Twitter is claiming to have resolved a bug that allowed a group of London-based security researchers to post unauthorized tweets to the accounts of British celebrities and journalists. But the hackers who initially disclosed the vulnerability say that’s rubbish.
A Twitter spokesperson told reporters on Friday that it had “resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing.” However, during a conversation with Gizmodo, the hackers who posted the unauthorized tweets to celebrity accounts appeared able to reproduce the experiment after Twitter made its claim.
The Guardian had reported earlier in the day that the bug had been resolved, citing the same statement provided to Gizmodo. Pressed for an explanation, Twitter would only say that it is still investigating the matter to ensure its “account security protocols are functioning as expected.”
The hijacking tests are controversial because the account holders, while reportedly notified, did not consent to the experiment, which was carried out by a group called Insinia Security. The group says it was motivated to demonstrate the flaw’s existence with high-profile accounts in order to draw attention to the problem.
Essentially, the flaw allows virtually anyone to post updates to certain SMS-enabled accounts, though it’s unclear how many accounts may be vulnerable. “We do not believe there is any significant risk to US-based account holders,” Twitter’s spokesperson added.
Among the accounts hijacked by the researchers are ones belonging to Northern Ireland broadcaster Eamonn Holmes and British documentary filmmaker Louis Theroux.
The method used involves sending text messages to Twitter containing commands while spoofing a user’s phone number. Unbeknownst to many users, a Twitter account can accept commands via text message, provided the user knows where to send them. The numbers used vary from country to country and come in two forms: a longcode, which looks like a normal phone number, and a shortcode, which is typically three to five digits long.
To wit, the longcode assigned to the UK, where Insinia performed its tests, is +447624800379. The shortcode for U.S.-based users is 40404.
Shortcodes are not available in every country. Prior to a change in 2012, longcodes could be used by anyone in any country, even if its prefix contained a foreign dial-out code (also known as “country codes”).
There are numerous apps available online that can be used to “spoof” a phone number, though doing so may be illegal without consent. Spoofing a number allows someone to send messages or make calls that appear to originate from another person’s phone. This same phreaking technique is also used to break into voicemail systems.
After uncovering which phone numbers were used by the various celebrities to control their Twitter accounts, the hackers say they were able to spoof the numbers and then transmit commands to their corresponding Twitter accounts using one of Twitter’s longcodes.
“If we can text from what appears to be your number then we can interact with, and fully control, your Twitter account,” Insinia Security said.
A Twitter spokesperson told Gizmodo and other outlets, “We’ve resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing. We’ll continue to investigate any related reports to ensure our account security protocols are functioning as expected.”
During a private chat with Gizmodo, however, the hackers appeared to reproduce their experiment, forcing an account belonging to the head of a London-based financial technology company to retweet a tweet from the BBC. Insinia said it verified the vulnerability had not been fixed from multiple accounts, including one under its own control.
In 2012, Twitter acknowledged a vulnerability that allowed hackers to perform these types of attacks but said certain accounts were immune; namely, accounts based in the U.S. where a shortcode had been assigned. At the time, there was no shortcode for users in the U.K. interested in sending SMS-based commands.
In response to the issue, Twitter rolled out a PIN code system for users who’d signed up for the service using a longcode. This security measure was not necessary for users in countries that had shortcodes, the company said. It took the additional step of disabling the ability to use longcodes in countries where a shortcode was available.
At some point, the U.K. did enable multiple Twitter shortcodes, so it’s unclear why a longcode even still works with U.K.-based accounts.
Insinia said that so far its spoofing experiment only worked on accounts when it used a longcode to transmit the commands. It follows, then, that disabling the use of longcodes wherever possible (again) would likely solve this problem. Insinia told Gizmodo that it is currently investigating whether there’s a method for hijacking accounts that can only receive commands via shortcode.
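The root cause described in this article is an SMS command gateway that identifies the account from the caller ID of the incoming text, a field the carrier delivers but does not authenticate. The following is an added, hypothetical model (not Twitter’s code) of such a gateway with the two mitigations the article attributes to Twitter’s 2012 response switchable on and off: requiring a PIN from longcode-enrolled users, and refusing longcode traffic for accounts in countries that have a shortcode. The only values taken from the article are the UK longcode and the US shortcode; the account handles, phone numbers (drawn from reserved fictitious ranges), the PIN, and the assumption that the PIN is sent as a prefix on each command are all constructed for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed routing table. The UK longcode and the US shortcode are the two
# values quoted in the article; the country assignments are the model's own.
LONGCODES: Dict[str, str] = {"UK": "+447624800379"}   # country -> longcode
SHORTCODES: Dict[str, str] = {"US": "40404"}          # country -> shortcode


@dataclass
class Account:
    handle: str
    phone: str                 # number the user linked for SMS commands
    country: str
    pin: Optional[str] = None  # only set when enrolled through a longcode
    timeline: List[str] = field(default_factory=list)


@dataclass
class InboundSms:
    claimed_sender: str  # caller ID as delivered by the carrier; not authenticated
    destination: str     # gateway number the message arrived on
    body: str


class Gateway:
    """Hypothetical SMS-command gateway with two switchable mitigations."""

    def __init__(self, accounts: List[Account],
                 require_pin_on_longcode: bool = False,
                 block_longcode_where_shortcode_exists: bool = False) -> None:
        self.by_phone = {a.phone: a for a in accounts}
        self.require_pin = require_pin_on_longcode
        self.block_longcode = block_longcode_where_shortcode_exists

    def handle(self, sms: InboundSms) -> str:
        # Step 1: identify the account purely from caller ID. This is the weak
        # link: a message with a forged caller ID carries the same claimed_sender.
        acct = self.by_phone.get(sms.claimed_sender)
        if acct is None:
            return "rejected: sender not linked to any account"

        body = sms.body
        if sms.destination in LONGCODES.values():
            # Mitigation B: a longcode must not serve countries that have a shortcode.
            if self.block_longcode and acct.country in SHORTCODES:
                return "rejected: longcode disabled for this country"
            # Mitigation A: longcode users prefix each command with a PIN (modeling
            # assumption), so caller ID alone no longer authorizes the command.
            if self.require_pin:
                pin, _, body = body.partition(" ")
                if acct.pin is None or pin != acct.pin:
                    return "rejected: missing or wrong PIN"
        elif sms.destination not in SHORTCODES.values():
            return "rejected: unknown destination"

        return self._execute(acct, body)

    @staticmethod
    def _execute(acct: Account, body: str) -> str:
        # Minimal command set for the model: "RT <id>" retweets, anything else posts.
        if body.upper().startswith("RT "):
            acct.timeline.append(f"retweet:{body[3:].strip()}")
            return f"retweeted on @{acct.handle}"
        acct.timeline.append(body)
        return f"posted on @{acct.handle}"


def scenario(require_pin: bool, block_longcode: bool) -> Dict[str, str]:
    """Feed one forged-caller-ID message for a UK account and one for a US
    account through the UK longcode and report the outcome of each."""
    uk = Account("uk_presenter", "+447700900123", "UK", pin="4711")
    us = Account("us_user", "+12025550147", "US")
    gw = Gateway([uk, us], require_pin, block_longcode)
    # From the gateway's point of view these are indistinguishable from
    # messages the real account holders sent.
    forged_uk = InboundSms("+447700900123", LONGCODES["UK"], "RT 1234567890")
    forged_us = InboundSms("+12025550147", LONGCODES["UK"], "hello from nowhere")
    return {"uk_forged": gw.handle(forged_uk), "us_forged": gw.handle(forged_us)}


def legitimate_uk_with_pin() -> str:
    """The real account holder, sending with the PIN prefix, still gets through."""
    uk = Account("uk_presenter", "+447700900123", "UK", pin="4711")
    gw = Gateway([uk], require_pin_on_longcode=True,
                 block_longcode_where_shortcode_exists=True)
    return gw.handle(InboundSms("+447700900123", LONGCODES["UK"], "4711 RT 1234567890"))


if __name__ == "__main__":
    print("no mitigations:  ", scenario(False, False))
    print("both mitigations:", scenario(True, True))
    print("legitimate + PIN:", legitimate_uk_with_pin())
```

With both mitigations off, both forged messages are executed because caller ID is the only thing the gateway checks. With both on, the UK message fails the PIN check and the US message is refused at the longcode entirely, which is the outcome the article’s reasoning about disabling longcodes predicts; the legitimate user who knows the PIN is unaffected. The model does not claim anything about why shortcode routes resist spoofing; it only encodes the policy the article describes.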
We’ll update with additional information as it becomes available.