First Twitter Vulnerability

For all you people who are just crazy about Twitter, a vulnerability has been posted that will allow you to post to someone else’s twitter account. Since twitter uses caller id to authenticate users, it is very easy to post to someone else’s account since it is so easy to spoof the caller id number. Fakemytext.com is just one example of a site that will help you do just that.

Got friends on Twitter? Know their phone number? That?s all you need to take over their account and start posting messages in their name.

A similar exploit affects Jott, another service revolving around phone-based updates.

The vulnerability stems from the fact that both services use caller ID to authenticate users, but unfortunately caller ID is notoriously easy to spoof. In fact there?s a website designed to do just that ? fakemytext.com

By spoofing your caller ID, an attacker could post Twitter messages in your name.

Nitesh Dhanjani over at O?Reilly details the hacks and claims to have successfully exploited the vulnerabilities on both services. Source: Twitter Vulnerability: Spoof Caller ID To Take Over Any Account

The vulnerability was first detailed on the Oreilly.net website:

  1. I registered at fakemytext.com, a SMS spoofing service.
  2. Since the fakemytext.com service is based in the UK, I went through the Twitter FAQ and noted their UK based SMS number: +44-7781-488126.
  3. I sent the following SMS via fakemytext.com to +44-7781-488126 with the ?From? number set to my phone number: ?Testing via http://www.fakemytext.com/ . This better not work!?
  4. I checked my Twitter page, and sure enough, it was updated with the above SMS message. This means that anyone who knows a Twitter user?s cell phone number can update that persons Twitter page.

Source: Twitter and Jott Vulnerable to SMS and Caller ID Spoofing

Jott, a service that allows people to update people on important events is also vulnerable, as well as any other sites that use some form of authentication using caller id. The writers suggest a pin number to keep people from being able to exploit this.

I have created a Twitter page for security notifications and updates here, security.

Added: Just finished reading the comments on the Oreilly site, an engineer from Twitter chimes in and he’s not too happy about the disclosure.

I don’t think we were given nearly enough time to respond before this article was published, but that’s my personal opinion and not the opinion of Obvious.

It doesn’t take a genius to see that if every SMS-based application out there is vulnerable to spoofing, it’s probably a protocol-level flaw.

That said, doing the research involved to make a security recommendation to the mobile carriers would have taken real effort on the part of the author. Why bother when cheap hacks like this are easy and fun?

So, the Twitter engineer thinks the author should’ve tried to change how caller id works instead of posting the disclosure and letting everyone know it is possible. I think he’s been up to late working on a solution to something they should have tested to start with, was no one thinking about security when this was setup? The author in reply said,

SMS was never designed to be used for authentication, just as the From: address in a email was never designed to be something to authenticate against.

And he is correct. As far as I know, caller id was just to let people know who called or are calling, kind of like looking through the peephole when someone knocks at your door, it wasn’t designed to give people access to something. That’s like someone knocking on your door, seeing the peephole and walking on in because they must know who you are. Grow up and take some responsibility for your applications.