Twitter is Broken

Twitter by SMS

So let’s get the boring stuff out the way! if you have a phone number connected to your Twitter account you can SMS Twitter and do social media stuff via SMS message. An SMS of ‘RT @Twitter’ sent to 40404 will retweet the last Tweet from Twitter. It’s not just retweeting either! Here is a list of things you can do on Twitter via SMS:

  • ON – Turn on notifications
  • OFF – Turn off notifications
  • FOLLOW – Allows you to follow a username
  • UNFOLLOW – Unfollow a username
  • STOP – Stops notifications, deletes your follower list, and removes your phone number from Twitter.
  • QUIT – Removes the mobile phone from your Twitter account
  • @Twitter Hello – Would reply to them with a ‘Hello’
  • D AntiSocial_Eng – Would send us a DM
  • RT Twitter – Would retweet the last tweet from Twitter.
  • Like Twitter – Will like Twitters last tweet.

Your Twitter by SMS

Our business has tried to raise awareness of the inherent flaws of text messages before, it is not possible to validate the sender of a text message. When Twitter receive an SMS with instructions to update your timeline or you want to perform an action on your account. They receive the message and blindly act upon it. Trusting a flawed messaging protocol. We have also seen this behaviour with emails.

If a criminal wanted to post scams on Twitter they would just have to spoof your phone number and send a message to Twitter. There is no complicated hack. It’s just broken. Want to try this out?

  1. Head to an SMS spoofing service.
  2. Set the SENDER phone number of the Twiter user.
  3. Send the command to a Twitter SMS service number.
  4. Realise that passwords and access control are an optional feature on Twitter.
Computer Weekly allowed us to post a tweet using the above method to their account. They published the screenshot below in a recent post about the matter. We really appreciate the help in helping us prove this issue from the get go.
We were able to post this tweet without any credentials being provided.

Responsible Disclosure

So we are an ethical consultancy, why would we disclose a technique that could be used to spread crypto scams or add to the toolbox of the criminals without giving Twitter the chance to fix it? Well… because Twitter knew and have tried to downplay it, in various guises over an 11 year period. That’s why. So this is not an issue where coordinated disclosure would benefit anyone. The criminals already know and they are not shy of targetting brands with the techniques mentioned in this blog.

So Twitter knew the platform could be abused by scammers?

Yep. I’m going to share some ‘proof’ to back up that claim here, make your own assumptions as I can guarantee they have better lawyers than us:

A security researcher in 2007 brought this forward in an article here.

A very young looking Brian Krebs had the story in the Washington Post in 2009.

By 2010 they started chucking money at Joe Lauer, CEO of a two-man startup called ‘Cloudhopper’. Twitter bought Cloudhopper for an undesclosed sum and with it their experience in SMPP (a protocol to connect SMS with other things)

By December 2012 they were sick of the speculation, publishing an official Twitter blog post on the matter.

So in my opinion they knew about the flaws of SMS and they knew that people could abuse their platform with ease.

Shortcodes + Pins

The pressure to make shortcodes work must have been insane. Twitter introduced the SMS short-code 40404 almost worldwide. The issue started to disappear. They also added the functionality of adding a PIN to the account so a message would require ‘[PIN] + [ACTION]’. It does seem they have forgotten this functionality though – I couldn’t find it anywhere in my account settings. Ultimately this all failed because in 2018 it is still possible to perform these actions through weaker SMS channels.

Broken links here could indicate changes to the platform.

So what exactly can criminals do?

This simple attack could be weaponised to conduct some serious crime sprees. They could send spoofed text messages by the bulk load by uploading a CSV to many services. Criminals could send thousands of direct messages with a phishing link in, spread disinformation.

The worst things?

Publicity Stunts – In August 2019, Jack’s very own account became a victim of this flaw, Tweeting racist nonsense to millions of people.

Journalists/Secret – The scams and financial crimes are serious, I’m not down-playing them. But the most serious issue is it would enable anyone with knowledge of the targets phone number the ability to uncover secret accounts. Although it is not how Twitter was designed to be used, many people link their mobile phone to service to actually increase security on the account. By spoofing the number a distinctive tweet could be sent. By searching for this tweet publically you would be able to link a number to the account. Think journalists that need protection.

Removing SMS 2FA – Removing SMS 2FA has to be the next most important concern, people who have added SMS 2FA do so to extend the security on their accounts. In the UK especially anyone that has added SMS 2FA can have the service removed, against their will, by an attacker. The implementation of Twitter SMS 2FA in the UK is dangerously misleading. In my opinion, it actually lessens the security of the account.

Political Misinformation – By researching what accounts have a phone number associated to the account (possible via password reset info) focussed OSINT could reveal the number of the target and allow you to tweet as them… unlikely to happen you say? Well, it happened to @PressSec before, surely that’s all the PoC needed…

More on that here.

The Fix?

Yeah… there are a few things that could happen here. Occam’s razor would dictate that vulnerable SMS service centres should immediately be discontinued. Thats the simple fix. this is extremely unlikely to occur because it would mean Twitter losing millions of customers that rely on SMS based tweets in countries where a short code number isn’t available.

This patent looks interesting, SMPP forms the backbone of how Twitter by SMS works, ideas like those covered by this patent could help.

Bring back PIN protection on tweets, you tweet a PIN before your command. This shows much promise but is missing from my account here in the UK. It almost seems that they have removed such functionality – despite earlier in 2012 claiming it was protection that should be enabled.

Apply a default ‘SMS Tweets functions are disabled’ setting on all new accounts. So a user has to manually change this should they wish to interact with Twitter via SMS.

Lose some customers to better protect others. This is the last word on the matter from us. Twitter could fix this issue in a heartbeat – disable Twitter by SMS ‘Long codes’, that’s a phone number not a short code. In doing so they would lose a significant proportion of their customer base and affect profits. But that’s the true solution in our opinion – security on the platform first and profits secured on customer bases second.

Edit:

Over the past few weeks we’ve been back and forth with our findings to HackerOne. Both new issues relate to logic flaws in Twitter’s 2012 remediation efforts, users that were previously unable to set an SMS pin will shortly be able to do so with a suggested UI change to add that functionality – users on Three UK should be first in line. Some details were left out of the original blog in order to give Twitter the heads up. After verification these were two brand new issues relating to how Twitter classify their customer numbers and a logic flaw effecting their UK 40404 service we are glad we did.