Twitter and Facebook vulnerable to SMS exploit

05 Dec 2012

A security researcher has warned that Twitter and Facebook are vulnerable to an SMS exploit capable of sending unauthorised messages through the social networks.

Security researcher Jonathan Rudenberg reported that the vulnerability affects users who have enabled SMS tweeting and SMS Facebook updates. Rudenberg found that users who do not use verification PINs for SMS-enabled accounts are in danger of a spoofing attack.

"Twitter [and Facebook] users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs knowledge of the mobile number associated with a target's account," Rudenberg wrote in a blog post.

"Messages can then be sent to Twitter [and Facebook] with the source number spoofed. Like email, the originating address of a SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else's number."

According to Rudenberg, an attacker would only need to know the phone number attached to a user's account. With the phone number in hand, the attacker would be able to post messages and make some profile changes, according to Rudenberg's findings.

The security researcher said that a quick fix for the issue would be for users to be required to input a PIN for each SMS message sent out. However, he stated that a PIN solution was not available for US residents.

Twitter has pushed back on Rudenberg's claims, stating that US users send tweets to an SMS "shortcode" channel that is not exposed to this kind of sender spoofing. According to Twitter, spoofing is only possible on "longcode" SMS channels, where messages are delivered via ordinary-length phone numbers.

In a blog post on the company's site Twitter said the issue should not be a worry for users on shortcode channels.

UK users are still on longcode channels, and Twitter recommends that users in longcode countries enable an SMS PIN.
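A worked illustration of the weakness and of the PIN fix described above, added here as an example; it is not code from the article, from Rudenberg's post, or from Twitter or Facebook. It models the SMS-to-post handler of a social network as a small Python class: the pre-fix path trusts the originating number alone, while the hardened path additionally requires the account's SMS PIN at the start of each message. The handle, phone number, PIN and message bodies are constructed for the demo, and the "spoofed" message stands in for one submitted through a long-code gateway with the target's number written into the source field.

```python
"""Added example (not from the article, Rudenberg, Twitter or Facebook):
a toy SMS-to-post gateway showing why trusting the SMS originating number
is unsafe and how a per-message PIN prefix closes the hole."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    handle: str
    phone: str                 # number registered for SMS posting
    pin: Optional[str]         # None when the user never set an SMS PIN
    posts: List[str] = field(default_factory=list)


@dataclass
class InboundSms:
    """What the carrier/gateway hands to the application.

    `sender` is whatever the submitting gateway put in the originating-address
    field. On long-code routes that field can be set to an arbitrary value,
    which is the spoofing the article describes."""
    sender: str
    body: str


class SmsPostingService:
    def __init__(self, accounts: List[Account]) -> None:
        self.by_phone: Dict[str, Account] = {a.phone: a for a in accounts}

    def post_vulnerable(self, sms: InboundSms) -> str:
        """Pre-fix behaviour: the originating number alone selects the account,
        so a spoofed source number posts as the victim."""
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return "unknown number"
        acct.posts.append(sms.body)
        return f"posted as {acct.handle}"

    def post_with_pin(self, sms: InboundSms) -> str:
        """Hardened behaviour: the message must start with the account's PIN,
        a shared secret that a spoofed originating address does not carry."""
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return "unknown number"
        if acct.pin is None:
            # Fail closed: an account without a PIN cannot post by SMS at all.
            return "rejected: no SMS PIN configured"
        pin, sep, text = sms.body.partition(" ")
        # compare_digest avoids leaking the PIN through timing; it only
        # accepts ASCII str, so guard against odd input before calling it.
        if not sep or not pin.isascii() or not hmac.compare_digest(pin, acct.pin):
            return "rejected: bad or missing PIN"
        acct.posts.append(text)
        return f"posted as {acct.handle}"


def run_demo() -> Dict[str, str]:
    """Constructed scenario: one victim account and one attacker message whose
    source number has been spoofed to the victim's registered number."""
    victim = Account(handle="alice", phone="+447700900123", pin="4821")
    svc = SmsPostingService([victim])

    spoofed = InboundSms(sender="+447700900123", body="buy my coins")
    legit = InboundSms(sender="+447700900123", body="4821 lunch was good")

    results = {
        "spoofed_before_fix": svc.post_vulnerable(spoofed),   # attacker succeeds
        "spoofed_after_fix": svc.post_with_pin(spoofed),      # no PIN: rejected
        "legit_after_fix": svc.post_with_pin(legit),          # PIN present: ok
    }
    # Only the PIN-carrying text was published by the hardened path.
    results["published"] = "|".join(victim.posts)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The hardened path does not reduce the attacker's knowledge requirement (the number is still all they need to reach the handler), it changes what the handler trusts: the PIN is a secret only the account holder and the service know, so a message with a forged source address but no PIN is dropped. Twitter's short-code argument is a separate control and is not modelled here; the example is only about the long-code case where the source field is attacker-controlled.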

For its part, Facebook also recommended that users enable SMS verification. In a statement sent to V3, Facebook said it had security measures in place for the issue and is continuing to work to improve its security.

"This is a known vulnerability of the SMTP and SMS system, but Facebook will seek to display a warning or reject the message, whenever the sender cannot be authenticated," a Facebook spokesperson said in a statement.

"There are still a few cases that we accept the message and warn the user due to a high rate of false positives and limited adoption of authentication standards. We're working with the industry to develop better standards and practices to close those remaining holes."

James Dohnert

James is a freelance writer and editor. In addition to ClickZ, his work has appeared in publications like V3, The Commonwealth Club, CachedTech.com, and Shonen Jump magazine. He studied Journalism at Weber State University.
