Diffstat (limited to 'old/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt')
-rw-r--r-- | old/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/old/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt b/old/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt new file mode 100644 index 0000000..c2e5526 --- /dev/null +++ b/old/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt 
@@ -0,0 +1,26 @@ +<img border="0" alt="Twitter" title="Twitter" src="http://blog.wired.com/photos/uncategorized/2007/03/16/twitter.png" style="margin: 0px 0px 5px 5px; float: right;" />Got friends on [Twitter][3]? Know their phone number? That's all you need to take over their account and start posting messages in their name. + +A similar exploit affects Jott, another service revolving around phone-based updates. + +The vulnerability stems from the fact that both services use caller ID to authenticate users, but unfortunately caller ID is notoriously easy to spoof. In fact there's a website designed to do just that -- [fakemytext.com][2] + +By spoofing your caller ID, an attacker could post Twitter messages in your name. + +Nitesh Dhanjani over at O'Reilly [details the hacks][1] and claims to have successfully exploited the vulnerabilities on both services. + + +>I tested the Twitter vulnerability by doing the following: + +>1. I registered at fakemytext.com, a SMS spoofing service. +2. Since the fakemytext.com service is based in the UK, I went through the Twitter FAQ and noted their UK based SMS number: +44-7781-488126. +3. I sent the following SMS via fakemytext.com to +44-7781-488126 with the "From" number set to my phone number: "Testing via http://www.fakemytext.com/ . This better not work!" +4. I checked my Twitter page, and sure enough, it was updated with the above SMS message. This means that anyone who knows a Twitter user's cell phone number can update that persons Twitter page. + + +Dhanjani has contacted both services to alert them to the vulnerability and even proposes a solution -- "make the user register and remember a PIN that must precede every SMS." Of course as he points out that comes at the expense of usability. + +Regrettably this sort of hack affects not just Twitter and Jott, but any service that uses caller ID as a means of authentication. 
Dhanjani claims that many cell phone companies, credit card companies, and even banks rely on caller ID information to authenticate users. + +[2]: http://www.fakemytext.com/ "Fake My Text" +[1]: http://www.oreillynet.com/onlamp/blog/2007/04/twitter_and_jott_vulnerable_to.html "Twitter and Jott Vulnerable to SMS and Caller ID Spoofing" +[3]: http://blog.wired.com/monkeybites/2007/03/8_cool_twitter_.html "Cool Twitter Tools"
\ No newline at end of file |
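Review bot: the blockquote of Dhanjani's test steps is broken in this hunk: only the line "I tested the Twitter vulnerability by doing the following:" and step "1." carry the `>` prefix, so steps 2 through 4 will render outside the quote as the post's own words rather than as quoted text; prefix each of those lines with `>` (e.g. `>2. Since the fakemytext.com service is based in the UK, ...`). Two smaller points: the file is added without a trailing newline (the `\ No newline at end of file` marker), which makes later diffs noisier, and the reference definitions are listed as [2], [1], [3]; ordering them [1], [2], [3] would make them easier to maintain.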