Over the past two days, a few articles have been published about a potential problem concerning the ability to post false updates to another user’s SMS-enabled Twitter account, and it has been misreported that US-based Twitter users are currently vulnerable to this type of attack.
The general concern is that if a user has a Twitter account configured for SMS updates, and an attacker knows that user’s phone number, it could be possible for the attacker to send a fake SMS message to Twitter that looks like it’s coming from that user’s phone number, which would result in a fake post to that user’s timeline.
Most Twitter users interact over the SMS channel using a “shortcode.” In the US, for instance, this shortcode is 40404. Because of the way that shortcodes work, it is not possible to send an SMS message with a fake source address to them, which eliminates the possibility of an SMS spoofing attack against those numbers.
However, in some countries a Twitter shortcode is not yet available, and in those cases Twitter users interact over the SMS channel using a “longcode.” A longcode is basically just a normal looking phone number. Given that it is possible to send an SMS message with a fake source address to these numbers, we have offered PIN protection to users who sign up with a longcode since 2007. As of August of this year, we have additionally disallowed posting through longcodes for users that have an available shortcode.
It has been misreported that US-based Twitter users are currently vulnerable to a spoofing attack because PIN protection is unavailable for them. Because they have a shortcode, PIN protection isn’t necessary for US-based Twitter users: they are not vulnerable to SMS spoofing. We only provide the option for PIN protection in cases where a user could have registered with a longcode that is susceptible to SMS spoofing.
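The two rules above (trust the source address only on the shortcode channel; on a longcode, require the user’s PIN and refuse posts from users whose country already has a shortcode) can be captured as a single inbound-message check. The following is an added illustration written for this post, not Twitter’s own code. It assumes a message format in which the PIN is the first whitespace-separated token of the SMS body, and all phone numbers, shortcodes, longcodes and PINs in it are constructed sample values.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data; none of these values are real.
SHORTCODES = {"US": "40404"}       # country -> shortcode, where one is available
LONGCODES = {"+447624800000"}      # ordinary-looking numbers used where no shortcode exists


@dataclass
class User:
    handle: str
    country: str
    pin: Optional[str]  # only set for users who registered via a longcode


USERS = {
    "+14155550100": User("alice", "US", None),     # US user: shortcode available
    "+447700900123": User("bob", "GB", "4921"),   # hypothetical longcode-only country
}


def authenticate_inbound_sms(source: str, destination: str, body: str) -> Tuple[Optional[str], str]:
    """Decide whether an inbound SMS may be posted.

    Returns (handle, status_text) when the post is accepted, or
    (None, reason) when it is rejected.
    """
    user = USERS.get(source)
    if user is None:
        return None, "unknown-sender"

    if destination in SHORTCODES.values():
        # Shortcode channel: the carrier network does not deliver messages
        # with a forged source address, so the sender number is trusted as-is.
        return user.handle, body.strip()

    if destination in LONGCODES:
        if user.country in SHORTCODES:
            # Policy described in the post: users who have a shortcode
            # available may not post through a longcode at all.
            return None, "longcode-disallowed"
        if user.pin is None:
            return None, "pin-required"
        # Longcode channel: the source address can be spoofed, so the
        # sender number alone proves nothing; require the PIN as the first token.
        # (PIN-as-first-token is an assumption of this example.)
        parts = body.split(maxsplit=1)
        if len(parts) < 2 or not hmac.compare_digest(parts[0].encode(), user.pin.encode()):
            return None, "bad-pin"
        return user.handle, parts[1].strip()

    return None, "unknown-destination"


if __name__ == "__main__":
    print(authenticate_inbound_sms("+14155550100", "40404", "status from alice"))
    print(authenticate_inbound_sms("+447700900123", "+447624800000", "4921 status from bob"))
    print(authenticate_inbound_sms("+447700900123", "+447624800000", "status without pin"))
```

The comparison uses `hmac.compare_digest` so that PIN checking does not leak timing information; the rest of the function is the decision table the post describes, with the trust decision keyed on which number received the message rather than on the claimed sender.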
We work hard to protect our users from these kinds of threats and many others, and will continue to keep Twitter a site deserving of your trust.
Posted by Moxie Marlinspike - @moxie
Engineering Manager, Product Security