Tuesday, March 10, 2009

Twitter Security Hole Left Accounts Open to Hijack

Micro-blogging service Twitter.com has fixed a vulnerability that until Wednesday night allowed users to create fake posts on other users' Twitter pages, or sign up fellow users for a deluge of potentially wallet-busting text messages.

Twitter is designed to let people blog from their phones, by sending text (aka "short message service" or SMS) messages or "Tweets" that will then appear on the user's Twitter.com home page. Any Twitter users who are "following" or have syndicated that account will then receive updates on their Web sites about what that user is doing. Twitter users can choose to receive updates from other users via their own home page, through their phone, or both.

The authentication weakness allowed anyone who knew your mobile number to spoof messages to your Twitter.com home page so that they appeared to have come from you, provided your mobile phone number was set up to post and/or receive Twitter messages. That's because Twitter determined which home page should display a new message solely by checking the "sender ID" field, the part of every mobile text message that carries the sender's telephone number. A sender ID is metadata supplied with the message rather than proof of who sent it, so using it as the only credential amounts to authenticating users by a value they do not control.
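As an added illustration (not code from the original post, and not Twitter's own implementation), the Python sketch below contrasts an inbound-SMS handler that selects the posting account from the sender-ID field alone with one that additionally requires a per-account PIN that the user enrolled out of band, for instance on the web site while logged in. The phone numbers, PINs, table names and function names are constructed for the example; the forged message in the usage section simply reuses a victim's sender ID to show how each handler treats it.

```python
import hashlib
import hmac
import secrets

# --- Constructed sample data (not real Twitter data) ---
# Mobile number as it appears in the SMS sender-ID field -> account name.
PHONE_TO_ACCOUNT = {"+15555550100": "alice", "+15555550101": "bob"}


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked table does not reveal PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Per-account PIN enrolled out of band (hypothetical enrollment step).
_SALT = {"alice": secrets.token_bytes(16), "bob": secrets.token_bytes(16)}
PIN_HASH = {
    "alice": _hash_pin("4271", _SALT["alice"]),
    "bob": _hash_pin("9038", _SALT["bob"]),
}


def post_trusting_sender_id(sender_id: str, body: str):
    """Vulnerable design: the sender-ID field alone selects the account.

    Returns (account, text) that would be posted, or None if unknown number.
    Anything that can set the sender-ID field can post as that account.
    """
    account = PHONE_TO_ACCOUNT.get(sender_id)
    if account is None:
        return None
    return (account, body)


def post_with_pin(sender_id: str, body: str):
    """Hardened design: sender ID picks a candidate account, the PIN proves it.

    Message format assumed here: "<PIN> <text to post>".
    Returns (account, text) on success, or None on any failure; the caller
    should log rejections and rate-limit repeated failures per account.
    """
    account = PHONE_TO_ACCOUNT.get(sender_id)
    if account is None:
        return None
    pin, sep, text = body.partition(" ")
    if not sep or not text:
        return None  # no PIN supplied, so refuse rather than fall back
    candidate = _hash_pin(pin, _SALT[account])
    # Constant-time comparison so timing does not leak how close a guess was.
    if not hmac.compare_digest(candidate, PIN_HASH[account]):
        return None
    return (account, text)


if __name__ == "__main__":
    # Legitimate message from alice's phone, with her PIN in the body.
    print(post_with_pin("+15555550100", "4271 lunch at noon"))
    # A message carrying alice's number in the sender-ID field but no PIN:
    # the vulnerable handler posts it, the hardened one drops it.
    print(post_trusting_sender_id("+15555550100", "not really alice"))
    print(post_with_pin("+15555550100", "not really alice"))
```

The PIN raises the bar from "knows the victim's phone number" to "knows the phone number and a secret only the account holder enrolled", which is the gap the sender-ID check left open. It is still a shared secret travelling in clear text through the carrier, so it defends against forged sender IDs, not against anyone who can read the message in transit; a stronger design would bind posting to a one-time code sent to the enrolled phone.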
More information at http://voices.washingtonpost.com/securityfix/2009/03/twitter_security_h.html?wprss=securityfix