All the latest UK technology news, reviews and analysis

Twitter and Facebook vulnerable to SMS exploit

05 Dec 2012
Security padlock image

A security researcher has warned Twitter and Facebook are vulnerable to an SMS exploit capable of sending out unauthorised messages through the social networks.

Security researcher Jonathan Rudenberg reported that the vulnerability affects users who have enabled SMS tweeting and SMS Facebook updates. Rudenberg found that users who do not use verification PINs for SMS-enabled accounts are in danger of a spoofing attack.

"Twitter [and Facebook] users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs knowledge of the mobile number associated with a target's account," Rudenberg wrote in a blog post.

"Messages can then be sent to Twitter [and Facebook] with the source number spoofed. Like email, the originating address of a SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else's number."

According to Rudenberg, a hacker would only need to know the phone number attached to a users account. With the phone number in hand a hacker would be able to send messages and make some profile changes, according to Rudenberg findings.

The security researcher said that a quick fix for the issue would be for users to be required to input a PIN for each SMS message sent out. However, he stated that a PIN solution was not available for US residents.

Twitter has fired back at Rudenberg's claims by stating that US users utilise an SMS channel "shortcode" which is impenetrable to spoofing attacks. According to Twitter, the issue of spoofing is only possible on "longcode" SMS channels.

In a blog post on the company's site Twitter said the issue should not be a worry for users on shortcode channels.

UK users are still on longcode channels and Twitter recommends users in longcode countries be sure to enable a SMS messaging PIN.

For its part, Facebook also recommended users enable SMS-messaging verification. In a statement sent into V3, Facebook claimed it had security measures in place for the issue and are continuing to work to improve its security.

"This is a known vulnerability of the SMTP and SMS system, but Facebook will seek to display a warning or reject the message, whenever the sender can not be authenticated," a Facebook spokesperson said in a statement.

"There are still a few cases that we accept the message and warn the user due to a high rate of false positives and limited adoption of authentication standards. We're working with the industry to develop better standards and practices to close those remaining holes."

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
James Dohnert

James is a freelance writer and editor. In addition to ClickZ, his work has appeared in publications like V3, The Commonwealth Club,, and Shonen Jump magazine. He studied Journalism at Weber State University.

More on Security
What do you think?
blog comments powered by Disqus

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?

Popular Threads

Powered by Disqus
Sony Xperia Z2 Tablet powered by Android KitKat 4.4

Sony Xperia Z2 Tablet video

We take a look at the lightweight, waterproof tablet

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery


iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

Software Development Engineer

Develop: Customise: Configure. Maximise your technical...

Manual Test Analyst /Tester Windows SQL Finance

Manual Test Analyst /Tester Windows SQL Financial Software...

.NET 4.5 Software Engineer C# Visual Studio

.NET 4.5 Software Engineer C# Visual Studio An opportunity...

Senior Project Manager (Software, service, technology, digital

Senior Project Manager (Software, service, technology...
To send to more than one email address, simply separate each address with a comma.