All the latest UK technology news, reviews and analysis

Twitter and Facebook vulnerable to SMS exploit

05 Dec 2012
Security padlock image

A security researcher has warned Twitter and Facebook are vulnerable to an SMS exploit capable of sending out unauthorised messages through the social networks.

Security researcher Jonathan Rudenberg reported that the vulnerability affects users who have enabled SMS tweeting and SMS Facebook updates. Rudenberg found that users who do not use verification PINs for SMS-enabled accounts are in danger of a spoofing attack.

"Twitter [and Facebook] users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs knowledge of the mobile number associated with a target's account," Rudenberg wrote in a blog post.

"Messages can then be sent to Twitter [and Facebook] with the source number spoofed. Like email, the originating address of a SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else's number."

According to Rudenberg, a hacker would only need to know the phone number attached to a users account. With the phone number in hand a hacker would be able to send messages and make some profile changes, according to Rudenberg findings.

The security researcher said that a quick fix for the issue would be for users to be required to input a PIN for each SMS message sent out. However, he stated that a PIN solution was not available for US residents.

Twitter has fired back at Rudenberg's claims by stating that US users utilise an SMS channel "shortcode" which is impenetrable to spoofing attacks. According to Twitter, the issue of spoofing is only possible on "longcode" SMS channels.

In a blog post on the company's site Twitter said the issue should not be a worry for users on shortcode channels.

UK users are still on longcode channels and Twitter recommends users in longcode countries be sure to enable a SMS messaging PIN.

For its part, Facebook also recommended users enable SMS-messaging verification. In a statement sent into V3, Facebook claimed it had security measures in place for the issue and are continuing to work to improve its security.

"This is a known vulnerability of the SMTP and SMS system, but Facebook will seek to display a warning or reject the message, whenever the sender can not be authenticated," a Facebook spokesperson said in a statement.

"There are still a few cases that we accept the message and warn the user due to a high rate of false positives and limited adoption of authentication standards. We're working with the industry to develop better standards and practices to close those remaining holes."

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
James Dohnert

James is a freelance writer and editor. In addition to ClickZ, his work has appeared in publications like V3, The Commonwealth Club,, and Shonen Jump magazine. He studied Journalism at Weber State University.

More on Security
What do you think?
blog comments powered by Disqus

Microsoft Azure outage

Is cloud computing reliable enough for business yet?

Popular Threads

Powered by Disqus
iPhone 6 is available in silver gold and space grey

iPhone 6 video review

The best iOS handset to date

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging


Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

IT Systems Administrator - Warrington, £40k - £45k basic, Concept

IT Systems Administrator - Birchwood, Warrington, £40k...

Web Developer - £35k - £40k, Manchester city centre, PHP, MVC, Python

PHP Web Developer - Manchester city centre, £35k - £40k...

IT Support - £17k - £19k basic + benefits package, Chorley

IT Support - £17k - £19k basic + benefits package, Chorley...

Wintel Senior Support Engineer

Primary Location: UK-Scotland-Motherwell-North Lanarkshire...
To send to more than one email address, simply separate each address with a comma.