Diffstat (limited to 'old/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt')
-rw-r--r-- | old/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt | 26
1 files changed, 0 insertions, 26 deletions
diff --git a/old/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt b/old/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt deleted file mode 100644 index c2e5526..0000000 --- a/old/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt +++ /dev/null 
@@ -1,26 +0,0 @@ -<img border="0" alt="Twitter" title="Twitter" src="http://blog.wired.com/photos/uncategorized/2007/03/16/twitter.png" style="margin: 0px 0px 5px 5px; float: right;" />Got friends on [Twitter][3]? Know their phone number? That's all you need to take over their account and start posting messages in their name. - -A similar exploit affects Jott, another service revolving around phone-based updates. - -The vulnerability stems from the fact that both services use caller ID to authenticate users, but unfortunately caller ID is notoriously easy to spoof. In fact there's a website designed to do just that -- [fakemytext.com][2] - -By spoofing your caller ID, an attacker could post Twitter messages in your name. - -Nitesh Dhanjani over at O'Reilly [details the hacks][1] and claims to have successfully exploited the vulnerabilities on both services. - - ->I tested the Twitter vulnerability by doing the following: - ->1. I registered at fakemytext.com, a SMS spoofing service. -2. Since the fakemytext.com service is based in the UK, I went through the Twitter FAQ and noted their UK based SMS number: +44-7781-488126. -3. I sent the following SMS via fakemytext.com to +44-7781-488126 with the "From" number set to my phone number: "Testing via http://www.fakemytext.com/ . This better not work!" -4. I checked my Twitter page, and sure enough, it was updated with the above SMS message. This means that anyone who knows a Twitter user's cell phone number can update that persons Twitter page. - - -Dhanjani has contacted both services to alert them to the vulnerability and even proposes a solution -- "make the user register and remember a PIN that must precede every SMS." Of course as he points out that comes at the expense of usability. - -Regrettably this sort of hack affects not just Twitter and Jott, but any service that uses caller ID as a means of authentication. 
Dhanjani claims that many cell phone companies, credit card companies, and even banks rely on caller ID information to authenticate users. - -[2]: http://www.fakemytext.com/ "Fake My Text" -[1]: http://www.oreillynet.com/onlamp/blog/2007/04/twitter_and_jott_vulnerable_to.html "Twitter and Jott Vulnerable to SMS and Caller ID Spoofing" -[3]: http://blog.wired.com/monkeybites/2007/03/8_cool_twitter_.html "Cool Twitter Tools"
\ No newline at end of file |
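Review bot: this hunk removes old/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt outright (26 deletions, 0 insertions, "deleted file mode 100644") with no rename target in the diff, so if the article is being relocated rather than retired, a rename would keep its history attached; if it is being retired, the reason belongs in the commit message, since nothing in the hunk explains it. Worth noting while it goes: the text being deleted is the only place on this page that records the proposed mitigation for caller-ID-based SMS authentication ("make the user register and remember a PIN that must precede every SMS") and the broader point that any service authenticating on caller ID alone is exposed, so if the repository keeps a security-notes index elsewhere that reference should be preserved. The file also ended without a trailing newline ("\ No newline at end of file"), which is harmless to drop here but may indicate sibling files in the same directory with the same issue.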