FOLLOWING INSINIA’S INTERVENTION, TWITTER FIXES A SECURITY LOOPHOLE SEVEN YEARS AFTER IT WAS WIDELY PUBLICISED

INSINIA
Jan 2, 2019

Twitter has fixed a loophole well known to the cybersecurity community, some seven years after it was first publicised. The loophole allowed anyone with a user's phone number and a simple software tool to tweet from and control that user's Twitter account.

This fix followed a well-publicised demonstration of the loophole on 27th December 2018, in which INSINIA SRT (Security Research Team) sent a legitimate request to a legitimate third-party service, which in turn sent a request to Twitter; Twitter then posted to timelines based on the incoming SMS, which allowed indirect tweets to appear on certain celebrities' Twitter accounts. All those affected were notified in advance of INSINIA's intervention.

The action was taken to highlight the vulnerability for Twitter users and to remind Twitter itself that this flaw existed. To Twitter's credit, the loophole was closed within 72 hours of INSINIA's actions and, as a result, all of Twitter's users can enjoy the service with a much greater level of security.

Although INSINIA's actions may be seen by a few as controversial, the benefit of the end result speaks for itself. As INSINIA is a professionally responsible and ethically driven organisation, it is most important that commentators who are not technical experts clearly understand the following:

  • At NO point were any of the celebrity Twitter accounts “hacked”. There was no access sought or gained to the accounts chosen. As such no private information or account data was seen, compromised or altered.
  • Twitter itself was not hacked — what was highlighted was the existence of a large, open door through which prospective malicious entrants could walk. As such there was no breach of Twitter’s usage protocols, no passwords broken / used or security measures undermined.
  • No passwords, credentials, or personal or confidential information were used throughout this research. This was passive, indirect contact with Twitter's infrastructure, not with the accounts or users directly.
  • All of the celebrities were notified of the steps that would be taken by INSINIA before anything was done. None of those chosen have actively criticised INSINIA’s actions and it would seem the benefit to them and other users is clear.

INSINIA remains committed to publicising flaws in any social media and other platforms that prospectively compromise or allow the public’s data to be stolen, misused or threatened in any way. In so doing, INSINIA will always have regard for the legality and ethical context of the means it deploys to achieve these ends.
