Twitter has partially addressed one of the security vulnerabilities that allowed multiple accounts to be compromised over the last two weeks by temporarily disabling tweeting via SMS.
Since late August, hackers have compromised multiple Twitter accounts including the accounts of Twitter CEO Jack Dorsey, YouTubers Shane Dawson and James Charles, video game streamer BigJigglyPanda, and actress Chloë Grace Moretz.
The accounts were compromised via SIM swapping, a technique in which attackers persuade a mobile carrier to move the target's phone number onto a SIM card they control. In most of these attacks, once the attackers held the target's phone number, they used Twitter's tweet-via-SMS feature, which accepts the sending phone number as sufficient proof of who is tweeting, to post from the target's account.
From today, tweeting via SMS will be disabled temporarily.
Twitter Support said it’s making the change because of “vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication” and added that the feature will be reactivated in some markets soon.
The change means that hackers will no longer be able to exploit the specific vulnerability they were using to send tweets from some of the previously compromised Twitter accounts. However, it does little to address the other vulnerabilities associated with SIM swapping.
Most notably, as Twitter Support says in its tweet, Twitter relies on having a linked phone number for two-factor authentication, a security measure that is meant to stop accounts from being taken over. Twitter says: "This requirement is in place for account recovery."
But the same requirement lets an attacker who has taken over a phone number by SIM swapping use that account recovery process to take over the associated Twitter account, without ever touching the SMS tweeting feature.
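The weakness both paragraphs describe is the same one: a phone number reported by the carrier is treated as an authenticator, so whoever holds the number after a SIM swap inherits every action it authorizes. The following is an added illustration, not Twitter's code, of that trust model beside a hardened one in which the number only routes the request and authorization comes from a per-account authenticator secret that is never sent over SMS. The account table, phone numbers and action names are constructed; the secret is the RFC 4226 HOTP test-vector key so the codes are checkable.

```python
import hashlib
import hmac
import struct

# Constructed sample data: carrier-reported sender number -> account handle.
PHONE_TO_ACCOUNT = {"+15550001111": "victim"}
# Per-account authenticator secrets, enrolled out of band (e.g. an app), never
# delivered by SMS. This one is the RFC 4226 test-vector key, not a real secret.
ACCOUNT_SECRET = {"victim": b"12345678901234567890"}
# Highest HOTP counter accepted per account, to reject replayed codes.
LAST_COUNTER = {"victim": -1}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def vulnerable_sms_action(sender: str, action: str, payload: str):
    """Trusts the carrier-reported sender number as the sole authenticator.
    After a SIM swap the attacker originates SMS from the victim's number, so
    this authorizes a tweet or a recovery request for them unchallenged."""
    handle = PHONE_TO_ACCOUNT.get(sender)
    if handle is None:
        return None
    return (handle, action, payload)


def hardened_sms_action(sender: str, action: str, payload: str, code: str, counter: int):
    """The phone number only routes the request to an account. Authorizing it
    requires an HOTP code from the account's authenticator secret, which a SIM
    swapper does not have, and each counter value is accepted at most once."""
    handle = PHONE_TO_ACCOUNT.get(sender)
    if handle is None:
        return None
    secret = ACCOUNT_SECRET.get(handle)
    if secret is None or counter <= LAST_COUNTER.get(handle, -1):
        return None  # no enrolled factor, or a replayed/stale code
    if not hmac.compare_digest(hotp(secret, counter), code):
        return None
    LAST_COUNTER[handle] = counter
    return (handle, action, payload)


if __name__ == "__main__":
    # Attacker holding the victim's number after a SIM swap, but not the secret.
    print(vulnerable_sms_action("+15550001111", "recover", "reset-password"))
    print(hardened_sms_action("+15550001111", "recover", "reset-password", "000000", 1))
    # Legitimate owner with the authenticator app supplies the current code.
    print(hardened_sms_action("+15550001111", "tweet", "hello", hotp(ACCOUNT_SECRET["victim"], 1), 1))
```

The point of the hardened path is not HOTP specifically but that nothing the carrier can reassign is used as a secret: the number selects the account, and a factor the attacker cannot obtain by social-engineering a carrier decides whether the action runs. The same separation applies to the recovery flow, which is why a linked phone number alone should never be enough to reset an account.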
The announcement from Twitter Support came hours after it was reported that the phone numbers of over 60% of US Facebook users had been exposed online, another lapse that leaves hundreds of millions of people easier to target for SIM swapping, since a phone number tied to a named account is exactly what an attacker needs to start the attack.