Twitter SMS bug lets hackers tweet via other users' accounts

The security consultant says someone could easily spoof an originating SMS number and post messages to another person's Twitter account. Facebook has apparently already addressed the flaw in regard to its site.

Don Reisinger
Don Reisinger
Former CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.
2 min read

Twitter users who post tweets to their feeds via SMS could be vulnerable to a security flaw, according to a security consultant.

Jonathan Rudenberg yesterday posted to his blog an SMS vulnerability he discovered in Twitter that allows anyone who has knowledge of someone's mobile number to post tweets to that person's feed.

In order for the vulnerability to be exploited, victims must have SMS tweeting authorized on their accounts. From there, the would-be poster needs only to spoof their actual mobile number through an SMS gateway -- something Rudenberg says can be done very easily -- and then post a message. Twitter also lets folks change profile settings through SMS, leaving that information open to hacking as well.

Twitter's issue is that it automatically accepts tweets from an originating address "implicitly," according to Rudenberg. In addition, in some countries, Twitter doesn't support short codes, which ensure a message is transmitted only over one carrier's network and not between two operator services.

According to Rudenberg, Facebook was also subject to the SMS flaw. He contacted both Twitter and Facebook in August, and received confirmation last week from Facebook that it had resolved the issue. Twitter initially asked him to not disclose the vulnerability until it could solve the problem, but so far, it hasn't been addressed.

Still, there are ways around it. As Rudenberg points out, Twitter does allow users to input a PIN that would need to be used prior to sending a tweet via SMS. Assuming the would-be poster doesn't know what that PIN is, the victim is safe. PINs are not supported in the U.S., according to Rudenberg.

Despite the vulnerability's existence, Rudenberg provided no evidence of anyone actually exploiting it.

CNET has contacted Twitter for comment on the report. We will update this story when we have more information.