Twitter has released a less-than-optimal fix for a well-known text-messaging bug that enables an attacker with the mobile phone number associated with an account to impersonate the user.
The flaw, disclosed on Monday by security consultant Jonathan Rudenberg, enables someone to use text messaging to send tweets under the name of the mobile phone user. In addition, an attacker can change profile information, follow and unfollow other Twitter users and send direct messages.
Twitter partially fixed the bug by preventing account holders from using their phone numbers to send tweets when a so-called short code is available. Short codes are shortened telephone numbers used in a variety of services, such as TV program voting and making charity donations. Unlike regular telephone numbers, short codes are not susceptible to impersonation attacks.
The fix leaves out a significant number of Twitter users, because the social network does not have short codes available for many mobile operators. For example, Twitter has no short codes available with U.S. carriers.
Those users will have to continue to use their phone numbers, leaving them open to attack. The workaround is to use their account settings to require a PIN each time a text message is sent.
The problem stems from a flaw in the short messaging service (SMS) gateways used by carriers. Like email, SMS allows the originating address of a message to be set to an arbitrary identifier, including someone else's phone number, Rudenberg said.
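As an added illustration of the per-message PIN workaround mentioned above (example code, not from the article, Twitter or Rudenberg), this Python handler refuses to trust the sender number of a long-code SMS on its own; the account table, phone number, PIN and hashing scheme are constructed assumptions.

```python
import hashlib
import hmac


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumed storage scheme: salted PBKDF2 so the PIN is never kept in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed sample account keyed by the phone number registered for SMS commands.
_SALT = b"constructed-salt"
ACCOUNTS = {
    "+15555550123": {"user": "alice", "salt": _SALT, "pin_hash": _hash_pin("4821", _SALT)},
}


def handle_inbound_sms(sender: str, body: str, via_short_code: bool) -> dict:
    """Decide whether an inbound SMS command may act on an account.

    Carrier gateways do not authenticate the originating address, so a message
    that arrived on an ordinary long code is acted on only if its first token is
    the account's PIN. Messages received on a short code are accepted as-is,
    following the distinction the article draws between the two paths.
    """
    account = ACCOUNTS.get(sender)
    if account is None:
        return {"accepted": False, "reason": "unknown number"}
    if via_short_code:
        return {"accepted": True, "user": account["user"], "command": body}
    parts = body.split(maxsplit=1)
    if len(parts) < 2 or not parts[0].isdigit():
        return {"accepted": False, "reason": "PIN required for long-code messages"}
    candidate = _hash_pin(parts[0], account["salt"])
    # Constant-time comparison so response timing does not leak partial matches.
    if not hmac.compare_digest(candidate, account["pin_hash"]):
        return {"accepted": False, "reason": "bad PIN"}
    return {"accepted": True, "user": account["user"], "command": parts[1]}
```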
Facebook and Venmo, a mobile payment service, were also open to the same type of spoofing attacks. They recently fixed the bug, Rudenberg said.
The SMS flaw is well known among security researchers, said Roel Schouwenberg, a senior researcher at Kaspersky Lab. "[Nevertheless,] it's something that should be addressed, even if it's not a highly critical issue," he said.
Another way to fix the problem is for Twitter to handle messaging through its own app rather than relying on SMS. "It's generally best to steer clear from using text messages for these types of functionality," Schouwenberg said.
Rudenberg claimed he notified Twitter about the bug via a Web form on Aug. 17. On Sept. 6, Twitter asked him not to disclose the vulnerability until after it was fixed. After an Oct. 15 request for an update went unanswered, Rudenberg notified Twitter he would be going public.
A hijacked Twitter account can be humiliating. Early this year, actor Ashton Kutcher's Twitter account was hacked and embarrassing tweets posted in his name. Kutcher has 9 million followers.
Like all social media, Twitter battles attacks constantly. In September, cybercriminals were using compromised accounts to distribute messages disguised as coming from friends. The messages contained a link to a website that tried to install malware onto a PC.
Among the major reasons accounts are hijacked on social networks is weak password security, Sophos said. Users are too often allowed to use weak passwords in opening accounts.