Twitter officials say that a researcher’s claims that the service is open to an SMS-spoofing vulnerability are not completely accurate, and that Twitter users in the United States are not vulnerable to the attack. Moxie Marlinspike of Twitter’s security team said that the company in August had stopped allowing users to post messages using SMS longcodes in countries, such as the U.S., where posting via a shortcode is available.
For users who have SMS posting set up, the way that they do it depends upon which country they’re in and how the system works. For some users, posting a message through SMS involves sending the tweet, along with a shortcode. In other countries, users need to send a longer code, which looks like a normal phone number, along with the message to be posted. Marlinspike said that the use of shortcodes helps prevent the SMS-spoofing attack.
“Most Twitter users interact over the SMS channel using a ‘shortcode.’ In the US, for instance, this shortcode is 40404. Because of the way that shortcodes work, it is not possible to send an SMS message with a fake source addressed to them, which eliminates the possibility of an SMS spoofing attack to those numbers,” Marlinspike said in a blog post addressing the issue.
“It has been misreported that US-based Twitter users are currently vulnerable to a spoofing attack because PIN protection is unavailable for them. By having a shortcode, PIN protection isn’t necessary for US-based Twitter users, because they are not vulnerable to SMS spoofing. We only provide the option for PIN protection in cases where a user could have registered with a longcode that is susceptible to SMS spoofing.”
On Tuesday security researcher Jonathan Rudenberg said that he had reported the SMS-spoofing issue to Twitter in August and had waited for severla months for resolution but the company had stopped communicating with him about the problem. He disclosed the issue on Tuesday and also said that he had notified Facebook and mobile payment company Venmo of similar issues, both of which fixed the problem.
Marlinspike said in his post that while it is technically possible for an attacker to execute the SMS-spoofing attack against some users who employ the longcode posting method, using a PIN code defends against the attack.
“Given that it is possible to send an SMS message with a fake source address to these numbers, we have offered PIN protection to users who sign up with a longcode since 2007. As of August of this year, we have additionally disallowed posting through longcodes for users that have an available shortcode,” Marlinspike said.