Vulnerability disclosed in tweets sent to Twitter via SMS
Yesterday, coinciding with the 20th anniversary of SMS, we commented that this service, in addition to popularizing digital mobile telephony worldwide, had made services like Twitter possible, because the 140-character limit was no coincidence: it was matched to the size of a text message. Although over the years (with the growing penetration of mobile data connections and smartphones) tweeting via SMS has become quite rare, it remains a valid path and is used, for example, in markets where feature phones remain the majority. This alternative route into Twitter appears to carry a vulnerability that, according to an expert in the field, could allow a third party to impersonate users who have enabled this option and post to the service as them.
The person who published this vulnerability is Jonathan Rudenberg, a security expert who drew users' attention to it through his blog after reporting the problem to Twitter several months ago and receiving no reply, let alone seeing a fix (beyond Twitter's request not to make the vulnerability public). Apparently Facebook had the same problem with messages sent by SMS, but after it was reported in August, Mark Zuckerberg's social network fixed it last week.
So what is the problem? What is the vulnerability? As Rudenberg explains on his blog, it affects only users who have enabled posting tweets via SMS (a channel through which they can even manage their profile settings). To enable this option, the user must provide their mobile phone number and, in theory, Twitter will process only requests that come from that number, which looks like a safe arrangement. However, according to the security expert, a third party with bad intentions could send messages through an intermediate gateway and spoof our phone number, thereby controlling our account remotely.
If you have not enabled the option to send tweets via SMS, there is nothing to fear; if you do have it enabled on your account, it may be worth taking some action to minimize the risk. On one hand, the simplest solution is to disable this option until Twitter fixes the problem (perhaps the most radical measure). On the other hand, in some countries it is possible to activate an extra security level under which each SMS must also carry a security code that certifies and guarantees the authorship of the tweet. Unfortunately, this option is not available in all countries (in the United States, for example, it is not offered to users).
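The difference between trusting the originating number alone and also requiring a security code, as an added example that is not Twitter's code: the `Account` record, the function names, and the layout that puts the code in the first word of the message are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Account:
    handle: str
    phone: str  # number the user registered for SMS posting
    pin: str    # per-account security code (assumed: first word of the SMS)


# Constructed sample data, not a real account or phone number.
ACCOUNTS = {"+15550100": Account("alice", "+15550100", "4821")}


def accept_sender_only(sender: str, body: str) -> Optional[Tuple[str, str]]:
    """Weak check: the claimed originating number is the only credential."""
    acct = ACCOUNTS.get(sender)
    return (acct.handle, body) if acct else None


def accept_with_pin(sender: str, body: str) -> Optional[Tuple[str, str]]:
    """Hardened check: the number selects the account, the code authenticates it."""
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return None
    pin, _, text = body.partition(" ")
    # Constant-time comparison so the check does not leak the code via timing.
    if not hmac.compare_digest(pin.encode(), acct.pin.encode()):
        return None
    text = text.strip()
    return (acct.handle, text) if text else None


if __name__ == "__main__":
    # Same sender field in both messages; only one carries the account's code.
    forged = ("+15550100", "not written by alice")
    genuine = ("+15550100", "4821 hello from my phone")
    print("sender-only, forged :", accept_sender_only(*forged))
    print("with code,   forged :", accept_with_pin(*forged))
    print("with code,   genuine:", accept_with_pin(*genuine))
```

A short numeric code only helps if failed attempts are rate-limited per number, which this sketch leaves out.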
Logically, the risk is small, because the attacker must know our phone number and know that we send tweets via SMS (something not very common).

Tags: security, sms, Twitter, vulnerability