Twitter users who use their phone's text messaging to tweet are susceptible to an exploit that allows attackers to make unauthorized tweets and changes to the profile, a security researcher has warned.
The attack, according to a blog post published by researcher Jonathan Rudenberg, works so long as a Twitter account is configured to accept SMS messages and doesn't have a personal identification number set up. The added PIN protection isn't available in the US, he said. Attackers who know the phone number associated with an account can then make unauthorized tweets and a variety of profile changes by spoofing the number. The attack exploits the ease of spoofing the originating address of SMS messages.
"Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account," Rudenberg wrote. "The attacker only needs knowledge of the mobile number associated with a target's Twitter account. Messages can then be sent to Twitter with the source number spoofed."
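The weakness described above, modelled from the receiving side as an added example (not Twitter's code and not from Rudenberg's post). It shows why the originating number can identify an account but cannot authenticate it, and how a per-account PIN changes the outcome. The phone numbers, the PIN value, the function names and the convention that the PIN is the first word of the message are all assumptions made for the illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Account:
    handle: str
    sms_pin: Optional[str] = None          # None models an account with no PIN set
    tweets: List[str] = field(default_factory=list)


# Constructed sample data: registered phone number -> account.
ACCOUNTS = {
    "+15550100": Account("alice"),                # SMS enabled, no PIN
    "+15550101": Account("bob", sms_pin="4821"),  # SMS enabled, PIN set
}


def handle_inbound_sms(claimed_sender: str, body: str) -> str:
    """Process one inbound SMS command.

    claimed_sender is the originating address as delivered by the SMS
    gateway. The sender of the message controls that field, so it is used
    only to look up the account, never as proof of who sent the message.
    """
    account = ACCOUNTS.get(claimed_sender)
    if account is None:
        return "ignored: unknown number"

    if account.sms_pin is None:
        # Vulnerable configuration from the article: the claimed number
        # is the only check, so any message carrying it is accepted.
        account.tweets.append(body)
        return "posted: sender number was the only check"

    # Hardened configuration: require a secret the sender field cannot carry.
    pin, _, text = body.partition(" ")
    if not hmac.compare_digest(pin.encode(), account.sms_pin.encode()):
        return "rejected: missing or wrong PIN"
    if not text:
        return "rejected: empty message"
    account.tweets.append(text)
    return "posted: PIN verified"
```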