06 March 2009, 11:11

Twitter closes SMS spoofing hole - Updated

Twitter, the micro-blogging site, has closed an SMS spoofing security hole which, until Wednesday night, left accounts open to being hijacked. The vulnerability was due to an authentication weakness that allowed anyone who knew a user's mobile number to spoof their messages, provided that the user's mobile number was set up to post and receive Twitter messages.

The hijack was possible because Twitter determined where to post the messages from the "sender ID" field, the area in all text messages that contains the sender's mobile telephone number. According to Security Fix, an attacker could use an SMS (short message service) spoofing service, such as my-cool-sms.com or phonytext.com, to mask the phone number for the original text call by replacing the "from" or "sender ID" field with the mobile number of a Twitter user and then sending a message. The message would be immediately posted to that user's Twitter page.

By using Twitter's "text commands," an attacker could have enabled or disabled another user's phone notifications and users could have been forced to follow other Twitter users. The vulnerability also let an attacker change a users settings so that they would stop receiving notifications from specific users on their list, or make other Twitter users start following their Tweets.

The spoofing hole mostly affected users outside of the US, as most of the US based mobile carriers have measures in place to prevent SMS spoofing. Popular users who have a large number of followers, such as Stephen Fry, could have had their accounts taken over using this hole, allowing an attacker to post a Tweet with a link to a malicious website to hundreds of thousands of users at the same time.

Update: The fix seems to have failed in the UK and Germany. See our updated story - "Twitter spoofing fix fails in UK and Germany"

See also: