Telstra users safe from Twitter SMS flaw

Powered by SC Magazine
 

Others should use PIN protection.

An SMS bug has made it possible to issue spoofed tweets for some Australian Twitter account holders.

An attacker could forge the sender number of an SMS so that it appeared to come from the victim's phone, and then post tweets by SMS under the victim's account.

In Australia, only Telstra and Azercell subscribers were safe from attack, along with Twitter users who opted to put PIN protection on their accounts.

This was because spoofing was not possible over shortcodes, offered by both Telstra and Azercell (0198089488 and 8800 respectively).

Vulnerable longcodes could not be used where a shortcode was available, Twitter's product security engineering manager Moxie Marlinspike said.

"Given that it is possible to send an SMS message with a fake source address to [shortcodes], we have offered PIN protection to users who sign up with a longcode since 2007. As of August of this year, we have additionally disallowed posting through longcodes for users that have an available shortcode," he said.
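The policy Marlinspike describes, as an added example that is not Twitter's code: a toy inbound-SMS handler that trusts the sender number only on a shortcode route, refuses longcode posting where the carrier offers a shortcode, and otherwise demands a per-account PIN before accepting the post. The carrier table, phone numbers, PIN hashing scheme and message format are assumptions constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed carrier table (assumption): carriers that expose a shortcode,
# which per the article cannot be reached with a forged source address.
SHORTCODE_CARRIERS = {"telstra", "azercell"}


@dataclass
class Account:
    phone: str
    carrier: str
    pin_hash: Optional[bytes]  # None means the user never enabled PIN protection


def hash_pin(pin: str, phone: str) -> bytes:
    # Hypothetical storage format: PBKDF2-SHA256 with the phone number as salt.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), phone.encode(), 100_000)


def handle_inbound(account: Account, route: str, body: str) -> Tuple[bool, str]:
    """Decide whether an inbound SMS may post. route is 'shortcode' or 'longcode'."""
    if route == "shortcode":
        # Source address is trustworthy on this route, so no PIN is required.
        return True, "posted via shortcode"
    if route != "longcode":
        return False, "unknown route"
    # Longcode source addresses can be forged, so the number alone proves nothing.
    if account.carrier in SHORTCODE_CARRIERS:
        # User has a shortcode available: longcode posting is disabled outright.
        return False, "longcode disabled: shortcode available"
    if account.pin_hash is None:
        return False, "PIN protection not enabled"
    # Expected message shape (assumption): "<PIN> <tweet text>".
    pin, _, text = body.partition(" ")
    if not text:
        return False, "bad or missing PIN"
    # Constant-time comparison so timing does not leak how close a guess was.
    if not hmac.compare_digest(hash_pin(pin, account.phone), account.pin_hash):
        return False, "bad or missing PIN"
    return True, "posted via longcode with PIN"
```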

Jonathan Rudenberg discovered the flaw and reported the findings on his blog.

"The same vulnerability also existed in Facebook and Venmo, a mobile payments service for use among friends, but those two companies were more responsive to fixing the issue," Rudenberg said.

He reported the bug to Venmo last Thursday, and it was corrected by Saturday.

Facebook took longer: the weakness was reported to the social networking giant on 19 August, and Rudenberg was notified last Wednesday that the hole had been plugged.

He ran into more difficulty with Twitter, which was alerted to the vulnerability on 17 August; when Rudenberg checked back for an update on 15 October, he heard nothing.

He decided last Wednesday to go public with the disclosure, referencing only Twitter.

Affected users can follow Twitter's guide to set up PIN protection.

Copyright © SC Magazine, Australia
