A vulnerability in Twitter would allow spoofed posts to a user's account if the account were enabled for SMS updates. Twitter said Tuesday that users in the U.S. are not vulnerable and that users abroad who are should configure their accounts to require a PIN for SMS updates.
Twitter allows users to configure their accounts to receive posts and some profile changes via SMS commands sent to a particular code. In the U.S., this is a particular short code, specifically 40404. Elsewhere, a long code might be required. Rudenberg demonstrated how to trick the service into accepting commands from unauthorized sources.
Rudenberg said in a update to his post that Twitter fixed the problem for short code countries and recommends that other users configure their accounts to require a PIN for updates. But in his blog post Tuesday, Marlinspike said that users in countries with short code support, including U.S. users, are not vulnerable, making no reference to fixing the problem.
The posts imply a disagreement over when any fixes were made to Twitter, especially inasmuch as Marlinspike says "...it has been misreported that U.S.-based Twitter users are currently vulnerable to this type of attack." He doesn't specifically attribute such misreporting to Rudenberg.
Rudenberg had found a similar problem for Facebook and Venmo, but those services fixed the vulnerability before Rudenberg went live with his disclosure.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.