The cofounder of a Twitter 2FA text service is reported to have been secretly selling access to its networks to governments, enabling them to locate people of interest – and in some cases obtain their phone logs …
The company, Mitto AG, was used by Twitter to send text messages on its behalf, including security codes used for two-factor authentication (2FA). Twitter says that it is “transitioning” away from the company’s services, but appears not to have completely ceased using them as yet.
Bloomberg reports:
Twitter Inc. told a U.S. senator it is cutting ties with a European technology company that helped it send sensitive passcodes to its users via text message.
The social media firm said in a disclosure to U.S. Senator Ron Wyden, a Democrat from Oregon, that it is “transitioning” its service away from working with Mitto AG, according to a Wyden aide.
A co-founder of Mitto operated a service that helped governments secretly surveil and track mobile phones, according to former employees and clients.
One of the approaches said to have been used was exploiting known vulnerabilities in the mobile telecoms protocol Signaling System 7 (SS7). It has been known since at least 2016 that major security flaws in SS7 mean that it can be used to listen to your calls, read your texts, and track your position.
The privacy breach appears to have been carried out by Mitto cofounder and chief operating officer Ilja Gorelik without the knowledge of others in the company. A Mitto spokesperson said that the company itself had no involvement, and was investigating. Unconfirmed reports say that Gorelik is no longer involved with the company.
It’s yet another reason to avoid using text messaging for 2FA. Always use Apple’s own 2FA support, or a third-party app like Google Authenticator, whenever you have the option. If a company only offers text messaging, then Apple’s autofill feature at least reduces the risks.
Photo: Mahdi Bafande/Unsplash