Twitter Vulnerability: Spoof Caller ID To Take Over Any Account
Got friends on Twitter? Know their phone number? That’s all you need to take over their account and start posting messages in their name.
A similar exploit affects Jott, another service revolving around phone-based updates.
The vulnerability stems from the fact that both services use caller ID to authenticate users, but unfortunately caller ID is notoriously easy to spoof. In fact there’s a website designed to do just that — fakemytext.com
By spoofing your caller ID, an attacker could post Twitter messages in your name.
Nitesh Dhanjani over at O’Reilly details the hacks and claims to have successfully exploited the vulnerabilities on both services.
I tested the Twitter vulnerability by doing the following:
- I registered at fakemytext.com, a SMS spoofing service.
- Since the fakemytext.com service is based in the UK, I went through the Twitter FAQ and noted their UK based SMS number: +44-7781-488126.
- I sent the following SMS via fakemytext.com to +44-7781-488126 with the “From” number set to my phone number: “Testing via http://www.fakemytext.com/ . This better not work!”
- I checked my Twitter page, and sure enough, it was updated with the above SMS message. This means that anyone who knows a Twitter user’s cell phone number can update that persons Twitter page.
Dhanjani has contacted both services to alert them to the vulnerability and even proposes a solution — “make the user register and remember a PIN that must precede every SMS.” Of course, as he points out, the increased security comes at the expense of what is arguably the reason for Twitter’s recent explosive growth — ease-of-use.
Regrettably this sort of hack affects not just Twitter and Jott, but any service that uses caller ID as a means of authentication. Dhanjani claims that many cell phone companies, credit card companies, and even banks rely on caller ID information to authenticate users.