
Security researchers hijack celebrity Twitter accounts, and prove claimed fix failed

Security researchers have hijacked a number of celebrity Twitter accounts – including that of Louis Theroux – to post unauthorized tweets. They have also demonstrated that Twitter’s claimed fix for the problem didn’t work …

Gizmodo reports that the researchers disclosed the method used, so that Twitter could fix it, but the vulnerability still exists despite the social media company claiming that it had closed the loophole.

A Twitter spokesperson told reporters on Friday that it had “resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing.” But during a conversation with Gizmodo, the hackers who posted the unauthorised tweets to celebrity accounts appeared to reproduce the experiment after Twitter made its claim.

The vulnerability relates to a Twitter feature introduced at a time when smartphones were still relatively rare. In order to allow people to tweet from dumb phones, Twitter offers a ‘tweet by SMS’ feature. Any text sent to Twitter from the phone number associated with the account would be posted as a tweet.

What the researchers managed to do was to spoof the phone numbers, so that texts sent by them would be tweeted on accounts owned by a number of celebrities and journalists.
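The weakness the researchers exploited is a design one: the SMS sender number is an unauthenticated field, so any gateway that maps that field straight to an account is trusting a value the sender controls. The toy handler below is an added illustration, not code from the article, from Insinia or from Twitter; the account table, phone numbers, message format and the opt-in-plus-code mitigation are all constructed assumptions for the example, not a description of how Twitter's feature or its fix actually works.

```python
"""
Added illustration of the 'tweet by SMS' design weakness described in the
article. Everything here is constructed: the account table, the phone
numbers and the gateway message format are hypothetical.
"""
import hmac
from dataclasses import dataclass, field

# Constructed account table: phone number on file -> account handle.
ACCOUNTS = {
    "+447700900001": "celebrity_a",
    "+447700900002": "journalist_b",
}


@dataclass
class InboundSms:
    """One message as an SMS gateway would hand it to the application."""
    sender: str  # the From field; nothing in SMS authenticates this value
    body: str


@dataclass
class TweetLog:
    """Stand-in for the 'post a tweet' side effect, so results can be checked."""
    posted: list = field(default_factory=list)


def post_by_sms_trusting_sender(msg: InboundSms, log: TweetLog):
    """Weak design: the sender number alone decides which account tweets.

    A message whose From field has been set to a victim's number is
    indistinguishable from a genuine one, so it is posted as the victim.
    Returns the handle that tweeted, or None.
    """
    handle = ACCOUNTS.get(msg.sender)
    if handle is None:
        return None
    log.posted.append((handle, msg.body))
    return handle


# Assumed mitigation for the example (not what Twitter shipped): SMS posting
# is off unless the account holder explicitly enabled it, and every message
# must start with a per-account secret code that a sender-number spoofer
# does not have.
SMS_POSTING_ENABLED = {"+447700900001": False, "+447700900002": True}
SMS_CODES = {"+447700900002": "7f3a9c"}  # constructed secret for the demo


def post_by_sms_hardened(msg: InboundSms, log: TweetLog):
    """Hardened handler: opt-in flag plus a secret code, not just the sender.

    Returns the handle that tweeted, or None when the message is rejected.
    """
    handle = ACCOUNTS.get(msg.sender)
    if handle is None or not SMS_POSTING_ENABLED.get(msg.sender, False):
        return None
    code, sep, text = msg.body.partition(" ")
    expected = SMS_CODES.get(msg.sender, "")
    # Constant-time comparison so the check itself leaks nothing about the code.
    if not sep or not expected or not hmac.compare_digest(code, expected):
        return None
    log.posted.append((handle, text))
    return handle


if __name__ == "__main__":
    # Constructed message whose From field carries a victim's number.
    spoofed = InboundSms("+447700900001", "not really me")
    weak_log, hard_log = TweetLog(), TweetLog()
    print("weak handler posted as:", post_by_sms_trusting_sender(spoofed, weak_log))
    print("hardened handler posted as:", post_by_sms_hardened(spoofed, hard_log))
```

The point of the contrast is where the trust sits: the weak handler's only credential is a field the gateway cannot verify, while the hardened one requires something the account holder chose to turn on and a secret that does not travel in the caller-ID path. Any real mitigation would also need rate limiting and a way for users to see and revoke SMS posting, which the example leaves out.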

The researchers from Insinia Security say that they notified the account holders, but didn’t seek consent from them. They say they used celebrity Twitter accounts to draw widespread attention to the vulnerability.

Twitter claimed on Friday that it had ‘resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing,’ but the researchers were able to demonstrate today that the same method still works.

The problem follows close on the heels of a support form flaw which exposed user details such as phone number country code. It was reported that this seemingly limited data was likely used by state-sponsored actors to gain information about Twitter accounts.



Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
