path: root/published/Webmonkey/Monkey_Bites/2007/04.09.07/Wed/twitterhack.txt
<img border="0" alt="Twitter" title="Twitter" src="http://blog.wired.com/photos/uncategorized/2007/03/16/twitter.png" style="margin: 0px 0px 5px 5px; float: right;" />Got friends on [Twitter][3]? Know their phone number? That's all you need to take over their account and start posting messages in their name.

A similar exploit affects Jott, another service revolving around phone-based updates. 

The vulnerability stems from the fact that both services use caller ID to authenticate users, and caller ID is notoriously easy to spoof. In fact, there's a website designed to do just that -- [fakemytext.com][2].

By spoofing your caller ID, an attacker could post Twitter messages in your name.

Nitesh Dhanjani over at O'Reilly [details the hacks][1] and claims to have successfully exploited the vulnerabilities on both services.


> I tested the Twitter vulnerability by doing the following:
>
> 1. I registered at fakemytext.com, an SMS spoofing service.
> 2. Since the fakemytext.com service is based in the UK, I went through the Twitter FAQ and noted their UK based SMS number: +44-7781-488126.
> 3. I sent the following SMS via fakemytext.com to +44-7781-488126 with the "From" number set to my phone number: "Testing via http://www.fakemytext.com/ . This better not work!"
> 4. I checked my Twitter page, and sure enough, it was updated with the above SMS message. This means that anyone who knows a Twitter user's cell phone number can update that person's Twitter page.


Dhanjani has contacted both services to alert them to the vulnerability and even proposes a solution -- "make the user register and remember a PIN that must precede every SMS." Of course, as he points out, that comes at the expense of usability.
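To make the difference concrete, here is an added example (not code from Dhanjani's post or from either service) of an inbound-SMS handler that trusts the sender number, next to one that requires a PIN prefix. The function names, the account store, the phone number and the PIN are constructed, and the salted PIN hash and failure limit go beyond the quoted proposal.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5   # assumed policy: lock PIN posting after 5 bad PINs
FAILURES = {}      # sender number -> consecutive failed PIN attempts

def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted, stretched hash rather than the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def make_account(user: str, pin: str) -> dict:
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "pin_hash": _hash_pin(pin, salt)}

# Constructed sample data: one registered phone number.
ACCOUNTS = {"+15555550100": make_account("alice", "4821")}

def post_update_weak(sender: str, body: str):
    """Caller-ID-only design: the claimed sender number is the credential."""
    acct = ACCOUNTS.get(sender)
    return (acct["user"], body) if acct else None

def post_update_pin(sender: str, body: str):
    """PIN design: the body must be '<PIN> <message>' for the account."""
    acct = ACCOUNTS.get(sender)
    if acct is None or FAILURES.get(sender, 0) >= MAX_FAILURES:
        return None
    pin, _, text = body.partition(" ")
    # Constant-time comparison of the derived hashes.
    if not hmac.compare_digest(_hash_pin(pin, acct["salt"]), acct["pin_hash"]):
        FAILURES[sender] = FAILURES.get(sender, 0) + 1
        return None
    FAILURES[sender] = 0
    return (acct["user"], text) if text else None

if __name__ == "__main__":
    number = "+15555550100"
    print(post_update_weak(number, "posted with only the number"))  # accepted
    print(post_update_pin(number, "posted with only the number"))   # rejected
    print(post_update_pin(number, "4821 posted with the PIN"))      # accepted
```

The failure limit matters because a short numeric PIN can otherwise be guessed over SMS, but it also lets anyone who can spoof the number lock the real user out, so the reset path has to live outside SMS.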

Regrettably, this sort of hack affects not just Twitter and Jott, but any service that uses caller ID as a means of authentication. Dhanjani claims that many cell phone companies, credit card companies, and even banks rely on caller ID information to authenticate users.

[2]: http://www.fakemytext.com/ "Fake My Text"
[1]: http://www.oreillynet.com/onlamp/blog/2007/04/twitter_and_jott_vulnerable_to.html "Twitter and Jott Vulnerable to SMS and Caller ID Spoofing"
[3]: http://blog.wired.com/monkeybites/2007/03/8_cool_twitter_.html "Cool Twitter Tools"