Hijacking a Twitter (NYSE: TWTR) user's account has been accomplished with a decidedly old-school method. Security researchers at Insinia Security hijacked a number of celebrity Twitter accounts in the U.K. by using SMS messages to post tweets, in a test of Twitter's defences. The researchers disclosed the method so that Twitter can fix it.
The vulnerability lies in a Twitter feature introduced back when few people had smartphones. To let people tweet from ordinary mobile phones, Twitter provided a 'tweet by SMS' feature: a text sent to Twitter's number from the phone number associated with an account is posted as a tweet from that account. The sending number is the only thing tying the message to the account.
Insinia's researchers first obtained phone numbers linked to the Twitter accounts of a number of celebrities and journalists. They then entered each number into a spoofing tool; such tools are available through numerous apps online. Spoofing a number makes calls and texts appear to originate from another person's phone when they really don't, so the spoofed text reached Twitter as if the account holder had sent it and was posted as a tweet from that account.
The researchers from Insinia Security say that they used celebrity Twitter accounts to draw widespread attention to the vulnerability. The account holders were notified of the test, but the researchers didn’t seek consent from them. Accounts belonging to broadcaster Eamonn Holmes and documentary filmmaker Louis Theroux were among the ones hijacked by the researchers.
The researchers found that only some SMS-enabled accounts are vulnerable: those whose country Twitter serves through a long code, a full-length number that looks like an ordinary phone number. Accounts in countries served by a short code, which is typically three to five digits long, appeared to be immune. US-based accounts are assigned a short code.
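To make the weakness concrete, here is an added example (not code from the article, from Insinia or from Twitter) of a toy inbound-SMS command handler in Python. The first function behaves like the gateway the article describes: the apparent sender number is the only authentication, so a message with a spoofed sender ID is posted under the victim's account. The second requires a per-account PIN at the start of the message, a mitigation assumed here for illustration rather than anything the article attributes to Twitter. The phone numbers, account names and PIN are constructed.

```python
import hashlib
import hmac

# Constructed sample data (not real numbers or accounts): phone numbers
# that users have linked to their accounts for SMS posting.
LINKED_NUMBERS = {
    "+447700900123": "broadcaster_account",
    "+447700900456": "filmmaker_account",
}


def _pin_hash(account, pin):
    """Hash a PIN bound to the account name so PINs are not stored in clear."""
    return hashlib.sha256(f"{account}:{pin}".encode()).hexdigest()


# Constructed: only one account has enrolled an SMS PIN (assumed mitigation).
PIN_HASHES = {
    "broadcaster_account": _pin_hash("broadcaster_account", "4821"),
}


class Timeline:
    """Minimal stand-in for the posting backend."""

    def __init__(self):
        self.posts = []  # list of (account, text) tuples


def handle_sms_unsafe(sender, body, timeline):
    """Vulnerable handler: the apparent From number is the only check.

    An SMS whose sender ID has been spoofed to a linked number is
    indistinguishable from one the account holder actually sent, so it
    is posted under the victim's account. Returns the account posted to,
    or None if the number is not linked.
    """
    account = LINKED_NUMBERS.get(sender)
    if account is None:
        return None
    timeline.posts.append((account, body))
    return account


def handle_sms_pinned(sender, body, timeline):
    """Hardened handler: the From number only selects the account; the
    message must begin with that account's PIN, which a sender-ID
    spoofer does not know. Returns the account posted to, or None.
    """
    account = LINKED_NUMBERS.get(sender)
    if account is None:
        return None
    expected = PIN_HASHES.get(account)
    if expected is None:
        # No PIN enrolled: refuse rather than fall back to trusting caller ID.
        return None
    pin, sep, text = body.partition(" ")
    if not sep or not text:
        return None
    if not hmac.compare_digest(_pin_hash(account, pin), expected):
        return None
    timeline.posts.append((account, text))
    return account


if __name__ == "__main__":
    # Constructed attack: an SMS spoofed to look like it came from the
    # broadcaster's linked number.
    spoofed_from, spoofed_text = "+447700900123", "Leaving TV for good."
    tl = Timeline()
    print("unsafe:", handle_sms_unsafe(spoofed_from, spoofed_text, tl), tl.posts)
    tl = Timeline()
    print("pinned:", handle_sms_pinned(spoofed_from, spoofed_text, tl), tl.posts)
```

The PIN still travels in the clear inside the SMS, so it is visible to the carrier and to anyone who can read the real handset's sent messages; what it defeats is the attack in the article, where the spoofer can send as a number but cannot receive at it. That same asymmetry means a challenge-response design, in which the service texts a one-time code to the linked number and only posts once it is echoed back, would also stop a pure sender-ID spoofer.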
In 2012, Twitter acknowledged a vulnerability that allowed attackers to perform this type of attack. The Insinia researchers have shown that it still exists, despite the company's claim to have closed the loophole. It is not yet known exactly how many users are affected.