All the latest UK technology news, reviews and analysis


Twitter and Facebook vulnerable to SMS exploit

05 Dec 2012
Security padlock image

A security researcher has warned Twitter and Facebook are vulnerable to an SMS exploit capable of sending out unauthorised messages through the social networks.

Security researcher Jonathan Rudenberg reported that the vulnerability affects users who have enabled SMS tweeting and SMS Facebook updates. Rudenberg found that users who do not use verification PINs for SMS-enabled accounts are in danger of a spoofing attack.

"Twitter [and Facebook] users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs knowledge of the mobile number associated with a target's account," Rudenberg wrote in a blog post.

"Messages can then be sent to Twitter [and Facebook] with the source number spoofed. Like email, the originating address of a SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else's number."

According to Rudenberg, a hacker would only need to know the phone number attached to a users account. With the phone number in hand a hacker would be able to send messages and make some profile changes, according to Rudenberg findings.

The security researcher said that a quick fix for the issue would be for users to be required to input a PIN for each SMS message sent out. However, he stated that a PIN solution was not available for US residents.

Twitter has fired back at Rudenberg's claims by stating that US users utilise an SMS channel "shortcode" which is impenetrable to spoofing attacks. According to Twitter, the issue of spoofing is only possible on "longcode" SMS channels.

In a blog post on the company's site Twitter said the issue should not be a worry for users on shortcode channels.

UK users are still on longcode channels and Twitter recommends users in longcode countries be sure to enable a SMS messaging PIN.

For its part, Facebook also recommended users enable SMS-messaging verification. In a statement sent into V3, Facebook claimed it had security measures in place for the issue and are continuing to work to improve its security.

"This is a known vulnerability of the SMTP and SMS system, but Facebook will seek to display a warning or reject the message, whenever the sender can not be authenticated," a Facebook spokesperson said in a statement.

"There are still a few cases that we accept the message and warn the user due to a high rate of false positives and limited adoption of authentication standards. We're working with the industry to develop better standards and practices to close those remaining holes."

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
James Dohnert
About

James is a freelance writer and editor. In addition to ClickZ, his work has appeared in publications like V3, The Commonwealth Club, CachedTech.com, and Shonen Jump magazine. He studied Journalism at Weber State University.

More on Security
What do you think?
blog comments powered by Disqus
Poll

IT curriculum poll

With coding now compulsory in schools, how important are digital skills for the next generation of school leavers?
0%
0%
0%
100%

Popular Threads

Powered by Disqus
Xperia Z2 vs Galaxy Note 3 video review.jpg

Xperia Z2 vs Galaxy Note 3 video review

We pit Sony's 2014 flagship against Samsung's ruling phablet

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Hybris Developer / Solution Designer / Analyst - CONTRACT

Hybris Developer / Hybris Solution Designer / Hybris...

Senior Java Developer

Java Developer required on a permanent for a pioneering...

3rd Line Support Engineer- London- SC Cleared

3rd Line Support Engineer- London- SC CLeared My client...

3rd Line Engineer - Slough - Contract

3rd Line Engineer - Slough - Contract Austin Fraser...
To send to more than one email address, simply separate each address with a comma.