Twitter Account Takeover Possible via Phone Number Spoofing

Security experts from Insinia Security have once again demonstrated the dangers of using SMS messages as a second factor for authentication and explained the risks of using Twitter’s SMS functionality. While many users may have forgotten about—or never known of—this feature, Twitter can still be accessed and managed via SMS messages, a method that was quite popular in the early days of the service. The main requirement is that your mobile carrier supports this functionality.

Insinia Security specialists remind us that spoofing phone numbers is not a particularly difficult task these days. For example, earlier this year Instagram developers were forced to introduce new two-factor authentication methods after attackers began hijacking users’ SIM cards en masse, and with them the accounts and identities tied to those numbers. There are many ways to take over someone else’s phone number, ranging from basic social engineering to more technical methods such as the “Ghost Telephonist” technique demonstrated at the DEF CON and Black Hat conferences.

If attackers gain control of someone’s phone number, the victim faces a host of problems—one of which could be losing access to their Twitter account. Researchers explain that to take over a Twitter account, it’s enough to gain control of or spoof the phone number linked to that account.

“This is a very simple attack using old technology,” the experts write, referring to Twitter via SMS. When sending SMS commands, Twitter does not require any additional validation; it’s enough that the messages come from the phone number associated with the account. This means an attacker can send tweets (including direct messages), add or remove followers, enable or disable notifications, and more.

The researchers demonstrated this attack using the accounts of several volunteers: Simon Calder (journalist at The Independent), Eamonn Holmes (radio and TV presenter), and Louis Theroux (documentary filmmaker, journalist, and TV presenter). By spoofing their phone numbers and sending SMS messages, the experts posted messages on behalf of these individuals stating that their accounts had been temporarily compromised by Insinia Security.

This Problem Is Not New

Unfortunately, this issue is far from new. Recently, experts from AntiSocial Engineer also wrote about it, and well-known security expert Richard De Vere discussed the insecurity of Twitter via SMS on his blog. De Vere notes that this problem has been known to attackers for a long time, and they have not hesitated to target well-known brands using this method. Even worse, articles warning about the dangers of this functionality date back to 2007 and 2009. Attentive readers may recall that De Vere demonstrated this attack to Computer Weekly journalists just last weekend, using this very method to compromise the publication’s Twitter account.

The main challenge today is that many people still link their phone numbers to Twitter, not necessarily to use the SMS service. Twitter’s two-factor authentication (2FA) can be set up via text messages, a dedicated app (like Google Authenticator), or a hardware USB key.

Back in 2016, the U.S. National Institute of Standards and Technology (NIST) released a document stating that using SMS messages for two-factor authentication is “unacceptable” and “insecure.” Security experts have long warned about the risks, as there are many possible attack vectors. For example, attackers can exploit vulnerabilities in the SS7 protocol to intercept messages, perform a SIM swap to reissue the victim’s SIM card in their own name, or even use malware to intercept SMS messages on the device itself.

Despite the risks, most users still prefer SMS-based 2FA because it’s the simplest option. This leaves users with a tough choice: unlink their phone number from their account and lose 2FA protection (but avoid the risk of account takeover via number spoofing), or keep their phone number linked and remain vulnerable to Twitter account hacks. Insinia Security experts believe that Twitter should eliminate SMS-based 2FA altogether to prevent this dangerous situation from continuing.