Twitter partially fixes SMS security hole


Set PIN for protection.

Twitter has partially closed a security hole that allowed anyone to post updates to users' accounts through SMS.


Security researcher Jonathan Rudenberg said he reported the issue to Twitter in August this year, and that the social media network confirmed soon after that it was a known, old problem.

However, Twitter allegedly did not fix the issue until Rudenberg said he would go public with it in November.

The fix applies to Twitter users with SMS short codes, but the exploit still exists in areas where posting is done via long phone numbers rather than short codes.

Prior to the fix, all Twitter users with SMS tweeting enabled were vulnerable to the exploit.

If an attacker knew which mobile number was associated with a certain Twitter account, messages could be sent with a spoofed source number, according to Rudenberg.

All of Twitter's SMS commands could be used by an attacker, Rudenberg said. This included the ability to tweet as any user and to change profile information.

The exploit worked because many SMS gateways allowed originating addresses to be set to arbitrary values such as other people's phone numbers.

He noted that Facebook and mobile payments provider Venmo were also vulnerable to the same spoofing attack. Both have since plugged the holes.

Rudenberg recommended that Twitter users enable PIN codes if they're available, or completely disable the mobile text messaging feature for Twitter.
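The PIN recommendation above, as an added example (not code from iTnews, Rudenberg or Twitter): a hypothetical inbound-SMS command handler that treats the originating address as an unauthenticated claim and acts only when the message also carries the account's PIN. The PIN-prefix message format, the lockout threshold and the phone number are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # assumed lockout threshold; limits PIN guessing via spoofed messages


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the PIN rather than the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_account(pin: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pin_hash": _hash_pin(pin, salt), "failures": 0}


def handle_inbound_sms(accounts: dict, originator: str, body: str,
                       require_pin: bool = True) -> str:
    """Return 'accepted', 'rejected' or 'locked' for one inbound message.

    `originator` is whatever the SMS gateway reports as the sender. Gateways
    may let the sender set it freely, so it only selects the account; it
    never proves who sent the message.
    """
    account = accounts.get(originator)
    if account is None:
        return "rejected"
    if not require_pin:
        # Behaviour the article describes before the fix: the originating
        # address alone is enough to act on the account.
        return "accepted"
    if account["failures"] >= MAX_FAILURES:
        # Trade-off: a spoofer can still lock SMS posting, but cannot post.
        return "locked"
    # Assumed format: "<PIN> <command text>"
    pin, _, command = body.partition(" ")
    candidate = _hash_pin(pin, account["salt"])
    if command and hmac.compare_digest(candidate, account["pin_hash"]):
        account["failures"] = 0
        return "accepted"
    account["failures"] += 1
    return "rejected"


if __name__ == "__main__":
    accounts = {"+15555550100": make_account("7391")}  # constructed sample data
    print(handle_inbound_sms(accounts, "+15555550100", "hello world"))
    print(handle_inbound_sms(accounts, "+15555550100", "7391 hello world"))
```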

Copyright © iTnews.com.au . All rights reserved.