UPDATE–A day after an independent security researcher disclosed a vulnerability in SMS-enabled Twitter accounts, the social network giant announced it’s fixed the flaw – at least for some users. Those who use a “long code” and/or cannot use a PIN code remain at risk.
The update came Tuesday evening following a wave of news reports, including one on Threatpost, warning Twitter users they were vulnerable to account hijacks by anyone familiar with the mobile phone number associated with their SMS account. Once an attacker has gained control by spoofing that number, he or she can use SMS commands to post tweets and change profile information.
The vulnerability was discovered on Twitter and Facebook in August by developer and security researcher Jonathan Rudenberg. He contacted both companies and agreed to remain silent while they worked on a fix. Then last week he realized the same vulnerability existed for mobile payment provider Venmo and contacted them as well. All three responded to the researcher initially, and both Facebook and Venmo kept him apprised as they developed a fix or workaround. But when Twitter failed to respond to Rudenberg’s request for an update, he decided to go public.
So Rudenberg released details on his Web site, including suggestions for mitigation. Twitter responded a day later with news it had a fix for those using short codes but not for those using a long code. It recommended long-code users enable the PIN code on their account, which is of little comfort to those inside the United States since that feature isn’t available.
In a blog post, Moxie Marlinspike of Twitter’s security team said that U.S. users aren’t vulnerable to the SMS-spoofing bug and that the company had made a change in August to protect against this attack.
Marlinspike said in his post that while it is technically possible for an attacker to execute the SMS-spoofing attack against some users who employ the longcode posting method, using a PIN code defends against the attack.
“Given that it is possible to send an SMS message with a fake source address to these numbers, we have offered PIN protection to users who sign up with a longcode since 2007. As of August of this year, we have additionally disallowed posting through longcodes for users that have an available shortcode,” Marlinspike said.
“Most Twitter users interact over the SMS channel using a ‘shortcode.’ In the US, for instance, this shortcode is 40404. Because of the way that shortcodes work, it is not possible to send an SMS message with a fake source address to them, which eliminates the possibility of an SMS spoofing attack to those numbers,” Marlinspike said.
Rudenberg expressed frustration with how Twitter handled his discovery.
“The issue I filed was initially inspected by a member of their security team, but was then routed to the normal support team who did not believe that SMS spoofing was possible,” he wrote. “I then reached out directly to someone on the security team who said that it was an ‘old issue’ but that they did not want me to publish until they got ‘a fix in place.’ I received no further communication from Twitter.”
Facebook notified Rudenberg the issue was resolved Nov. 28 and gave him a bounty for responsibly disclosing the vulnerability and allowing time for it to be fixed. Braintree, which recently acquired Venmo, responded immediately and had SMS payments disabled a day later.
For service providers, Rudenberg recommends receiving incoming messages only on an SMS short code, which reduces the risk of spoofing via SMS gateways. Another, less common option is to require a challenge-response for every message: the service replies with a short alphanumeric string that the sender must repeat back before the original message is processed.
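The challenge-response mitigation described above, as an added example that is not code from the original article, from Rudenberg, or from any of the companies named. The example is a small inbound-SMS command gate in Python: a message arriving on a short code is processed directly, while a message arriving on a long code is held until the claimed sender echoes back a random code. Because the challenge is sent to the claimed number, a forged message never reaches its own challenge. The gateway and command executor are constructed in-memory sinks, the phone numbers are constructed, the six-character code length and five-minute window are assumed values, and the short code 40404 is the U.S. number quoted by Marlinspike above.

```python
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Assumed parameters (not from the article): a 6-character code drawn from
# A-Z0-9 and a 5-minute window to answer it.
CHALLENGE_ALPHABET = string.ascii_uppercase + string.digits
CHALLENGE_LENGTH = 6
CHALLENGE_TTL_SECONDS = 300


def new_challenge() -> str:
    """Random short alphanumeric string the sender must echo back."""
    return "".join(secrets.choice(CHALLENGE_ALPHABET) for _ in range(CHALLENGE_LENGTH))


@dataclass
class PendingCommand:
    command: str
    challenge: str
    issued_at: float


@dataclass
class SmsCommandGate:
    # Numbers the service receives on that cannot carry a forged source address
    short_codes: Set[str]
    # Clock is injectable so expiry can be exercised without sleeping
    now: Callable[[], float] = time.time
    # Constructed sinks standing in for a real SMS gateway and command executor
    sent: List[Tuple[str, str]] = field(default_factory=list)
    executed: List[Tuple[str, str]] = field(default_factory=list)
    pending: Dict[str, PendingCommand] = field(default_factory=dict)

    def _send(self, to: str, text: str) -> None:
        self.sent.append((to, text))

    def _execute(self, sender: str, command: str) -> None:
        self.executed.append((sender, command))

    def _issue_challenge(self, sender: str, command: str) -> str:
        challenge = new_challenge()
        self.pending[sender] = PendingCommand(command, challenge, self.now())
        # The reply goes to the claimed sender; only the real holder of that
        # number sees the code, so a forged message cannot complete the exchange.
        self._send(sender, f"Reply {challenge} within 5 minutes to confirm: {command}")
        return "challenged"

    def receive(self, sender: str, to: str, body: str) -> str:
        """Handle one inbound SMS. Returns 'executed', 'challenged' or 'expired'."""
        body = body.strip()
        if to in self.short_codes:
            # Short-code path: the source address is trustworthy, process directly
            self._execute(sender, body)
            return "executed"

        # Long-code path: any earlier challenge for this sender is consumed here,
        # whether or not this message answers it.
        pending = self.pending.pop(sender, None)
        if pending is not None:
            expired = self.now() - pending.issued_at > CHALLENGE_TTL_SECONDS
            # Constant-time compare on bytes; case-insensitive for the user's sake
            if secrets.compare_digest(body.upper().encode(), pending.challenge.encode()):
                if expired:
                    self._send(sender, "Confirmation code expired; please resend your command.")
                    return "expired"
                self._execute(sender, pending.command)
                return "executed"
        # No pending challenge, or the message is not its answer: treat as a new command
        return self._issue_challenge(sender, body)
```

A message that fails the challenge is treated as a fresh command and gets its own challenge, so a spoofed message can at most cause the real owner of the number to receive an unexpected confirmation text, which is itself a useful signal that someone is forging their number.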
This article was updated on Dec. 5 to add comments from Marlinspike.