Recently, a group of London-based security researchers was able to hijack the Twitter accounts of British celebrities and journalists and post unauthorized tweets. The social media company has claimed that the vulnerabilities have been fixed, but the hackers say this claim is false.
Now, it should be stated that these ‘hijacking tests’ conducted by the group, which goes by the name Insinia Security, were not exactly ethical. They only sent a notification to the Twitter account holders that their handles were subject to hacking and did not wait for any consent. They further stated that the motivation behind their actions was to showcase the security flaws in high-profile Twitter accounts.
As explained by the group, the main flaw they exploited involves sending text messages to Twitter containing certain commands while spoofing the user’s phone number. Very few people know this, but Twitter accounts can be controlled via text message, provided the user knows where to send them. These numbers depend on where you live and come in two forms, a long code and a shortcode.
Twitter in the U.K. is assigned a long code - +447624800379, which is what Insinia used in its tests. Now, getting hold of this number is only half of the equation. Next, you would need to spoof the user’s phone number, but that can be handled with some online applications. Although this is illegal, it is very easy. And so you see how big a security concern this issue really is: all an attacker has to do is uncover the phone number associated with the target’s Twitter account and that’s it.
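To make the design flaw concrete, here is an added illustration (a constructed model, not Twitter's code) of an SMS command gateway: the weak version treats the SMS sender number as proof of identity, which is exactly what sender spoofing defeats, while the hardened version makes the feature opt-in and queues each command until a one-time code sent to the registered number is echoed back. Account handles, phone numbers and command text are all constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    phone: str                      # number registered for SMS commands (constructed)
    sms_commands_enabled: bool = False
    pending: dict = field(default_factory=dict)   # one-time code -> queued command


class SmsGateway:
    """Constructed model of an SMS command gateway (hypothetical, not Twitter's code)."""

    def __init__(self, accounts):
        self.by_phone = {a.phone: a for a in accounts}
        self.posted = []    # (handle, text) commands that were executed
        self.outbox = []    # (phone, text) replies delivered to the registered number

    def _execute(self, account, body):
        self.posted.append((account.handle, body))

    def handle_sms_trusting_caller_id(self, sender, body):
        """Weak design: the SMS 'from' field alone proves identity. That field
        can be spoofed, so anyone who knows the registered number can post."""
        account = self.by_phone.get(sender)
        if account is None:
            return "unknown number"
        self._execute(account, body)
        return "posted"

    def handle_sms_with_challenge(self, sender, body):
        """Hardened design: SMS commands are opt-in, and each command is queued
        until a one-time code is echoed back. The code goes to the registered
        number, which a sender-spoofing party can forge but cannot receive at."""
        account = self.by_phone.get(sender)
        if account is None or not account.sms_commands_enabled:
            return "ignored"
        if body.upper().startswith("CONFIRM "):
            code = body.split(maxsplit=1)[1].strip()
            command = account.pending.pop(code, None)   # single use
            if command is None:
                return "invalid code"
            self._execute(account, command)
            return "posted"
        code = secrets.token_hex(3)
        account.pending[code] = body
        self.outbox.append((account.phone, f"Reply CONFIRM {code} to post: {body}"))
        return "confirmation required"
```

In the hardened path a spoofed message only produces a confirmation request in the real owner's inbox, which doubles as a detection signal for the account holder.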
Shortly after Twitter’s initial statement that the vulnerability had been fixed, the hackers went on a private chat with Gizmodo. There they demonstrated that the issue still persists by retweeting a tweet from the BBC. In response, a spokesperson from Twitter said that they were investigating the matter and ensuring that “account security protocols are functioning as expected.” He further stated, “we do not believe there is any significant risk to US-based account holders.” This is in part because the U.S. is assigned a shortcode - 40404.
This isn’t the first time a social media website has shown a glaring security vulnerability. What are your opinions on the matter? Also, make sure to follow us on Facebook and Twitter to stay on top of the latest VPN-related news. Thanks!