In association with heise online

20 March 2009, 13:49

Twitter PINs down SMS tweet spoofing


Twitter PIN
Can you spot the PIN field? (It's between the colon and the save button)
Twitter has quietly updated its system so that all users now have the option of setting a PIN to stop Twitter SMS spoofing, but the feature is not as easy to use as it should be.

Twitter SMS spoofing allows an attacker to post updates to a victim's Twitter account by using an SMS spoofing service, provided they know the mobile number from which the victim posts SMS updates to Twitter; Twitter identifies the account solely by the sender number. US users of Twitter have had the option of using a PIN for some time: the user sets a four-digit number which must prefix any updates they send over SMS.

The PIN feature wasn't available to The H when we were testing claims that Twitter had fixed the SMS spoofing problem. This week, Twitter's Biz Stone directed us to check our settings, and we found that the PIN feature had been enabled for international users. There are some problems with the implementation, though: the form field for entering the PIN appears, at least in Safari and Firefox, as a white field on a white background with no border, so users will initially have to guess where the field is in order to set their PIN. Once the user finds the field, enters a four-digit number and clicks save, all future SMS updates must start with the PIN followed by a space in order to be accepted. Without the PIN, the SMS update is silently dropped.

The only other flaw with the current arrangement is that it requires the user to opt in to protecting themselves from a Twitter vulnerability; The H hopes that Twitter makes PINs obligatory in the future.
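As an added illustration, not Twitter's own code, here is a sketch of the gateway-side check the article describes: a four-digit PIN and a space must prefix the SMS, otherwise the message is silently dropped. The account table, phone numbers and the `require_pin` switch are assumptions constructed to show the difference between the opt-in model criticised above and a mandatory one.

```python
import hmac
import re

# Constructed sample accounts (not real data): sender number -> settings.
# Twitter matches the account purely on the sender number, which is why a
# spoofed sender can post unless a PIN is enforced.
ACCOUNTS = {
    "+15550100": {"handle": "alice", "pin": "4829"},  # has opted in to a PIN
    "+15550101": {"handle": "bob", "pin": None},      # never set a PIN
}

# Exactly four digits, one space, then the update text.
PIN_PREFIX = re.compile(r"^(\d{4}) (.*)$", re.DOTALL)


def accept_sms(sender: str, body: str, require_pin: bool = False):
    """Decide what the inbound SMS gateway does with one message.

    Returns ("accept", handle, text) or ("drop", reason, None).
    require_pin=True models the mandatory-PIN policy the article asks for.
    """
    account = ACCOUNTS.get(sender)
    if account is None:
        return ("drop", "unknown sender", None)

    pin = account["pin"]
    if pin is None:
        # Opt-in model: with no PIN configured, anything that arrives with
        # this sender number is posted unchecked (the weakness noted above).
        if require_pin:
            return ("drop", "pin not configured", None)
        return ("accept", account["handle"], body)

    match = PIN_PREFIX.match(body)
    if match is None:
        return ("drop", "missing pin prefix", None)  # silently dropped
    supplied, text = match.group(1), match.group(2)
    # Constant-time comparison so response timing does not leak PIN digits.
    if not hmac.compare_digest(supplied, pin):
        return ("drop", "wrong pin", None)
    # The PIN and its trailing space are stripped before the update is posted.
    return ("accept", account["handle"], text)
```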

