For those that aren’t aware of ‘The AntiSocial Engineer Limited’, we are a small cybersecurity consultancy that is trying to reduce the number of online victims of cybercrime. Nothing makes us happier than when organisations do their bit in the fight against online crime. Our business was founded because we wanted to help the police to operate without being swamped with the low-level cyber-enabled crimes they currently are. Policing forces don’t have adequate resources to investigate serious offences, because of all the phishing, scams and minor financial crime and social engineering takes up the majority of their time. We wanted to form a business that would tackle these minor issues… help to reduce online crime to lighten the load… we found our niche approach to security was valued by our clients who also wanted to stay secure and minimise crimes in a corporate setting, helping companies aligned perfectly with our aims.
So, I’m not a natural writer, but I want to explain to readers just why I feel so strongly about this vulnerability and why I would tell everyone exactly how to perform these actions and not
Twitter by SMS
So let’s get the boring stuff out the way! if you have a phone number connected to your Twitter account you can SMS Twitter and do social media stuff via SMS message. An SMS of ‘RT @Twitter’ sent to 40404 will retweet the last Tweet from Twitter. It’s not just retweeting either! Here is a list of things you can do on Twitter via SMS:
- ON – Turn on notifications
- OFF – Turn off notifications
- FOLLOW – Allows you to follow a username
- UNFOLLOW – Unfollow a username
- STOP – Stops notifications, deletes your follower list, and removes your phone number from Twitter.
- QUIT – Removes the mobile phone from your Twitter account
- @Twitter Hello – Would reply to them with a ‘Hello’
- D AntiSocial_Eng – Would send us a DM
- RT Twitter – Would retweet the last tweet from Twitter.
- Like Twitter – Will like Twitters last tweet.
Your Twitter by SMS
Our business has tried to raise awareness of the inherent flaws of text messages before, it is not possible to validate the sender of a text message. When Twitter receive an SMS with instructions to update your timeline or you want to perform an action on your account. They receive the message and blindly act upon it. Trusting a flawed messaging protocol. We have also seen this behaviour with emails.
If a criminal wanted to post scams on Twitter they would just have to spoof your phone number and send a message to Twitter. There is no complicated hack. It’s just broken. Want to try this out?
- Head to an SMS spoofing service.
- Set the SENDER phone number of the Twiter user.
- Send the command to a Twitter SMS service number.
- Realise that passwords and access control are an optional feature on Twitter.
So we are an ethical consultancy, why would we disclose a technique that could be used to spread crypto scams or add to the toolbox of the criminals without giving Twitter the chance to fix it? Well… because Twitter knew and have tried to downplay it, in various guises over an 11 year period. That’s why. So this is not an issue where coordinated disclosure would benefit anyone. The criminals already know and they are not shy of targetting brands with the techniques mentioned in this blog.
So Twitter knew the platform could be abused by scammers?
Yep. I’m going to share some ‘proof’ to back up that claim here, make your own assumptions as I can guarantee they have better lawyers than us:
A security researcher in 2007 brought this forward in an article here.
A very young looking Brian Krebs had the story in the Washington Post in 2009.
By 2010 they started chucking money at Joe Lauer, CEO of a two-man startup called ‘Cloudhopper’. Twitter bought Cloudhopper for an
By December 2012 they were sick of the speculation, publishing an official Twitter blog post on the matter.
Shortcodes + Pins
The pressure to make shortcodes work must have been insane. Twitter introduced the SMS short-code 40404 almost worldwide. The issue started to disappear. They also added the functionality of adding a PIN to the account so a message would require ‘[PIN] + [ACTION]’. It does seem they have forgotten this functionality though – I couldn’t find it anywhere in my account settings. Ultimately this all failed because in 2018 it is still possible to perform these actions through weaker SMS channels.
So what exactly can criminals do?
This simple attack could be weaponised to conduct some serious crime sprees. They could send spoofed text messages by the bulk load by uploading a CSV to many services. Criminals could send thousands of direct messages with a phishing link in, spread disinformation.
The worst things?
Journalists/Secret – The scams and financial crimes are serious, I’m not down-playing them. But the most serious issue is it would enable anyone with knowledge of the targets phone number the ability to uncover secret accounts. Although it is not how Twitter was designed to be used, many people link their mobile phone to service to actually increase security on the account. By spoofing the number a distinctive tweet could be sent. By searching for this tweet publically you would be able to link a number to the account. Think journalists that need protection.
Removing SMS 2FA – Removing SMS 2FA has to be the next most important concern, people who have added SMS 2FA do so to extend the security on their accounts. In the UK especially anyone that has added SMS 2FA can have the service removed, against their will, by an attacker. The implementation of Twitter SMS 2FA in the UK is dangerously misleading. In my opinion, it actually lessens the security of the account.
Political Misinformation – By researching what accounts have a phone number associated to the account (possible via password reset info) focussed OSINT could reveal the number of the target and allow you to tweet as them… unlikely to happen you say? Well, it happened to @PressSec before, surely that’s all the PoC needed…
Yeah… there are a few things that could happen here. Occam’s razor would dictate that vulnerable SMS service centres should immediately be discontinued.
This patent looks interesting, SMPP forms the backbone of how Twitter by SMS works, ideas like those covered by this patent could help.
Bring back PIN protection on tweets, you tweet a PIN before your command. This shows much promise but is missing from my account here in the UK. It almost seems that they have removed such functionality – despite earlier in 2012 claiming it was protection that should be enabled.
Apply a default ‘SMS Tweets functions are disabled’ setting on all new accounts. So a user has to manually change this should they wish to interact with Twitter via SMS.
Lose some customers to better protect others. This is the last word on the matter from us. Twitter could fix this issue in a heartbeat – disable Twitter by SMS ‘Long codes’, that’s a phone number not a short code. In doing so they would lose a significant proportion of their customer base and affect profits. But that’s the true solution in our opinion – security on the platform first and profits secured on customer bases second.