Security researchers have hijacked a number of celebrities' Twitter accounts – including that of Louis Theroux – to send unauthorized tweets. They have also shown that Twitter's claim that the problem did not work …
Gizmodo reports that the researchers revealed the method they used so that Twitter could fix it, but the vulnerability still exists even though the social media company claimed it had closed the loopholes.
A Twitter spokesperson told reporters on Friday that it had "fixed an error that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing." However, during a conversation with Gizmodo, the hackers who posted unauthorized tweets to the celebrity accounts showed that they had reproduced the experiment after Twitter made that claim.
The vulnerability concerns a Twitter feature introduced at a time when smartphones were still relatively rare. To allow people to tweet from dumb phones, Twitter offers a "tweet by SMS" feature. Any text sent to Twitter from the phone number associated with the account will be posted as a tweet.
What the researchers were able to do was spoof phone numbers so that texts they sent would be tweeted from accounts owned by a number of celebrities and journalists.
The researchers from Insinia Security say they notified the account holders, but did not seek consent from them. They say they used celebrity Twitter accounts to draw a lot of attention to the vulnerability.
On Friday, Twitter claimed it had "fixed an error that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing", but the researchers were able to demonstrate today that the same method still works.
The problem follows closely on the heels of a support form error that exposed user details such as the country code of their phone number. It was reported that this seemingly limited data was likely used by state-sponsored actors to gather information on Twitter accounts.