Twitter and SMS Spoofing

By
Wednesday, 5 December 2012

Over the past two days, a few articles have been published about a potential problem concerning the ability to post false updates to another user’s SMS-enabled Twitter account, and it has been misreported that US-based Twitter users are currently vulnerable to this type of attack.

The general concern is that if a user has a Twitter account configured for SMS updates, and an attacker knows that user’s phone number, it could be possible for the attacker to send a fake SMS message to Twitter that looks like it’s coming from that user’s phone number, which would result in a fake post to that user’s timeline.

Most Twitter users interact over the SMS channel using a “shortcode.” In the US, for instance, this shortcode is 40404.  Because of the way that shortcodes work, it is not possible to send an SMS message with a fake source addressed to them, which eliminates the possibility of an SMS spoofing attack to those numbers.

However, in some countries a Twitter shortcode is not yet available, and in those cases Twitter users interact over the SMS channel using a “longcode.” A longcode is basically just a normal looking phone number.  Given that it is possible to send an SMS message with a fake source address to these numbers, we have offered PIN protection to users who sign up with a longcode since 2007.  As of August of this year, we have additionally disallowed posting through longcodes for users that have an available shortcode.

It has been misreported that US-based Twitter users are currently vulnerable to a spoofing attack because PIN protection is unavailable for them.  By having a shortcode, PIN protection isn’t necessary for US-based Twitter users, because they are not vulnerable to SMS spoofing.  We only provide the option for PIN protection in cases where a user could have registered with a longcode that is susceptible to SMS spoofing.

We work hard to protect our users from these kinds of threats and many others, and will continue to keep Twitter a site deserving of your trust. 

Posted by Moxie Marlinspike - @moxie
Engineering Manager, Product Security