Twitter SMS security hole


In my Twitter stream yesterday I noticed that one of the people I follow had written a tweet with only one word, it was “Gnarf”. I have seen the word before but did not really know what it meant so I thought it was time to look it up. After looking up the word I posted a link to the description. After some minutes I noticed the following tweet sent from my account:

I did not send that tweet, was my account hacked?

Hacked, yes and no

What drew my attention was that it was sent via “txt”. For some reason I have enabled the possibility to tweet by sending in SMS to Twitter via a local phone number (this function might not be enabled in your country). So my conclusion was that the tweet wasn’t a result of a rogue application. So someone/something could pretend to be my mobile phone when sending SMS. I have been working quite a lot with SMS services so my first thought was that someone simply changed the sender address in some type of SMS software solution. Sending SMS from a web interface is pretty simple. You need a account at some SMS provider  and then with the help of a couple of lines of code you are up and running. Setting the from phone number is something most of this services have enabled and the from phone number is what Twitter uses when verifying SMS/tweets sent from mobile devices.

Could it be that simple?

Yes, it was. So by knowing someones mobile phone number I can now send SMS into Twitter and post as that user.
Besides knowing the users number you need to know if the user actually enabled SMS tweeting. So it is a bit of trial and error before you can start tweeting as someone else.

Can I protect myself?

Yes, disable the SMS all in all or enable the PIN option. With the PIN option you need to prefix all SMS with your PIN code.

What can Twitter do?

They could disable the open SMS tweet function (only allowing PIN SMS). Keeping it open will keep the hole open. The reason for this is that Twitter can’t see if the SMS is from a physical device or from a software generated solution. I would suggest that you think twice before enabling SMS tweets without the PIN function.

Thanks to @claes who Gnarf:ed me and made me look into this. He obviously knew about this long before me. I am not sure if he does it the same way as me. I’ll need to ask him about that ;-).

BTW: This is what I found about Gnarf – For some fun you should read beyond the first definitions.

Enhanced by Zemanta