Security firm INSINIA has scored a lot of publicity for themselves by using SMS messages to exercise control over the Twitter accounts of a few British celebrities, including documentary maker Louis Theroux (as pictured above). Their method involves sending spoofed SMS messages to +447624800379, a number used by Twitter in the UK. The spoofed texts were manipulated to appear as if they originated from the number of the genuine Twitter account holder.
Twitter allows various commands to be executed by SMS, including the posting of new tweets and the sending of direct messages. As INSINIA observes, this could lead to embarrassment and reputation damage for victims. They argue that their publicity stunt was necessary to encourage users to remove their phone numbers from Twitter, and to force Twitter to improve its security, saying the social media network should…
…decouple your phone number — using your number for TFA [two factor authentication] should not automatically allow you to Tweet from that number, especially with SIM Swap attacks becoming more prevalent.
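The weakness described above is that the service treats the SMS sender number as proof of identity, and that the number registered for two-factor codes is automatically also a command channel. The following is an added illustration, not Twitter's code or anything published by INSINIA: a toy SMS command gateway with the caller-ID-trusting handler beside a hardened one that (a) only accepts commands from accounts that explicitly opted in, separately from the 2FA number, and (b) requires a per-user PIN in the message. The account records, phone numbers (Ofcom's reserved 07700 900xxx drama range) and PIN are constructed sample data; the handler names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hmac


@dataclass
class Account:
    handle: str
    phone: str                              # number used to receive 2FA codes
    sms_commands_enabled: bool = False      # separate opt-in for SMS control
    sms_pin: Optional[str] = None           # per-user PIN required in commands
    timeline: List[str] = field(default_factory=list)
    inbox: List[str] = field(default_factory=list)


def make_sample_accounts() -> Dict[str, Account]:
    """Constructed sample data: one 2FA-only user, one who opted in to SMS commands."""
    return {
        "victim": Account("victim", "+447700900123"),
        "optin": Account("optin", "+447700900456",
                         sms_commands_enabled=True, sms_pin="4821"),
    }


def find_by_phone(accounts: Dict[str, Account], phone: str) -> Optional[Account]:
    return next((a for a in accounts.values() if a.phone == phone), None)


def execute(accounts: Dict[str, Account], acct: Account, command: str) -> str:
    """Run a command in the style of the SMS interface: 'D <handle> <text>'
    sends a direct message, anything else is posted as a tweet."""
    verb, _, rest = command.partition(" ")
    if verb.upper() == "D":
        target_handle, _, text = rest.partition(" ")
        target = accounts.get(target_handle)
        if target is None:
            return "rejected: unknown recipient"
        target.inbox.append(f"{acct.handle}: {text}")
        return "dm sent"
    acct.timeline.append(command)
    return "posted"


def handle_sms_trusting_caller_id(accounts: Dict[str, Account],
                                  sender: str, body: str) -> str:
    """Weak design: the SMS sender number is the only 'authentication', and
    any number on file (including a 2FA-only number) can issue commands."""
    acct = find_by_phone(accounts, sender)
    if acct is None:
        return "rejected: unknown number"
    return execute(accounts, acct, body)


def handle_sms_hardened(accounts: Dict[str, Account],
                        sender: str, body: str) -> str:
    """Hardened design: the 2FA number alone grants nothing; the account must
    have opted in to SMS commands and each message must start with the PIN."""
    acct = find_by_phone(accounts, sender)
    if acct is None:
        return "rejected: unknown number"
    if not acct.sms_commands_enabled:
        return "rejected: SMS commands not enabled"
    pin, _, command = body.partition(" ")
    # Constant-time comparison so PIN checking does not leak via timing.
    if acct.sms_pin is None or not hmac.compare_digest(pin, acct.sms_pin):
        return "rejected: bad PIN"
    if not command:
        return "rejected: empty command"
    return execute(accounts, acct, command)


if __name__ == "__main__":
    accts = make_sample_accounts()
    # A message whose sender field matches the victim's 2FA number.
    print(handle_sms_trusting_caller_id(accts, "+447700900123", "hello"))  # posted
    accts = make_sample_accounts()
    print(handle_sms_hardened(accts, "+447700900123", "hello"))   # rejected
    print(handle_sms_hardened(accts, "+447700900456", "4821 hello"))  # posted
```

The PIN is a mitigation for sender spoofing, not for a SIM swap: an attacker holding the victim's SIM still does not know the PIN, but anyone who can read the outbound text (the carrier path) does, so the opt-in switch, which keeps the 2FA number out of the command path entirely, is the more important of the two checks.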
Not surprisingly, some parties questioned the ethics and legality of INSINIA’s actions, because the users whose Twitter accounts were commandeered did not give permission beforehand. Kevin Beaumont, winner of “Best EU Security Tweeter” at Infosec18, commented:
I think the message here is UK cyber companies can openly flout the Computer Misuse Act to hack celebrities because it’s only being applied to teenagers. https://t.co/DDSOqJLG7Z
— Kevin Beaumont (@GossiTheDog) December 29, 2018
Mike Godfrey of Insinia Security argued that no laws had been broken. Godfrey told Sky News:
“We haven’t hacked anything,” he explained, saying that there was simply no authentication process for the company to have breached, and stressing: “There was no criminal intent, no criminal gain, no traversal, no pivoting, nothing at all.”
Insinia stressed to Sky News that it did not access data, nor did the hijack put any of the Twitter users’ data at risk of being accessed, but merely allowed them to send a message from their account.
Twitter responded by saying they had resolved the ‘bug’ that made some accounts vulnerable to this kind of spoofing. However, this was disputed by others.
If you are reading this Twitter still has not fixed the bug that allows us
to spoof an SMS. There is also no way for us to set an SMS pin.
— The AntiSocial Engineer (@antisocial_eng) December 30, 2018
Whatever the rights and wrongs of this publicity stunt, we should question why Twitter continues to allow accounts to be controlled by text messages. SMS vulnerabilities are well understood, and there must only be a few Twitter users who manage their accounts via SMS instead of launching the app on their smartphones.