Security researchers have hijacked a number of celebrity Twitter accounts – including that of Louis Theroux – to post unauthorized tweets. They have also demonstrated that Twitter’s claimed fix for the problem didn’t work …
Gizmodo reports that the researchers disclosed the method used, so that Twitter could fix it, but the vulnerability still exists despite the social media company claiming that it had closed the loophole.
A Twitter spokesperson told reporters on Friday that it had “resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing.” But during a conversation with Gizmodo, the hackers who posted the unauthorized tweets to celebrity accounts appeared to reproduce the experiment after Twitter made its claim.
The vulnerability relates to a Twitter feature introduced at a time when smartphones were still relatively rare. In order to allow people to tweet from dumb phones, Twitter offers a ‘tweet by SMS’ feature. Any text sent to Twitter from the phone number associated with the account would be posted as a tweet.
What the researchers managed to do was to spoof the phone numbers, so that texts sent by them would be tweeted on accounts owned by a number of celebrities and journalists.
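The weakness described above is a design one: the only thing the service checks is the sender number the SMS gateway reports, and that field is not authenticated. The following Python model is an added illustration, not Twitter's code or the researchers' method. It contrasts a handler that trusts the sender number alone with a hypothetical hardened handler in which the sender number only selects the account and a per-account secret in the message body must match before anything is posted; the account data, phone number and PIN are constructed for the example.

```python
"""Model of an inbound 'tweet by SMS' handler (constructed example, not Twitter's code).

Shows why the gateway-reported sender number cannot be the sole proof of identity:
a message whose sender field merely claims to be the linked number is accepted.
The hardened variant is a hypothetical design that additionally requires a
per-account secret carried in the message body.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hmac


@dataclass
class Account:
    handle: str
    phone: Optional[str]            # linked mobile number; None = SMS posting disabled
    sms_pin: Optional[str] = None   # per-account secret used only by the hardened design
    tweets: List[str] = field(default_factory=list)


@dataclass
class InboundSms:
    sender: str   # sender number as reported by the carrier/gateway; NOT authenticated
    body: str


def handle_sms_weak(accounts: Dict[str, Account], msg: InboundSms) -> Optional[str]:
    """Original-style design: a matching sender number alone authorises the post."""
    for acct in accounts.values():
        if acct.phone is not None and acct.phone == msg.sender:
            acct.tweets.append(msg.body)
            return acct.handle
    return None  # no account linked to this number: message dropped


def handle_sms_hardened(accounts: Dict[str, Account], msg: InboundSms) -> Optional[str]:
    """Hardened design: the sender number only selects the account; the first token of
    the body (e.g. '4821 hello world') must equal the account's PIN before posting."""
    acct = next(
        (a for a in accounts.values() if a.phone is not None and a.phone == msg.sender),
        None,
    )
    if acct is None or acct.sms_pin is None:
        return None  # SMS posting not enabled for this number
    pin, sep, text = msg.body.partition(" ")
    # constant-time comparison so the check does not leak how many characters matched
    if not sep or not hmac.compare_digest(pin.encode(), acct.sms_pin.encode()):
        return None  # missing or wrong secret: a forged sender number is not enough
    acct.tweets.append(text)
    return acct.handle


def run_scenario() -> dict:
    """Replay one forged-sender message and one legitimate message through both handlers."""
    linked = "+447700900123"  # constructed number (UK drama range), not a real account
    weak = {"celeb": Account("celeb", linked)}
    hard = {"celeb": Account("celeb", linked, sms_pin="4821")}
    # The gateway reports the linked number as sender, but the body carries no secret.
    spoofed = InboundSms(sender=linked, body="not my tweet")
    legit = InboundSms(sender=linked, body="4821 hello from my phone")
    return {
        "weak_accepts_spoof": handle_sms_weak(weak, spoofed) == "celeb",
        "hardened_rejects_spoof": handle_sms_hardened(hard, spoofed) is None,
        "hardened_accepts_with_pin": handle_sms_hardened(hard, legit) == "celeb",
        "hardened_posts": hard["celeb"].tweets,
    }


if __name__ == "__main__":
    print(run_scenario())
```

A body-carried secret defeats sender spoofing but not interception of the message itself, so the simplest mitigation remains the one the model also supports: an account with no linked number (or the feature switched off) never posts from SMS at all. The hardened handler also returns nothing on failure rather than an error message, so a forged message learns nothing about whether the number is linked.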
The researchers from Insinia Security say that they notified the account holders, but didn’t seek consent from them. They say they used celebrity Twitter accounts to draw widespread attention to the vulnerability.
Twitter claimed on Friday that it had “resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing,” but the researchers were able to demonstrate today that the same method still works.
The problem follows close on the heels of a support form flaw which exposed user details such as phone number country code. It was reported that this seemingly limited data was likely used by state-sponsored actors to gain information about Twitter accounts.