Twitter claims to have resolved a bug that allowed a group of London-based security researchers to post unauthorized tweets to the accounts of British celebrities and journalists. But the hackers who originally exposed the vulnerability say that is complete rubbish.
A Twitter spokesperson told reporters on Friday that it had "fixed a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing." However, during a conversation with Gizmodo, the hackers who posted the unauthorized tweets to the celebrity accounts appeared to reproduce the experiment after Twitter had made its claim.
The Guardian had reported earlier in the day that the bug was resolved and quoted the same statement that was given to Gizmodo. Pressed for an explanation, Twitter would only say that it is still investigating the matter to ensure that "account security protocols work as expected."
The hijacking tests are controversial because the account holders, while reportedly notified, did not consent to the experiment, which was carried out by a group called Insinia Security. The group says it was motivated to demonstrate the existence of the bug on high-profile accounts in order to draw attention to the problem.
In effect, the bug allows virtually anyone to post updates to certain SMS-enabled accounts, although it is unclear how many accounts may be vulnerable. "We do not believe there is any significant risk to US account holders," said Twitter's spokesperson.
Among the accounts hijacked by the researchers are those belonging to the broadcaster Eamonn Holmes and the documentary filmmaker Louis Theroux.
The method used involves sending text messages to Twitter containing commands while spoofing the user's phone number. Unknown to many users, a Twitter account can accept text message commands provided the user knows where to send them. The numbers used vary from country to country and come in two forms: a long code that looks like a regular telephone number, and a short code that is usually three to five digits long.
The long code assigned to the United Kingdom, where Insinia performed its tests, is +447624800379. The short code for US users is 40404.
Short codes are not available in all countries. Before a change in 2012, the long codes could be used by anyone in any country, even if the prefix contained a foreign international dialing code (also known as a "country code").
There are many apps available online that can be used to "spoof" a phone number, but it can be illegal without consent. Spoofing a number allows someone to send messages or calls that appear to be from another person's phone.
After discovering which phone numbers various celebrities used to control their Twitter accounts, the hackers were apparently able to spoof those numbers and send commands using one of Twitter's long codes.
"If we can get text from what appears to be your number, then we can interact with and completely control your Twitter account," Insinia Security said in a now-deleted tweet. A Twitter spokesperson told Gizmodo and other outlets, "We have resolved an error that allowed specific accounts with a connected UK phone number to be targeted by SMS spoofing. We continue to investigate any related reports to ensure our account security protocols work as expected."
During a private chat with Gizmodo, the hackers appeared to reproduce the experiment, forcing an account belonging to the head of a London-based financial technology company to retweet a tweet from the BBC. Insinia said it had confirmed the bug still works using "a number of accounts."
In 2012, Twitter acknowledged a vulnerability that allowed hackers to perform these types of attacks, but said certain accounts were immune; namely, accounts based in the US, where a short code had been assigned. At that time, there was no short code for UK users interested in sending SMS-based commands.
In response to the problem, Twitter rolled out a PIN system for users who had signed up for the service using a long code. This security measure was not necessary for users in countries with short codes, the company said. It took the extra step of disabling the ability to use a long code in countries where a short code was available.
The UK has several Twitter short codes, so it is unclear why a long code still works with UK-based accounts.
Insinia said that so far the spoofing experiment has only worked on accounts when it used a long code to deliver the commands. It would follow that the problem could once again be fixed by disabling the use of long codes wherever possible. Insinia told Gizmodo that it is currently investigating a method of hijacking accounts that can only receive commands via a short code.
We will update this story with any additional information Twitter provides.
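To make the long-code weakness and the two mitigations described above concrete, here is an added Python model of a gateway's authorization decision; it is constructed for this article and is not Twitter's code. It assumes a PIN, where enrolled, is sent as a `PIN <digits>` prefix on the message, and the victim and gateway numbers other than those quoted in the article are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed model of an SMS command gateway (hypothetical, not Twitter's code).
# Gateway numbers come from the article; UK short code values are not given there,
# so only the US short code is listed and the UK is flagged by country instead.
LONG_CODES = {"+447624800379": "GB"}
SHORT_CODES = {"40404": "US"}
COUNTRIES_WITH_SHORT_CODE = {"US", "GB"}

@dataclass
class Account:
    handle: str
    phone: str              # linked number; caller ID is all the gateway sees
    country: str
    pin: str | None = None  # set once the user enrols in PIN protection

@dataclass
class Policy:
    require_pin_on_long_code: bool = True                   # Twitter's 2012 mitigation
    disable_long_code_where_short_code_exists: bool = True  # fix Insinia suggests

def parse_body(body: str) -> tuple[str | None, str]:
    """Assumed format: optional 'PIN <digits>' prefix, then the command text."""
    parts = body.split(maxsplit=2)
    if len(parts) == 3 and parts[0].upper() == "PIN":
        return parts[1], parts[2]
    return None, body

def authorize(account: Account, sender: str, dest: str, body: str,
              policy: Policy) -> tuple[bool, str]:
    """Decide whether an inbound SMS may act on `account`; returns (allowed, reason)."""
    # Caller ID is the only link between message and account, so a spoofed
    # sender matching the linked number passes this check unchallenged.
    if sender != account.phone:
        return False, "sender not linked to account"
    if dest in SHORT_CODES:
        # The article reports spoofing only succeeded via long codes, so
        # short-code traffic is trusted on caller ID alone in this model.
        return True, "short code"
    if dest not in LONG_CODES:
        return False, "unknown gateway number"
    if (policy.disable_long_code_where_short_code_exists
            and account.country in COUNTRIES_WITH_SHORT_CODE):
        return False, "long code disabled where a short code exists"
    if policy.require_pin_on_long_code:
        pin, _command = parse_body(body)
        if account.pin is None or pin != account.pin:
            return False, "PIN required on long code"
    return True, "long code"
```

With both policy flags off, a message whose caller ID matches the linked number is accepted on the UK long code with no further check; enabling the PIN requirement rejects it unless the enrolled PIN is supplied, and disabling long codes for countries with a short code closes that path for UK accounts entirely.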
Featured image: AP