January 1, 2019 at
Recently, a group of security researchers from London, UK, uncovered a Twitter bug that allowed them to hijack a number of accounts belonging to British journalists and celebrities. After the bug was made public, Twitter claimed that their team managed to fix it, but hackers who initially discovered the flaw claim that this is not true.
According to the hackers, the hack was still possible even after Twitter claimed to have fixed it. After this information became public as well, Twitter had no explanation for the incident, and has only stated that the investigation of the issue was reopened, and currently on-going.
The experiment has raised many eyebrows after reaching the public, as apparently no one notified the account holders, or asked for consent to include them in the experiment. The group responsible for carrying out the experiment is named Insinia Security, and their goal was to disclose the existence of the flaw by hacking accounts which will draw the necessary attention.
How does the flaw work?
The flaw, as many might remember, only includes individuals with a phone number connected to their account. By exploiting the vulnerability, hackers were able to post updates to these SMS-enabled accounts. Other than that, the details are scarce, and it is not clear what is causing the accounts to be vulnerable. In addition, a Twitter spokesperson stated that the flaw is unlikely to affect US-based Twitter users.
It is known that the method of gaining control of other individuals’ Twitter account includes sending certain commands during the spoofing campaign. Many are not even aware that it is possible to interact with Twitter by using text messages. However, those who do know how to use them, where to send them, and what commands to include may gain significant influence over these accounts.
According to reports, there are two types of codes, although they can be different, depending on the country. The longer one is called longcode, and it includes regular phone numbers. However, the shorter one, or shortcode, only includes 3-5 digits. These shortcodes do not exist in every country. Meanwhile, the longcode could be used from any country as long as the country code is included. This was changed in 2012 when the vulnerability was first noticed. Back then, Twitter attempted to respond to the issue by introducing PIN codes for those who have decided to sign up through their longcode.
These days, there exist numerous apps that can spoof phone numbers, which is considered an illegal activity if done without consent. Essentially, spoofing allows anyone to make calls and send messages which appear as if they are coming from another number. This is what hackers did, and all they needed to discover is which phone numbers celebrities used to connect to their Twitter accounts. After that, they managed to spoof said phone numbers and hijack Twitter accounts.
One of the Tweets they posted stated that if they can text from celebrities phone numbers, then they can also take full control of their Twitter. Meanwhile, Twitter continues to claim that the bug was resolved and that further investigation is being conducted. According to hackers themselves, the flaw is still very much present in a number of UK-based accounts.
Furthermore, Insinia stated that their method works thanks to using long code for sending commands. Also, they stated that their researchers are trying to discover if shortcodes can be abused for a similar purpose as well.