Twitter open to illegal tweets
p2pnet news view | Security:- Hijackers can post tweets from other people’s Twitter accounts, say numerous reports.
“Twitter, the micro-blogging site, has closed an SMS spoofing security hole which, until Wednesday night, left accounts open to being hijacked,” says H-Online, continuing:
“The vulnerability was due to an authentication weakness that allowed anyone who knew a user’s mobile number to spoof their messages, provided that the user’s mobile number was set up to post and receive Twitter messages.”
Then, “An earlier claim that Twitter had fixed the spoof SMS messages issue has been proven not to apply to the UK and Germany, where an attacker with nothing more than the phone number of a mobile phone associated with a Twitter account can send faked messages that appear as a tweet from the victim,” says a second H-Online story.
“In testing at heise Security in Germany and at The H Security in the UK, we were able to create faked tweets, such as this for @heisec and this for @honline, using nothing more than an SMS sender faking service,” it says.
US-based mobile carriers “have deployed measures in place to prevent SMS spoofing so that the issue involves Twitter gateways outside the US,” says The Register, adding:
“Faked messages involving US numbers sent through these gateways may still pose a problem. Twitter users are advised to use the SMS PIN option to tamper-proof their text message tweets.
“Security researcher Lance James identified the latest vulnerability involving Twitter and SMS spoofing, but the attack vector is not new. Security researcher Nitesh Dhanjani pinpointed a very similar threat to Twitter involving SMS spoofing in April 2007, at which point Twitter introduced PIN protection.”
Adds H-Online:
“In the UK, we had a mobile phone associated with a Twitter account. By taking only the number of the mobile phone and setting it as the sender field on PhonyText then sending an SMS to +447624801423, the UK number for sending SMS tweets, we were able to see our message appear in the tweets on the honline page. We then promptly removed the association between the phone and the Twitter account. An attacker could have created a message directing followers to malware sites, to other risky locations on the web, or posted tweets designed to ruin the reputation of the account owner.”
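To make the weakness and the PIN mitigation concrete, here is an added Python model of an SMS-to-tweet gateway; it is not Twitter’s code, and the account table, the phone numbers and the “PIN as the first word of the message” format are constructed assumptions. The first function trusts the sender field alone, which is exactly what a sender-faking service defeats; the second requires the per-account PIN, so knowing the phone number is no longer enough.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class InboundSms:
    sender: str  # "From" number as delivered by the gateway; this is the field a spoofing service forges
    body: str


# Constructed sample account table (not real numbers): phone number -> (handle, PIN or None)
ACCOUNTS = {
    "+15550100": ("alice", "4921"),  # alice turned on the SMS PIN option
    "+15550101": ("bob", None),      # bob relies on the phone number alone
}


def weak_gateway(sms: InboundSms) -> Optional[Tuple[str, str]]:
    """Sender-number-only authentication, the weakness described above.
    Anyone who can forge the sender field can post as that account."""
    acct = ACCOUNTS.get(sms.sender)
    if acct is None:
        return None
    handle, _pin = acct
    return handle, sms.body


def pin_gateway(sms: InboundSms) -> Optional[Tuple[str, str]]:
    """Sender number plus a per-account PIN carried as the first word of the message
    (assumed format). The PIN is stripped before the text is posted."""
    acct = ACCOUNTS.get(sms.sender)
    if acct is None:
        return None
    handle, pin = acct
    if pin is None:
        return handle, sms.body  # user opted out of the PIN: same exposure as weak_gateway
    token, sep, text = sms.body.partition(" ")
    if not sep or not text.strip() or not hmac.compare_digest(token.encode(), pin.encode()):
        return None  # missing or wrong PIN: drop, never post the attempt as a tweet
    return handle, text.strip()


if __name__ == "__main__":
    # Constructed messages: one genuine, one from someone who knows only alice's number
    genuine = InboundSms("+15550100", "4921 lunch at noon")
    spoofed = InboundSms("+15550100", "click this link now")
    print("weak:", weak_gateway(spoofed))  # posts the forged text as alice
    print("pin :", pin_gateway(spoofed))   # None
    print("pin :", pin_gateway(genuine))   # ('alice', 'lunch at noon')
```

A PIN that travels in the message body is only as secret as the SMS path it crosses, so this raises the bar for a spoofer rather than making the channel cryptographically authenticated.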
In January, “Someone hacked Barack Obama’s Twitter account, report the site’s admins,” said p2pnet, going on:
“ ‘This morning we discovered 33 Twitter accounts had been “hacked”,’ they blog.
“ ‘We immediately locked down the accounts and investigated the issue.’ ”
However, Obama “and others” were soon back in control of their accounts, said Twitter, noting Obama hadn’t logged in since he was elected.
(Cheers, Marc)
H-Online – Twitter closes SMS spoofing hole – Updated, March 6, 2009
H-Online – Twitter spoofing fix fails in UK and Germany, March 6, 2009
The Register – Twitter SMS spoofing still undead, March 6, 2009
p2pnet – Barack Obama’s Twitter account hacked, January 6, 2009
March 6th, 2009 at 5:38 pm
Does this have any repercussions for those who have to pay for SMS messages (sent/received) via cell?
Or does this affect the online twitter account only?
The way I read the article it seems this spoofing is sending SMS….
Am I mistaken here?
Could, as an example, a Bell mobile user with twitter SMS premium be charged?
March 7th, 2009 at 1:09 pm
Use http://m.twitter.com instead