20.5k unique visitors in the last 3 days

SMS Used to Hijack UK Celebrity Twitter Accounts

Some questioned the ethics and legality of the stunt, but it does raise the question of why Twitter still allows users to manage their accounts via SMS.

Security firm INSINIA has scored a lot of publicity for themselves by using SMS messages to exercise control over the Twitter accounts of a few British celebrities, including documentary maker Louis Theroux (as pictured above). Their method involves sending spoofed SMS messages to +447624800379, a number used by Twitter in the UK. The spoofed texts were manipulated to appear as if they originated from the number of the genuine Twitter account holder.

Twitter allows various commands to be executed by SMS, including the posting of new tweets and the sending of direct messages. As INSINIA observes, this could lead to embarrassment and reputation damage for victims. They argue that their publicity stunt was necessary to encourage users to remove their phone numbers from Twitter, and to force Twitter to improve its security, saying the social media network should…

…decouple your phone number  —  using your number for TFA [two factor authentication] should not automatically allow you to Tweet from that number, especially with SIM Swap attacks becoming more prevalent.

Not surprisingly, some parties questioned the ethics and legality of INSINIA’s actions, because the users whose Twitter accounts were commandeered did not give permission beforehand. Kevin Beaumont, winner of “Best EU Security Tweeter” at Infosec18, commented:

Mike Godfrey of Insinia Security argued that no laws had been broken. Godfrey told Sky News:

“We haven’t hacked anything,” he explained, saying that there was simply no authentication processes for the company to have breached, and stressing: “There was no criminal intent, no criminal gain, no traversal, no pivoting, nothing at all.”

Insinia stressed to Sky News that it did not access data, nor did the hijack put any of the Twitter users’ data at risk of being accessed, but merely allowed them to send a message from their account.

Twitter responded by saying they had resolved the ‘bug’ that made some accounts vulnerable to this kind of spoofing. However, this was disputed by others.

Whatever the rights and wrongs of this publicity stunt, we should question why Twitter continues to allow accounts to be controlled by text messages. SMS vulnerabilities are well understood, and there must only be a few Twitter users who manage their accounts via SMS instead of launching the app on their smartphones.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email