Twitter spoofing fix fails in UK and Germany
An earlier claim that Twitter had fixed the spoofed SMS message issue has proven not to apply to the UK and Germany, where an attacker who knows nothing more than the number of the mobile phone associated with a Twitter account can send faked messages that appear as tweets from the victim. In testing at heise Security in Germany and at The H Security in the UK, we were able to create faked tweets on the @heisec and @honline accounts using nothing more than an SMS sender-spoofing service.
In the UK, we had a mobile phone associated with a Twitter account. Taking only the number of that phone, setting it as the sender field on PhonyText, and sending an SMS to +447624801423, the UK number for posting tweets by SMS, we were able to see our message appear among the tweets on the @honline page. We then promptly removed the association between the phone and the Twitter account. An attacker could have created a message directing followers to malware sites or other risky locations on the web, or posted tweets designed to ruin the reputation of the account owner.