Twitter closes SMS spoofing hole

March 6, 2009 – 8:30 AM
Twitter, the micro-blogging site, has closed an SMS spoofing security hole which, until Wednesday night, left accounts open to being hijacked. The vulnerability was due to an authentication weakness that allowed anyone who knew a user’s mobile number to spoof their messages, provided that the user’s mobile number was set up to post and receive Twitter messages.
The hijack was possible because Twitter determined which account to post to from the “sender ID” field, the part of every text message that carries the sender’s mobile telephone number. According to Security Fix, an attacker could use an SMS (short message service) spoofing service, such as my-cool-sms.com or phonytext.com, to replace the “from” or “sender ID” field of a text message with the mobile number of a Twitter user and then send the message. The message would be immediately posted to that user’s Twitter page.
By using Twitter’s “text commands,” an attacker could have enabled or disabled another user’s phone notifications, and users could have been forced to follow other Twitter users. The vulnerability also let an attacker change a user’s settings so that they would stop receiving notifications from specific users on their list, or make other Twitter users start following their Tweets.
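As an added illustration (not Twitter’s code, and not a description of the fix Twitter actually shipped), the following Python contrasts an inbound-SMS handler that authorizes text commands on the spoofable sender-ID field alone with one that also requires a per-user PIN at the start of the message body; the PIN scheme, the command subset and the sample account are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class User:
    handle: str
    phone: str                      # number enrolled for Twitter-by-SMS
    pin: Optional[str] = None       # None: no PIN enrolled (assumed design)
    notifications: bool = True
    following: Set[str] = field(default_factory=set)
    posts: List[str] = field(default_factory=list)


def apply_command(user: User, body: str) -> str:
    """Subset of the text commands the article names: ON/OFF, FOLLOW; else post."""
    parts = body.strip().split()
    cmd = parts[0].upper() if parts else ""
    if cmd in ("ON", "OFF"):
        user.notifications = cmd == "ON"
        return "notifications " + cmd.lower()
    if cmd == "FOLLOW" and len(parts) == 2:
        user.following.add(parts[1])
        return "following " + parts[1]
    user.posts.append(body.strip())
    return "posted"


def handle_sms_trusting_sender(users: Dict[str, User], sender_id: str, body: str) -> str:
    """Vulnerable pattern: the sender-ID header, which carriers do not authenticate,
    is the only credential, so anyone who knows the number controls the account."""
    user = users.get(sender_id)
    if user is None:
        return "unknown number"
    return apply_command(user, body)


def handle_sms_with_pin(users: Dict[str, User], sender_id: str, body: str) -> str:
    """Hardened pattern (assumed design): the sender ID only selects the account;
    a secret PIN leading the body, which knowing the number does not reveal,
    authorizes the command. Constant-time compare avoids a timing side channel."""
    user = users.get(sender_id)
    if user is None or user.pin is None:
        return "rejected: no PIN enrolled"
    pin, _, rest = body.partition(" ")
    if not rest or not hmac.compare_digest(pin, user.pin):
        return "rejected: bad PIN"
    return apply_command(user, rest)


def make_users() -> Dict[str, User]:
    """Constructed sample data: one enrolled account keyed by its phone number."""
    return {"+15550001111": User("alice", "+15550001111", pin="4321")}
```

A message whose sender ID is forged to the enrolled number is accepted by the first handler and rejected by the second unless it also carries the PIN.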