We’ve all seen them. The unsolicited Tweet, direct message, or Facebook posting from a reputable colleague or personal contact that is undoubtedly the result of a compromised account, sometimes used by cybercriminals for general spamming purposes and other times part of an insidious attack employing a malicious link designed to infect the victim’s contacts with malware.
One wonders how the attacker gained access: A login database breach? Weak or guessable passwords? A keylogger or other form of data-sniffing infection? All of these are unfortunate occurrences, but the recent revelation by security researcher Jonathan Rudenberg that an account can be taken over, and unauthorized messages sent, by an attacker who simply knows the associated mobile phone number is more than a little disconcerting.
Rudenberg discovered a flaw in how Twitter and a few other social networking platforms handle commands sent from users’ mobile devices; it can be used by attackers to send unauthorized messages and change account settings.
“Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs knowledge of the mobile number associated with a target’s Twitter account. Messages can then be sent to Twitter with the source number spoofed,” Rudenberg reports.
“Users of Twitter that have a mobile number associated with their account and have not set a PIN code are vulnerable. All of the Twitter SMS commands can be used by an attacker, including the ability to post tweets and modify profile info,” Rudenberg warned.
The problem is that the platform does not compensate for SMS spoofing: an attacker can send SMS commands to an account with a spoofed source number, and the platform simply sees commands arriving from the number associated with the account and allows them to execute.
Spoofing is a common form of digital impersonation, employed in email phishing campaigns that display an innocuous sender address, or used to fool targets by presenting a trusted phone number through caller ID.
“Like email, the originating address of a SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else’s number,” Rudenberg explained.
The researcher found that both Facebook and Venmo were also vulnerable to the spoofing, though both companies quickly remedied the threat after Rudenberg privately disclosed the flaw. Twitter on the other hand has still not mitigated the vulnerability, even after Rudenberg agreed to withhold publication of his findings for several months. After receiving no word on progress from the social media giant, Rudenberg brought forth his findings on Full Disclosure.
Rudenberg recommends that “until Twitter removes the ability to post via non-short code numbers, users should enable PIN codes (if available in their region).” The PIN codes are entered by legitimate users prior to executing SMS commands for their accounts. The problem for users in the US is that the PIN code feature is not available.
To mitigate this problem and other forms of SMS spoofing, Rudenberg suggests that mobile service providers send a “challenge-response” confirmation directly to the registered number for the account for every command issued via SMS. If the command was spoofed, the attacker will not receive the confirmation challenge, and the command will not be executed. Alternatively, he recommends that service providers employ short codes for SMS messaging.
“The cleanest solution for providers is to use only an SMS short code to receive incoming messages. In most cases, messages to short codes do not leave the carrier network and can only be sent by subscribers. This removes the ease of spoofing via SMS gateways,” Rudenberg explained.
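As an added illustration (not Rudenberg’s code and not any platform’s real implementation), the following Python model of an SMS command gateway contrasts the weak design described above, where the unauthenticated originating number alone authorises a command, with the two mitigations discussed: a per-account PIN and a challenge-response confirmation. The account number, PIN and command syntax are constructed for the example.

```python
import secrets

# Constructed sample data: accounts keyed by registered mobile number. The PIN models
# the per-account "PIN code" the page mentions; number and PIN are made up.
ACCOUNTS = {"+15550001111": {"user": "alice", "pin": "4821", "posts": []}}
PENDING = {}  # one-time confirmation code -> (number, command) awaiting confirmation

def run_command(account, body):
    """Tiny stand-in for the SMS command set: only 'post <text>' is modelled."""
    if body.startswith("post "):
        account["posts"].append(body[5:])
        return "posted"
    return "unknown command"

def handle_vulnerable(src, body):
    """Weak design: the originating address alone selects AND authorises the account,
    so any message whose source field carries the registered number is executed."""
    account = ACCOUNTS.get(src)
    return run_command(account, body) if account else "no account"

def handle_with_pin(src, body):
    """Hardened with a PIN: body is 'PIN <command>'. The source address still picks
    the account, but execution needs a secret that a spoofed message does not carry."""
    account = ACCOUNTS.get(src)
    if not account:
        return "no account"
    pin, _, command = body.partition(" ")
    if not secrets.compare_digest(pin, account["pin"]):
        return "rejected: bad pin"
    return run_command(account, command)

def handle_challenge(src, body):
    """Hardened with challenge-response: nothing runs yet. A one-time code is generated
    and (in a real system) sent to the registered number, so only the subscriber sees it."""
    if src not in ACCOUNTS:
        return None
    code = secrets.token_hex(3)
    PENDING[code] = (src, body)
    return code  # returned here only so the example can model delivery to the subscriber

def confirm(src, code):
    """Execute the pending command only when the correct one-time code comes back."""
    entry = PENDING.pop(code.strip(), None)
    if entry is None or entry[0] != src:
        return "rejected: no matching challenge"
    return run_command(ACCOUNTS[entry[0]], entry[1])
```

A message whose source field merely claims the registered number is accepted by `handle_vulnerable` but is stopped by either hardened handler, which is the property the PIN and challenge-response mitigations provide.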
Regardless of how service providers decide to respond to spoofing, the best protection against this vulnerability is for Twitter users to simply disable the mobile text messaging feature.