Twitter bug exploited for hacking high-profile accounts, posting tweets
In a surprising development, a group of UK-based security researchers was able to hijack high-profile celebrity accounts. They interacted with multiple accounts, including those of British documentary filmmaker Louis Theroux and news anchor Eamonn Holmes. However, the attack was not ill-intended but was designed specifically to highlight a major flaw in Twitter's account security system. Here's more on the matter.
How did these researchers post tweets?
On Friday, The Guardian reported that British firm Insinia hijacked the accounts to flag a vulnerability, which could be exploited via SMS. They spoofed mobile numbers of multiple account holders to send out unauthorized tweets on their behalf - without entering passwords. The goal was to highlight how a simple trick could be used to spread misinformation or ruin people's reputations.
Remember Twitter's SMS access feature?
The vulnerability is tied to the SMS access feature that Twitter has long provided. Basically, users who have SMS enabled can post anything to their account by texting the content with a simple command to a specific number (longcode/shortcode). In this case, the researchers used longcodes.
Twitter claims bug is resolved, but researchers deny it
After the vulnerability was flagged, Twitter issued a statement saying that the bug had been resolved. However, the researchers involved in the matter denied that claim in a statement to Gizmodo. In fact, they hijacked a few more accounts to demonstrate that the vulnerability remains unpatched on many accounts. Notably, it also remains unknown how many accounts are actually affected by this issue.
Also, DMs and other account details remain untouched
Though the bug relates to a major security concern, it is important to note that it only allows users to send out tweets via SMS. This means a potential attacker won't be able to use it to access your profile information or direct messages. Still, a loophole to send out unauthorized tweets is relatively dangerous and should be patched as soon as possible.
Is SMS authentication a good option?
"We should not be using 50-year-old technology," Mike Godfrey, who runs Insinia, told The Guardian. "It is massively flawed by design. Even someone completely unskilled could carry out this attack within half an hour. This took us 10 minutes."