Twitter and SMS Spoofing
By
Wednesday, 5 December 2012
Over the past two days, a few articles have been published about a potential problem concerning the ability to post false updates to another user’s SMS-enabled Twitter account, and it has been misreported that US-based Twitter users are currently vulnerable to this type of attack.
The general concern is that if a user has a Twitter account configured for SMS updates, and an attacker knows that user’s phone number, it could be possible for the attacker to send a fake SMS message to Twitter that looks like it’s coming from that user’s phone number, which would result in a fake post to that user’s timeline.
Most Twitter users interact over the SMS channel using a “shortcode.” In the US, for instance, this shortcode is 40404. Because of the way that shortcodes work, it is not possible to send an SMS message with a fake source addressed to them, which eliminates the possibility of an SMS spoofing attack to those numbers.
However, in some countries a Twitter shortcode is not yet available, and in those cases Twitter users interact over the SMS channel using a “longcode.” A longcode is basically just a normal looking phone number. Given that it is possible to send an SMS message with a fake source address to these numbers, we have offered PIN protection to users who sign up with a longcode since 2007. As of August of this year, we have additionally disallowed posting through longcodes for users that have an available shortcode.
It has been misreported that US-based Twitter users are currently vulnerable to a spoofing attack because PIN protection is unavailable for them. By having a shortcode, PIN protection isn’t necessary for US-based Twitter users, because they are not vulnerable to SMS spoofing. We only provide the option for PIN protection in cases where a user could have registered with a longcode that is susceptible to SMS spoofing.
We work hard to protect our users from these kinds of threats and many others, and will continue to keep Twitter a site deserving of your trust.
Posted by Moxie Marlinspike - @moxie
Engineering Manager, Product Security
Did someone say … cookies?
X and its partners use cookies to provide you with a better, safer and
faster service and to support our business. Some cookies are necessary to use
our services, improve our services, and make sure they work properly.
Show more about your choices.