Twitter users who have taken the time to set up tweeting-by-SMS are putting themselves at risk of attacks where anybody can post to their account, according to a team of security researchers.
The flaw lets an attacker post to a user’s Twitter account knowing nothing more than the mobile number associated with it. Because Twitter accepts the sender number of an incoming text as proof of identity, an attacker who spoofs that “from” number can post on the user’s behalf without the user being alerted.
A bit like email, it’s easy to spoof the “from” number of a text message, and thus trick Twitter into thinking the update is genuine. The researchers also found the same flaw in Facebook, but the issue has been patched by its security team, the researchers say.
Twitter was notified of the problem on November 28, but has yet to roll out a fix. In the meantime, the researchers suggest that users who use the tweet-by-SMS function either enable PIN codes — a service only available in the US — or disable the feature altogether. [Jonathan Rudenberg]
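To make the weakness concrete, here is a constructed model of a tweet-by-SMS gateway, added as an example and not code from Twitter, Facebook or the researchers. The vulnerable handler authenticates an inbound text by its sender number alone, which is exactly the field a spoofed message forges; the hardened handler uses the sender number only to select the account and requires the per-account PIN the article mentions as a mitigation. The assumption that the PIN is sent as the first word of the message, and all numbers, PINs and messages, are made up for the example.

```python
"""
Constructed model of an inbound tweet-by-SMS gateway (added example; not
Twitter's, Facebook's or the researchers' code). It shows why trusting the
sender number of a text as authentication fails when that number can be
spoofed, and how a per-account PIN blocks the forged message. The
"PIN as first word of the message" format is an assumption made here.
"""
import hmac
from dataclasses import dataclass

# Constructed account table: phone number -> handle and enrolled PIN (or None).
ACCOUNTS = {
    "+15550001111": {"handle": "alice", "pin": "4271"},
    "+15550002222": {"handle": "bob", "pin": None},  # bob never enrolled a PIN
}


@dataclass
class InboundSMS:
    sender: str  # "From" number as reported by the carrier; attacker-controllable
    body: str


def post_by_sender_only(msg: InboundSMS, timeline: list) -> str:
    """Vulnerable handler: the sender number is treated as proof of identity."""
    acct = ACCOUNTS.get(msg.sender)
    if acct is None:
        return "unknown sender"
    timeline.append((acct["handle"], msg.body))
    return "posted"


def post_with_pin(msg: InboundSMS, timeline: list) -> str:
    """Hardened handler: the sender number only selects the account; the
    message must begin with that account's PIN before anything is posted."""
    acct = ACCOUNTS.get(msg.sender)
    if acct is None:
        return "unknown sender"
    if acct["pin"] is None:
        # No PIN enrolled: refuse rather than fall back to the spoofable
        # caller-ID check (the article's other advice: disable the feature).
        return "rejected: no PIN enrolled"
    pin, _, text = msg.body.partition(" ")
    # Constant-time comparison so the check does not leak the PIN by timing.
    if not hmac.compare_digest(pin, acct["pin"]):
        return "rejected: bad PIN"
    timeline.append((acct["handle"], text))
    return "posted"


# Constructed inbound messages: one genuine, one whose sender field was forged.
GENUINE = InboundSMS("+15550001111", "4271 lunch at noon")
SPOOFED = InboundSMS("+15550001111", "I have been hacked")  # forged "From"


def demo():
    """Run both handlers over the same messages and return the outcomes."""
    vuln_timeline, hard_timeline = [], []
    results = {
        "vuln_spoofed": post_by_sender_only(SPOOFED, vuln_timeline),
        "hard_spoofed": post_with_pin(SPOOFED, hard_timeline),
        "hard_genuine": post_with_pin(GENUINE, hard_timeline),
    }
    return results, vuln_timeline, hard_timeline


if __name__ == "__main__":
    outcome, vuln, hard = demo()
    print(outcome)          # spoofed text posts under the vulnerable handler only
    print("vulnerable timeline:", vuln)
    print("hardened timeline:  ", hard)
```

The design point is that the gateway must never treat the carrier-supplied sender number as a credential; it is routing information the gateway cannot verify. A PIN is a secret the account holder chose, so a forged sender number alone is no longer enough, and an account with no PIN enrolled is refused rather than silently handled by the weaker check.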