There is a bug in the way that Twitter handles a feature that enables users to post messages via SMS, and the researcher who discovered it says that it allows anyone who knows a user’s mobile number not only to tweet from the user’s account but also to modify information in the user’s profile.
The vulnerability is a result of the way that the Twitter service handles incoming commands from users’ mobile devices. Twitter users have the option of turning on a feature that allows them to post messages, follow and unfollow users and take other actions simply by sending SMS commands from their mobile phones. In order to do this, a user must register his mobile number with Twitter in his profile, so the service knows which account the commands are associated with. The problem, however, is that anyone who knows a user’s mobile number can post messages, change profile settings and take other actions on the user’s behalf.
“Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs knowledge of the mobile number associated with a target’s Twitter account. Messages can then be sent to Twitter with the source number spoofed,” Jonathan Rudenberg, the researcher who discovered the bug, said in an advisory on the Twitter SMS flaw.
“Like email, the originating address of an SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else’s number.”
Rudenberg said that he disclosed the vulnerability to Twitter in mid-August and the company assigned the problem to its mobile support team a few days later. A couple of weeks later Twitter officials asked Rudenberg not to publish the information until they had a chance to fix the vulnerability. Five weeks later he asked Twitter for an update on the progress and he says he never received a response, so he published the information on Tuesday on Full Disclosure.
Rudenberg, a developer and security researcher, said via email that he discovered the SMS bug, which also affects Facebook and Venmo, a mobile payment service, while researching SMS spoofing. Facebook and Venmo both have fixed the problem.
“In August I was doing research on SMS spoofing and tested against Twitter and Facebook, and found that they were vulnerable. I was about to publish what I found last week when a friend asked me whether I had tested Venmo, which I found was also vulnerable,” Rudenberg said.
“Testing these is really easy, it’s a single API call to any SMS gateway that allows specifying the ‘from address’ of the message.”
Rudenberg said that Twitter users in the U.S. are especially vulnerable to this issue because they don’t have the option of using a feature that prepends a four-digit PIN code to each SMS command. That PIN is a secret shared only with the account owner, so its presence helps identify a command as genuinely coming from the owner rather than from someone who merely knows the phone number. Rudenberg said users outside the U.S. should enable the PIN code option.
“Twitter users in the US should disable SMS completely, users outside the US with the PIN code option available should enable it (or disable SMS),” he said.
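To make concrete why the originating number alone is insufficient and what the PIN option described above adds, here is an added example (not Twitter’s code, nor Rudenberg’s) of a toy inbound-SMS command handler written two ways: a weak version that authenticates solely on the carrier-supplied originating number, and a hardened version that additionally requires a per-account PIN at the start of the message body. The registered number, username, PIN and command strings are constructed for the example; the command vocabulary is limited to the actions the article mentions (post, follow, unfollow).

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample registration table: phone number -> account + SMS PIN.
# In a real service this would be the user's profile record. Values are illustrative.
REGISTERED = {
    "+15555550100": {"username": "alice", "pin": "4821"},
}

# Commands the service understands beyond a plain tweet. Anything else is posted as a status.
COMMAND_RE = re.compile(r"^(follow|unfollow)\s+(\S+)\s*$", re.IGNORECASE)


@dataclass
class InboundSms:
    originating_number: str  # "from" address as delivered by the gateway; attacker-controllable
    body: str


def parse_command(text: str) -> Tuple[str, str]:
    """Turn the message body into (action, argument)."""
    text = text.strip()
    m = COMMAND_RE.match(text)
    if m:
        return (m.group(1).lower(), m.group(2))
    return ("tweet", text)


def handle_weak(sms: InboundSms) -> Optional[Tuple[str, Tuple[str, str]]]:
    """Weak handler: the originating number is the only credential.

    Because the originating address of an SMS can be set arbitrarily at many
    gateways, anyone who knows a registered number can act as that account.
    """
    user = REGISTERED.get(sms.originating_number)
    if user is None:
        return None  # unknown sender: dropped
    return (user["username"], parse_command(sms.body))


def pin_matches(supplied: str, expected: str) -> bool:
    """Constant-time comparison so timing does not leak how much of the PIN matched."""
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


def handle_with_pin(sms: InboundSms) -> Optional[Tuple[str, Tuple[str, str]]]:
    """Hardened handler: number must be registered AND the body must begin with the PIN.

    The PIN is a secret the account owner knows and a number-spoofer does not, so a
    message carrying the right number but no (or a wrong) PIN is rejected.
    """
    user = REGISTERED.get(sms.originating_number)
    if user is None:
        return None
    parts = sms.body.strip().split(maxsplit=1)
    if len(parts) != 2 or not pin_matches(parts[0], user["pin"]):
        return None  # missing or wrong PIN: refuse even though the number matches
    return (user["username"], parse_command(parts[1]))


if __name__ == "__main__":
    # Constructed traffic: a genuine command, then one with the right number but no PIN.
    genuine = InboundSms("+15555550100", "4821 follow bob")
    no_pin = InboundSms("+15555550100", "follow mallory")
    print("weak   :", handle_weak(genuine), handle_weak(no_pin))
    print("with pin:", handle_with_pin(genuine), handle_with_pin(no_pin))
```

The second handler is not a complete fix: the PIN travels in the clear through the carrier and any gateway in the path, so it defends against the number-spoofing case the article describes, not against an intermediary that can read the message. Turning the feature off entirely, as Rudenberg recommends for accounts without a PIN option, removes the exposure altogether.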
Facebook fixed the SMS-spoofing bug last week, as did Venmo, Rudenberg said.