Unfortunately, “researchers” at Insinia have essentially developed a 0day to hijack anyone’s Twitter account. Using Twitter’s own built-in SMS command structure, the hack theoretically affects any and all Twitter users who have attached a phone number to their accounts, or any user who enables two-factor authentication (2FA) for those accounts. While it is a bit technical and Insinia did not release their entire methodology to the public, they demonstrated a proof of concept (PoC) by hacking the accounts of various international celebrities and public figures and spoofing messages onto their timelines.
The hack works by pretending to send messages from a given phone number: the attacker manipulates Twitter’s own built-in SMS command structure using an independent, third-party device that forges the sender number. Essentially, if the hacker knows your phone number they can send commands to Twitter that appear to come from your phone, faking your identity and compromising the integrity of your timeline. While the hack does not let hackers take over your account outright, it does allow them to send Tweets and Direct Messages from it.
I call this a 0day because, according to the researchers themselves, the only way to fix the problem is to “Remove your number from your Twitter account” – that’s it, that’s the only thing you can do, lol. The team has also submitted a list of recommendations to Twitter’s developers, asking them to decouple people’s phone numbers from their accounts, or to disable the feature that lets users who enable two-factor authentication publish new tweets from that phone. However, given that Twitter often requires users to provide a phone number to verify their accounts, and is likely to keep doing so, Twitter is unlikely to enact any of these recommendations any time soon. This means there is no simple or easy fix for this problem; all you can do is remain vigilant and keep auditing your account on a daily basis.
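To make the design point concrete: the weakness described above is that the SMS command interface treats the presented sender number as proof of identity, and caller ID is something a third-party device can forge. The toy model below is an added illustration, not Insinia’s research code or Twitter’s implementation; the account registry, the phone numbers and the challenge-response fix are all constructed assumptions. It places a gateway that trusts the sender number next to one that first texts a one-time code to the registered number and only acts on a matching reply, so a spoofer, who can forge what a message claims to be from but cannot read what that number receives, never completes the exchange.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class InboundSms:
    sender: str  # caller ID as presented by the carrier; it can be spoofed
    body: str


class PhoneNetwork:
    """Constructed stand-in for the carrier. Outbound texts land in the inbox
    of whoever really controls the number, regardless of who spoofed it."""

    def __init__(self) -> None:
        self.inboxes: dict[str, list[str]] = {}

    def deliver(self, number: str, text: str) -> None:
        self.inboxes.setdefault(number, []).append(text)

    def inbox(self, number: str) -> list[str]:
        return self.inboxes.get(number, [])


class WeakGateway:
    """Models the flaw the article describes: the presented sender number is
    the only credential, so a spoofed message posts as the victim."""

    def __init__(self, number_to_account: dict[str, str]) -> None:
        self.number_to_account = number_to_account
        self.posted: list[tuple[str, str]] = []

    def handle(self, sms: InboundSms) -> str:
        account = self.number_to_account.get(sms.sender)
        if account is None:
            return "unknown number"
        self.posted.append((account, sms.body))
        return f"posted as {account}"


class HardenedGateway:
    """Hypothetical fix: every command needs a one-time code that is sent TO
    the registered number. Spoofing controls what a message claims to be
    from, not what that number receives, so the spoofer never sees the code."""

    def __init__(self, number_to_account: dict[str, str], network: PhoneNetwork) -> None:
        self.number_to_account = number_to_account
        self.network = network
        self.posted: list[tuple[str, str]] = []
        self.pending: dict[str, dict[str, str]] = {}  # sender -> code + body

    def handle(self, sms: InboundSms) -> str:
        account = self.number_to_account.get(sms.sender)
        if account is None:
            return "unknown number"
        if sms.body.startswith("CONFIRM "):
            supplied = sms.body.split(" ", 1)[1].strip()
            pending = self.pending.pop(sms.sender, None)  # one attempt per code
            if pending and hmac.compare_digest(supplied, pending["code"]):
                self.posted.append((account, pending["body"]))
                return f"posted as {account}"
            return "confirmation rejected"
        code = secrets.token_hex(3)  # 6 hex digits; a single guess is allowed
        self.pending[sms.sender] = {"code": code, "body": sms.body}
        self.network.deliver(sms.sender, f"Reply CONFIRM {code} to post: {sms.body}")
        return "confirmation required"


def run_scenario() -> dict:
    """Constructed scenario: a spoofer forges the victim's number at both gateways."""
    victim, attacker = "+15550001111", "+15550009999"  # constructed numbers
    registry = {victim: "@victim"}
    network = PhoneNetwork()
    weak = WeakGateway(registry)
    hardened = HardenedGateway(registry, network)

    spoofed = InboundSms(sender=victim, body="spoofed message")

    weak.handle(spoofed)      # lands on the victim's timeline immediately
    hardened.handle(spoofed)  # the code goes to the victim's real handset
    guess = hardened.handle(InboundSms(sender=victim, body="CONFIRM 000000"))

    # The real owner sends a command and can read the code that came back.
    hardened.handle(InboundSms(sender=victim, body="legit message"))
    code = network.inbox(victim)[-1].split()[2]
    owner = hardened.handle(InboundSms(sender=victim, body=f"CONFIRM {code}"))

    return {
        "weak_posted": weak.posted,
        "hardened_posted": hardened.posted,
        "attacker_guess": guess,
        "owner_result": owner,
        "attacker_inbox": network.inbox(attacker),
        "victim_inbox_count": len(network.inbox(victim)),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the weak gateway posting the spoofed message while the hardened one posts only the owner’s own command. The design still has limits worth noting: the victim receives confirmation prompts for commands they never sent (which is at least a detection signal), and keeping a single pending request per number means a spoofer can cancel the owner’s in-flight confirmation. Decoupling the phone number from the account entirely, as the researchers recommend, avoids both problems.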
Full list of Twitter SMS commands: https://help.twitter.com/en/using-twitter/sms-commands
Full research write-up from Insinia: https://medium.com/insinia/this-account-has-been-hijacked-temporarily-4909fa190f5d
Categories: Hacking News