Skip to main content

Twitter 2FA text service was secretly helping governments locate people, obtain call logs

The cofounder of a Twitter 2FA text service is reported to have been secretly selling access to its networks to governments, enabling them to locate people of interest – and in some cases obtain their phone logs …

The company, Mitto AG, was used by Twitter to send text messages on its behalf, including security codes used for two-factor authentication (2FA). Twitter says that it is “transitioning” away from the company’s services, but appears not to have completely ceased using them as yet.

Bloomberg reports.

Twitter Inc. told a U.S. senator it is cutting ties with a European technology company that helped it send sensitive passcodes to its users via text message.

The social media firm said in a disclosure to U.S. Senator Ron Wyden, a Democrat from Oregon, that it is “transitioning” its service away from working with Mitto AG, according to a Wyden aide.

A co-founder of Mitto operated a service that helped governments secretly surveil and track mobile phones, according to former employees and clients.

One of the approaches said to have been used was exploiting known vulnerabilities in the mobile telecoms protocol Signaling System 7 (SS7). It has been known since at least 2016 that major security flaws in SS7 mean that it can be used to listen to your calls, read your texts, and track your position.

The privacy breach appears to have been carried out by Mitto cofounder and chief operating office Ilja Gorelik without the knowledge of others in the company. A Mitto spokesperson said that the company itself had no involvement, and was investigating. Unconfirmed reports say that Gorelik is no longer involved with the company.

It’s yet another reason to avoid using text messaging for 2FA. Always use Apple’s own 2FA support, or a third-party app like Google Authenticator, whenever you have the option. If a company only offers text messaging, then Apple’s autofill feature at least reduces the risks.

Photo: Mahdi Bafande/Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications