Posted on December 24, 2018 at 10:03 AM
New Twitter Vulnerability Lets Hackers’ Tweet on Other People’s Behalf
After numerous social network hacks, especially when it comes to Facebook, many have started paying additional attention to the security of social platforms. Because of this, a British security researcher recently managed to discover a serious flaw on Twitter.
An individual in question is Richard De Vere, a security researcher for an ethical hacking company, The Antisocial Engineer. According to his report, the Twitter flaw can be exploited and used for sending tweets from other people’s accounts. The flaw is actually very easy to exploit, and he supposedly worked out how to do it within minutes. It is not a complicated hack, but a simple flaw in the code.
How does the flaw work?
According to De Vere’s report, the flaw can expose any account that has an associated mobile phone number. All that hackers really need is the knowledge of what the number is, and they will be able to send tweets, post images or videos, retweet content, and even send private messages. Not only that, but they can also get access to security settings, which allows them to turn the two-factor authentication off. That way, the real owner of Twitter account would never get a warning of someone trying to access their Twitter.
After discovering the flaw, De Vere demonstrated it to others by posting tweets from accounts he did not have previous access to. He also reported the details of the hack to a security testing firm HackerOne. HackerOne is also a company that runs bug bounty programs for Twitter and takes note of all potential flaws on the platform.
For now, the details about how the hack is performed remain unknown, as the vulnerability still needs fixing. Of course, it is still possible that some hackers may be aware of the bug, as De Vere himself has suggested. According to him, this might be the flaw that that was used for performing Twitter scams. Especially in cases where high-profile accounts tweeted fake promotions and then claimed no knowledge about it.
So far, multiple other researchers learned about the flaw, many of which have identified it as a serious vulnerability. One of them is Byte’s CEO, Ed Tucker. Tucker was HM Revenue & Customs’ former head of IT security, and he explained why such a flaw might be extremely dangerous. As an example, he said that a hacker might collect 10,000 phone numbers, and access just as many profiles, some of which may even be influential. If a said hacker used this to tweet about a BTC scam or some fake news, the number of repeats will definitely trick large amounts of people.
Imagine if, say, you used 10,000 phone numbers with this vulnerability, and then wrote a tweet about something, maybe a bitcoin scam, or maybe some fake news. Then every one of those phone numbers that was associated with a twitter account would tweet the same message.
— Ed Tucker (@Teddybreath) December 21, 2018
Because of this, researcher praised The Antisocial Engineer and De Vere’s decision to quickly expose the flaw. He also acknowledges that it is not possible to reveal such flaws to Twitter without reporting it to HackerOne.
De Vere himself also added that there is a possibility that Twitter will struggle with this issue quite a bit. Resolving it might mean switching off an important functionality on a world-wide scale. However, he still believes that Twitter can do it in a short while.
Scams and hacking attacks are more popular than ever on social networks and the internet in general. One such scam has allowed hackers to steal thousands of dollars, simply by posing as Elon Musk and tweeting about a Bitcoin scheme.