not be used to verify people’s identities.

“We should not be using 50-year old technology,” he explained. “It is massively flawed by design. Even someone completely unskilled could carry [out] this attack within half an hour. This took us 10 minutes.”
