ID: IRCNE2012121691
Date: 2012-12-05
According to "cnet", a security consultant says Twitter users who post tweets to their feeds via SMS could be vulnerable to a security flaw.
Jonathan Rudenberg yesterday described on his blog an SMS vulnerability he discovered in Twitter that allows anyone who knows someone's mobile number to post tweets to that person's feed.
For the vulnerability to be exploited, the victim must have SMS tweeting authorized on their account. From there, the would-be poster needs only to spoof the victim's mobile number through an SMS gateway -- something Rudenberg says can be done very easily -- and then post a message. Twitter also lets users change profile settings through SMS, leaving that information open to tampering as well.
Twitter's issue is that it automatically accepts tweets based on the originating address of the message "implicitly," according to Rudenberg. In addition, in some countries, Twitter doesn't support short codes, which ensure a message is transmitted only over one carrier's network and not between two operator services.
According to Rudenberg, Facebook was also subject to the SMS flaw. He contacted both Twitter and Facebook in August, and received confirmation last week from Facebook that it had resolved the issue. Twitter initially asked him to not disclose the vulnerability until it could solve the problem, but so far, it hasn't been addressed.
Despite the vulnerability's existence, Rudenberg provided no evidence of anyone actually exploiting it.