At the end of last week, the Twitter account of Jack Dorsey, Twitter's CEO, was hacked. Twitter's developers now say they have decided to disable sending tweets via SMS.

Having compromised Dorsey's account, the attackers began publishing offensive and racist content on his behalf, and even claimed that a bomb had been planted at the company's headquarters. The Chuckle Gang hack group claimed responsibility for the attack.
According to official statements, the attack occurred due to an oversight by the mobile operator, which was compromised and allowed an unauthorized person to send SMS messages using Dorsey's phone number.
After the hack of Dorsey's account, Twitter's developers disabled the functionality for sending tweets via SMS.
"We're temporarily turning off the ability to Tweet via SMS, or text message, to protect people's accounts. We're taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication (we're working on improving this)," Twitter Support reported.
Until recently, Twitter could be used via SMS messages, which was quite popular in the service's early days. The main condition was that the telecom operator supported this functionality. The original 140-character limit appeared precisely because of this: it was derived from the maximum length of an SMS message.
Twitter had been aware of this "weakness" for a long time. At the end of 2018, Insinia Security experts warned about the dangers of using SMS messages as the second authentication factor and explained the risks of Twitter's SMS functionality. Worse still, articles on the dangers of this functionality dating from 2007 and 2009 can be found online.
The problem is that in recent years cybercriminals have increasingly "stolen" users' SIM cards through so-called SIM swap attacks. The essence of such an attack is that the criminal contacts representatives of the victim's mobile operator and uses social engineering.
For example, pretending to be the real owner of the number, the attacker claims to have lost or broken the SIM card and tries to have the number transferred to a new SIM card. The attackers then take over accounts tied to the phone number, effectively stealing other people's identities. Such attacks are often used to steal large amounts of cryptocurrency or to compromise valuable Instagram accounts.
It is emphasized that disabling the sending of tweets via SMS is temporary; however, no timeline for resuming the function has been announced yet.

Interestingly, the developers are at the same time shifting some of the blame onto mobile operators, noting that they need to fix vulnerabilities on their side.