Twitter and Facebook vulnerable to SMS exploit

A security researcher has warned Twitter and Facebook are vulnerable to an SMS exploit capable of sending out unauthorised messages through the social networks.

Security researcher Jonathan Rudenberg reported that the vulnerability affects users who have enabled SMS tweeting and SMS Facebook updates. Rudenberg found that users who do not use verification PINs for SMS-enabled accounts are in danger of a spoofing attack.

"Twitter [and Facebook] users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs knowledge of the mobile number associated with a target's account," Rudenberg wrote in a blog post.

"Messages can then be sent to Twitter [and Facebook] with the source number spoofed. Like email, the originating address of a SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else's number."

According to Rudenberg, a hacker would only need to know the phone number attached to a users account. With the phone number in hand a hacker would be able to send messages and make some profile changes, according to Rudenberg findings.

The security researcher said that a quick fix for the issue would be for users to be required to input a PIN for each SMS message sent out. However, he stated that a PIN solution was not available for US residents.

Twitter has fired back at Rudenberg's claims by stating that US users utilise an SMS channel "shortcode" which is impenetrable to spoofing attacks. According to Twitter, the issue of spoofing is only possible on "longcode" SMS channels.

In a blog post on the company's site Twitter said the issue should not be a worry for users on shortcode channels.

UK users are still on longcode channels and Twitter recommends users in longcode countries be sure to enable a SMS messaging PIN.

For its part, Facebook also recommended users enable SMS-messaging verification. In a statement sent into V3, Facebook claimed it had security measures in place for the issue and are continuing to work to improve its security.

"This is a known vulnerability of the SMTP and SMS system, but Facebook will seek to display a warning or reject the message, whenever the sender can not be authenticated," a Facebook spokesperson said in a statement.

"There are still a few cases that we accept the message and warn the user due to a high rate of false positives and limited adoption of authentication standards. We're working with the industry to develop better standards and practices to close those remaining holes."