Twitter users who send their tweets through SMS may be exceedingly vulnerable to a newly discovered security glitch.
When a user sends a tweet over text message, anyone who has the mobile user’s phone number can actually post tweets to that person’s feed. They don’t need account information or activation, or even the physical phone to post.
The only way to have this vulnerability exploited is to have text message tweeting allowed and pre-authorized on any given Twitter account. From there, an SMS gateway can be used to spoof a particular phone number (experts say this can be done very easily without any prior experience) and then post the message. You can even change your profile settings and name through SMS, so a hacker can also do that once they know the phone number.
Photo credit: Simon Stratford
The problem comes from the fact that Twitter accepts tweets, no matter where the tweet is coming from, as long as the phone number it’s coming from is already authorized with the account. Twitter doesn’t yet support “short codes,” which are the only thing that guarantee that a text message is being sent over a network and not between two operator services.
Facebook was also subject to this flaw when they first started offering the text message service, and Facebook confirmed with concerned security experts that their flaw has been fixed. However, Twitter has yet to take any steps forward in resolving the same issue with their site.
If you have a Twitter account and have SMS tweeting active, make sure you lock the number with a PIN so that it is required to send any tweets from your phone. There is no easy way to get this pin if it isn’t already known.
Currently, Twitter has nothing to say about this vulnerability.