Twitter’s Mobile Phone Integration Is Insecure
For at least a decade now, most hackers have moved on from wanting fifteen minutes of fame for defacing or vandalizing websites, or for writing a non-destructive virus to prank its victims. They want profit these days, which has brought a host of problems: the growth of ransomware, the birth of cryptojacking malware, and a rise in phishing attempts through email and instant messaging services.
Most hackers are not interested in taking over an ordinary Joe or Jane’s web service account just for laughs, since that time is better spent developing profitable malware or weaponizing a software bug. The same logic does not apply to celebrities: they are always targeted, in real life by paparazzi and online by any interested party.
Insignia Security, a cybersecurity consulting firm, has exposed the weakness of social media accounts, especially when the user has not taken advantage of the security features on offer, most of which are not enabled by default. To demonstrate the dangers of insecure social media accounts, Insignia Security hacked the accounts of Simon Caldera, Eamonn Holmes, Saira Khan, Louis Theroux and other celebrities.
“Back in March, we warned about the issues of using text messages for security. In fact, we warned about using them for pretty much anything! Then in November, we highlighted the same issue again. So what did Twitter do? Well, they allowed anyone with your phone number to Tweet from your account. We spoofed commands from those numbers to Twitter, following this handy guide: https://help.twitter.com/en/using-twitter/sms-commands. We used this method to successfully control the target’s Twitter account, allowing us to send Tweets, DMs, retweet and like tweets, follow and unfollow people and much more!”, explained Insignia in their official blog post.
Insignia Security highlights that if a private firm can do this, a state actor backed by a country with an agenda involving a celebrity can do it as well. Hijacking accounts is not rocket science, as Insignia demonstrated with the weakness of using SMS as a way to recover user passwords. The firm also emphasized that lives and careers can be destroyed simply by hijacking a celebrity’s account and causing irreparable reputational damage.
Their example of targeting a Twitter account and taking advantage of a ‘feature’ to tweet under the user’s name from a mobile phone is a weakness that the social media giant Twitter needs to address. For those who have associated a mobile number with their Twitter account, the recommendation is to disassociate the number from the account. Insignia Security is also demanding that Twitter remove mobile integration from user accounts, as it widens the attack surface instead of further securing users’ accounts.
“Twitter should completely remove this functionality as users rely on the phone added to their account for two-factor authentication. Twitter should also decouple your phone number — using your number for TFA should not automatically allow you to Tweet from that number, especially with SIM Swap attacks becoming more prevalent,” concluded Insignia Security.