How high-profile accounts got hijacked through SMS-spoofing


30 Dec 2018

Twitter bug exploited for hacking high-profile accounts, posting tweets

In a surprising development, a group of UK-based security researchers was able to hijack high-profile celebrity accounts.

They interacted with multiple accounts, including those of British documentary filmmaker Louis Theroux and news anchor Eamonn Holmes.

However, the attack was not ill-intended but was designed specifically to highlight a major flaw in Twitter's account security system.

Here's more on the matter.


How these researchers posted tweets?


On Friday, The Guardian reported that British firm Insinia hijacked the accounts to flag a vulnerability, which could be exploited via SMS.

They spoofed the mobile numbers of multiple account holders to send out unauthorized tweets on their behalf, without entering passwords.

The goal was to highlight how a simple trick could be used to spread misinformation or ruin people's reputations.

Remember Twitter's SMS access feature?

The vulnerability is tied to the SMS access feature that Twitter has long been providing. Basically, users who have SMS enabled can post anything to their account by texting the content with a simple command to a specific number (longcode/shortcode). In this case, the researchers used longcodes.


Twitter's response

Twitter claims bug is resolved, but researchers deny

After the vulnerability was flagged, Twitter issued a statement saying that the bug has been resolved.

However, the researchers involved in the matter denied that claim in a statement to Gizmodo.

In fact, they hijacked a few more accounts to demonstrate how the vulnerability still remains unpatched on many accounts.

Notably, it also remains unknown how many accounts are actually affected by this issue.

DM access

Also, DMs and other account details remain untouched


Though the bug relates to a major security concern, it is important to note that it only allows users to send out tweets via SMS.

Meaning, a potential attacker won't be able to use it for accessing your profile information or direct messages.

Still, a loophole to send out unauthorized tweets is relatively dangerous and should be patched as soon as possible.

Is SMS authentication a good option?

"We should not be using 50-year old technology," Mike Godfrey, who runs Insinia, told The Guardian. "It is massively flawed by design. Even someone completely unskilled could carry this attack within half an hour. This took us 10 minutes".

Most asked questions


Can this trick be used to hijack my Twitter account?

Asked 2018-12-30 13:05:25 by Pari Powar

Answered by NewsBytes

Details about the bug are not clear and it may or may not affect your account.

Is this problem affecting Indian users?

Asked 2018-12-30 13:05:25 by Pari Pawar

Answered by NewsBytes

The actual scale of the issue remains unknown, but as of now, it only seems to affect certain UK-based accounts tied to longcodes (a dedicated long number) for sending messages.

How to avoid this problem?

Asked 2018-12-30 13:05:25 by Ridhi Rangarajan

Answered by NewsBytes

Twitter has an SMS-pin system, which could be used to add an additional layer of security. It works only outside the US and for numbers tweeting via longcodes.
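The difference between the SMS posting feature described in the article and the PIN layer mentioned in this answer can be shown with a small inbound-SMS handler. This is an added example, not Twitter's code: the function names, the message format (PIN as the first word), the lockout threshold and the sample account are all assumptions made for illustration.

```python
import hmac

MAX_FAILURES = 3  # assumed lockout threshold, not a documented Twitter value

def new_accounts():
    # Constructed sample data; the number is in the UK range reserved for fiction.
    return {"+447700900123": {"handle": "@example_user", "pin": "4821", "failures": 0}}

def handle_sms_sender_only(accounts, sender, body):
    """Weak design: the claimed originating number is the only credential.
    The sender field of an SMS is set by the sending side, so it is a claim,
    not proof of who sent the message."""
    acct = accounts.get(sender)
    if acct is None:
        return ("rejected", "unknown number")
    return ("posted", acct["handle"], body)

def handle_sms_with_pin(accounts, sender, body):
    """Hardened design: the message must start with the account's PIN."""
    acct = accounts.get(sender)
    if acct is None:
        return ("rejected", "unknown number")
    if acct["failures"] >= MAX_FAILURES:
        # A short PIN is guessable, so failed attempts must be capped.
        return ("rejected", "sms posting locked")
    pin, _, text = body.partition(" ")
    # Constant-time comparison avoids leaking how much of the PIN matched.
    if not hmac.compare_digest(pin.encode(), acct["pin"].encode()):
        acct["failures"] += 1
        return ("rejected", "bad pin")
    acct["failures"] = 0
    if not text.strip():
        return ("rejected", "empty message")
    return ("posted", acct["handle"], text.strip())

if __name__ == "__main__":
    accounts = new_accounts()
    number = "+447700900123"
    # The handler cannot tell a genuine sender from a forged sender field.
    print(handle_sms_sender_only(accounts, number, "hello"))
    print(handle_sms_with_pin(accounts, number, "hello"))
    print(handle_sms_with_pin(accounts, number, "4821 hello"))
```

The PIN turns the phone number from a credential into an identifier; the lockout is there because a short numeric PIN with unlimited guesses adds little.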

Can hijacker read my messages?

Asked 2018-12-30 13:05:25 by Diya Chattopadhyay

Answered by NewsBytes

No. The bug can only be exploited for sending out tweets via SMS.
