Twitter and the similar service Jott can be exploited very easily: all you need to know is a person's phone number to take over their account and post phony messages. The attack is easy because these services authenticate an incoming SMS solely by its originator ("From") number, the SMS equivalent of caller ID, and that number is set by whoever sends the message. If you know someone's phone number, you can send a spoofed SMS that appears to come from them, and the service will treat it as theirs.
Nitesh Dhanjani discovered the exploit and notes the process…
I tested the Twitter vulnerability by doing the following:
1. I registered at fakemytext.com, an SMS spoofing service.
2. Since the fakemytext.com service is based in the UK, I went through the Twitter FAQ and noted their UK based SMS number: +44-7781-488126.
3. I sent the following SMS via fakemytext.com to +44-7781-488126 with the “From” number set to my phone number: “Testing via http://www.fakemytext.com/ . This better not work!”
4. I checked my Twitter page, and sure enough, it was updated with the above SMS message. This means that anyone who knows a Twitter user's cell phone number can update that person's Twitter page.
So for all of you out there who both have a Twitter account with SMS posting enabled and have your phone number on your website: look out. Your phone number is effectively your password.
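To make the flaw concrete, here is an added example (not code from the original post, and not Twitter's or Jott's actual implementation) modelling an inbound-SMS handler the way the post describes it: the service looks up the account by the message's originator number and posts the body. Beside it is a hardened version that also requires a per-user secret PIN at the start of the message, so knowing the phone number alone is no longer enough. The PIN scheme, the phone numbers, the usernames and the helper names are all assumptions made for this illustration.

```python
"""Added example, not from the original post or from Twitter/Jott.

Models an inbound-SMS gateway handler.  The originator ("From") number is
supplied by the sender and can be set to anything by an SMS spoofing
service, so a handler that trusts it alone has exactly the weakness the
post describes.  The hardened handler additionally demands a per-user
PIN at the start of the body (an assumed mitigation, not something the
post documents).  All numbers, names and PINs below are constructed.
"""
import hmac
from dataclasses import dataclass


@dataclass
class InboundSms:
    originator: str  # "From" number as delivered; attacker-controlled
    body: str


# Constructed user table: phone number -> (username, pin)
USERS = {
    "+15555550100": ("alice", "4821"),
}


def normalize(number: str) -> str:
    """Canonicalise '+1 555 555 0100' and '+1-555-555-0100' to '+15555550100'."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


def vulnerable_handler(sms: InboundSms, users=USERS):
    """Post the body as whichever user owns the originator number.

    Returns (username, posted_text) or None if the number is unknown.
    This is the flaw: the originator number is the only credential.
    """
    user = users.get(normalize(sms.originator))
    if user is None:
        return None
    username, _pin = user
    return (username, sms.body)


def hardened_handler(sms: InboundSms, users=USERS):
    """Require the body to be '<PIN> <message>' from the owning number.

    Returns (username, message) or None when the number is unknown, the
    body has no PIN prefix, or the PIN does not match.  The comparison is
    constant-time so a gateway cannot be used as a timing oracle.
    """
    user = users.get(normalize(sms.originator))
    if user is None:
        return None
    username, pin = user
    parts = sms.body.split(" ", 1)
    if len(parts) != 2:
        return None
    supplied, message = parts
    if not hmac.compare_digest(supplied.encode(), pin.encode()):
        return None  # in production: also rate-limit and alert the user
    return (username, message)


if __name__ == "__main__":
    # Constructed spoofed message: attacker sets From to alice's number.
    spoofed = InboundSms("+1 555 555 0100", "This better not work!")
    print("vulnerable:", vulnerable_handler(spoofed))   # posts as alice
    print("hardened:  ", hardened_handler(spoofed))     # None, rejected
```

Note that a PIN carried in the SMS body is only a partial fix: it stops the attack in the post (attacker knows nothing but the phone number), but the PIN still travels in clear through the carrier network and is exposed to anyone who can read the victim's sent messages. A stronger design does not let an unauthenticated inbound channel post at all.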
Tags: Twitter, Jott, Hack, Exploit
3 comments
Great to know, Andy! In this day and age of identity theft, we need to be extra careful what we do.
The exact same thing happened to me, but they used a site called hoaxMail (http://www.hoaxmail.co.uk).
Shouldn’t these services be closed down?
I don’t think they should be shut down. But, they should be used with discretion and with adequate warning to potential users.
I’m staying off the bandwagon. I don’t see any good or value from participating.