Not this Medium account… Celebrity & Verified Twitter accounts, like the ones you read the tweet from!
If you’re reading this then you’ve probably seen some of our research on Twitter, where INSINIA SECURITY successfully hijacked the accounts of a number of celebrities, including Eamonn Holmes & Louis Theroux.
Some of you may know that INSINIA has been highlighting the security issues around text messages, and around the use of the cell network for authentication, interaction and even everyday communication, for over 7 years, since INSINIA wrote one of the first tools for spoofing the MSISDN (the sender's number) within text messages.
Back in March, we warned about the issues of using text messages for security. In fact, we warned about using them for pretty much anything!
See here: https://www.telegraph.co.uk/technology/2018/03/08/mobile-networks-investigate-flaw-leaves-4g-customers-open-hacking/
Then in November, we highlighted the same issue again:
So what did Twitter do? Well they allowed anyone with your phone number to Tweet from your account.
- We worked out how Twitter handles incoming texts from your number. If we can send a text that appears to come from your number, then we can interact with, and fully control, your Twitter account.
- We needed numbers! This was surprisingly easy, but we won’t disclose exactly how we did it here.
- We spoofed commands from those numbers to Twitter, following this handy guide: https://help.twitter.com/en/using-twitter/sms-commands
- We used this method to successfully control the target's Twitter account, allowing us to send Tweets, retweet and like tweets, follow and unfollow people, and much more!
How it could be abused by nation states, hackers and organised crime groups:
- Ruin the reputations of people & organisations by retweeting offensive/extremist material
- Spread fake news and disinformation via influential celebrities and journalists
- Covertly like tweets so that the likes show up in followers' feeds. Again, this could be used to like offensive/extremist material to ruin reputations, or to like fake news and/or products/services from companies in order to influence the general public
- Send direct messages to trusted contacts in the victim's network to socially engineer people into clicking links that install advanced malware to remotely control devices and monitor the users
- Tweet a link to an attacker-controlled site that silently installs malware on users' PCs, phones or tablets with no user interaction
- Direct message an attacker-controlled account with content that could be used to blackmail, harass or harm the victim
Taking this to the next level:
- Enumerate data dumps and harvest valid Twitter accounts
- Socially engineer people to get their account numbers
- Use it as a propagation method for malware: the virus looks for phone numbers on the phone, tablet or PC, checks whether any belong to Twitter accounts and, if so, sends a message to all of the user's contacts to infect their network
- Remove your number from your Twitter account
- Twitter should completely remove this functionality, as users rely on the phone number added to their account for two-factor authentication
- Twitter should also decouple your phone number: using your number for TFA should not automatically allow you to Tweet from that number, especially with SIM swap attacks becoming more prevalent.
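To make the decoupling recommendation concrete, here is an added example (written for this post, not Twitter's code and not Insinia's tooling) that models the two designs side by side. The `Account`, `InboundSms` and both policy functions are hypothetical; the phone numbers are constructed placeholders. The coupled policy trusts the presented sender number, which is exactly the field a spoofed text controls; the decoupled policy requires a separate, explicit enrolment for SMS commands and, as an additional assumed measure, a PIN in the message body, so a spoofed caller ID alone is not enough.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set, Dict

# Hypothetical model of a social-media account's phone settings (not Twitter's code).
@dataclass
class Account:
    handle: str
    tfa_number: Optional[str] = None                       # number enrolled only to receive 2FA codes
    sms_command_numbers: Set[str] = field(default_factory=set)  # numbers explicitly enrolled for SMS commands
    sms_command_pin: Optional[str] = None                  # assumed extra factor: shared PIN sent with each command


@dataclass
class InboundSms:
    sender: str  # caller ID as presented by the network; spoofable, so it must not be trusted on its own
    body: str


def coupled_policy(account: Account, sms: InboundSms) -> bool:
    """Weak design the post describes: a number added for 2FA is automatically allowed to issue commands.
    Anything that can present the victim's number as the sender passes this check."""
    return account.tfa_number is not None and sms.sender == account.tfa_number


def decoupled_policy(account: Account, sms: InboundSms) -> bool:
    """Hardened design: 2FA enrolment grants no command rights; the number must be enrolled for
    commands separately, and the text must carry the account's PIN as its first token."""
    if sms.sender not in account.sms_command_numbers:
        return False
    if account.sms_command_pin is None:
        return False
    parts = sms.body.split(maxsplit=1)
    if len(parts) < 2:
        return False
    pin, _command = parts
    # constant-time comparison so the PIN check does not leak timing information
    return secrets.compare_digest(pin, account.sms_command_pin)


def demo() -> Dict[str, bool]:
    """Constructed scenario: an attacker spoofs the victim's 2FA number and sends a retweet command."""
    victim = Account(handle="victim", tfa_number="+447700900123")  # constructed placeholder number
    spoofed = InboundSms(sender="+447700900123", body="RT 12345")
    return {
        "coupled_accepts_spoof": coupled_policy(victim, spoofed),     # True: the weak design is fooled
        "decoupled_accepts_spoof": decoupled_policy(victim, spoofed), # False: no command enrolment, no PIN
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is not the PIN itself but the separation: a user who only ever added a number to receive 2FA codes should have no SMS command surface at all, which is what the first "remove your number" recommendation achieves for the individual and the decoupled policy achieves for every account.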
READ PART 2 OF THIS BLOG HERE: