US Twitter Users Not Vulnerable To SMS Spoof

A vulnerability in Twitter would allow spoofed posts to a user's account if the account were enabled for SMS updates. Twitter said Tuesday that users in the U.S. are not vulnerable and that users abroad who are should configure their accounts to require a PIN for SMS updates.

Larry Seltzer, Contributor

December 5, 2012

1 Min Read

A vulnerability in Twitter described by security researcher Jonathan Rudenberg does not affect U.S. users according to Twitter's product security engineering manager Moxie Marlinspike.

Twitter allows users to configure their accounts to receive posts and some profile changes via SMS commands sent to a particular code. In the U.S., this is a particular short code, specifically 40404. Elsewhere, a long code might be required. Rudenberg demonstrated how to trick the service into accepting commands from unauthorized sources.

Rudenberg said in a update to his post that Twitter fixed the problem for short code countries and recommends that other users configure their accounts to require a PIN for updates. But in his blog post Tuesday, Marlinspike said that users in countries with short code support, including U.S. users, are not vulnerable, making no reference to fixing the problem.

The posts imply a disagreement over when any fixes were made to Twitter, especially inasmuch as Marlinspike says "...it has been misreported that U.S.-based Twitter users are currently vulnerable to this type of attack." He doesn't specifically attribute such misreporting to Rudenberg.

Rudenberg had found a similar problem for Facebook and Venmo, but those services fixed the vulnerability before Rudenberg went live with his disclosure.

Read more about:

20122012

About the Author(s)

Larry Seltzer

Larry Seltzer

Contributor

Follow Larry Seltzer and BYTE on Twitter, Facebook, LinkedIn, and Google+:

See more from Larry Seltzer
Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
SIGN-UP

You May Also Like

More Insights
Webinars
More Webinars
Reports
More Reports

Editor's Choice

cybercrime abstract with two locks
Cyber Resilience
10 Cyber Incident Response Tips From Those Who've Had a Breach and Lived to Tell About It10 Cyber Incident Response Tips
bySara Peters
May 8, 2024
6 Min Read
DNA (deoxyribonucleic acid) strand, illustration.
Data Management
DNA is an Ancient Form of Data Storage. Is it Also a Radical New Alternative?DNA is an Ancient Form of Data Storage. Is it Also a Radical New Alternative?
byRichard Pallardy
May 7, 2024
15 Min Read
Paul Nakasone, former director of the National Security Agency, and a former commander of US Cyber Command, speaks at the RSA Conference 2024.
Cyber Resilience
Four Horsemen of Cyber Reunite at the RSA ConferenceFour Horsemen of Cyber Reunite at the RSA Conference
byJoao-Pierre S. Ruth
May 9, 2024
6 Min Read
Technologist and author Bruce Schneier addresses the crowd at RSA Conference 2024 about the future impacts of AI on democracy.
Machine Learning & AI
Bruce Schneier: 5 Ways AI Could Shake Up DemocracyBruce Schneier: 5 Ways AI Could Shake Up Democracy
byShane Snider
May 8, 2024
6 Min Read
Business innovative solution and creative concept as a paper boat tied to a light bulb
IT Leadership
9 Ways to Ensure Continuous Innovation9 Ways to Ensure Continuous Innovation
byLisa Morgan
Apr 2, 2024
9 Slides
Webinars
More Webinars
White Papers
More White Papers
Live Events
More Live Events
Reports
More Reports
May 2, 2024
While there are plentiful options in cyber resiliency and business continuity tools and platforms, there isn’t one that can knock out everything from sudden cloud outages to prolonged ransomware attacks in a single punch. What can you do to keep the company on its feet no matter what is thrown at it? Find out in this new virtual event.
Reserve Your Seat Now