Hackers hijack more Twitter accounts after the company claims to have fixed a bug

Twitter claims to have fixed a bug that allowed a group of London-based security researchers to post unauthorized tweets from the accounts of UK celebrities and journalists. But the hackers who originally revealed the vulnerability say it isn't.
A Twitter spokesperson told reporters on Friday that the company had "fixed a bug that allowed some accounts with a connected UK phone number to be targeted by SMS spoofing." But during a conversation with Gizmodo, the hackers who had posted unauthorized tweets to celebrity accounts appeared to repeat the attack after Twitter's claim. The Guardian had already reported the bug as fixed, quoting the same statement that was provided to Gizmodo. Pressed for an explanation, Twitter would only say that it is still investigating the issue to make sure its "account security protocols are working as intended".

The hijacking tests are controversial because the account holders, although notified, did not consent to the experiment, which was carried out by a group called Insinia Security. The group said it was motivated to demonstrate the flaw on high-profile accounts in order to draw attention to the problem. Essentially, the flaw lets anyone post updates to some SMS-enabled accounts, although it is unclear how many accounts are vulnerable. "We do not believe that US-based account holders represent a significant risk," the Twitter spokesperson added. The accounts hijacked by the researchers include those of the Northern Irish broadcaster Eamonn Holmes and the British documentary maker Louis Theroux.

"If we can send a text message from what appears to be your number, we can then interact with your Twitter account and control it fully."

The method is to send text messages containing commands to Twitter while spoofing the phone number of a user. Unbeknownst to many users, a Twitter account will accept commands sent by text message, provided the sender knows where to send them. The numbers used vary from country to country and come in two forms: long codes, which look like ordinary phone numbers, and short codes, typically three to five digits.

The long code assigned to the UK, where Insinia performed its tests, is +447624800379. The short code for US-based users is 40404. Short codes are not available in every country. Before a change in 2012, a long code could be used from any country, even one whose country code did not match the long code's. Many applications available online can be used to "spoof" a phone number, although doing so may be illegal without the number holder's consent. Spoofing a number lets someone send messages or make calls that appear to come from another person's phone. After discovering which phone numbers various celebrities had used to control their Twitter accounts, the hackers were apparently able to spoof those numbers and transmit commands using one of Twitter's long codes.

Twitter said that they had fixed the problem; we didn't believe them, so we wrote this tweet and retweeted it @insiniasec via SMS! – INSINIA LABS (@InsiniaSRT) December 28, 2018

"If we can send SMS from what appears to be your number, we can interact with your Twitter account and control it fully," said Insinia Security. A Twitter spokesman told Gizmodo and other outlets: "We fixed a bug that allowed accounts with a connected UK phone number to be targeted by SMS spoofing. We will continue to investigate all associated reports to ensure that our account security protocols are working as intended."

During a private conversation with Gizmodo, the hackers appeared to repeat their attack, forcing an account belonging to the head of a London-based financial technology company to retweet a BBC tweet. Insinia said it had verified that the flaw persisted using "multiple accounts".

In 2012, Twitter acknowledged a vulnerability that allowed attackers to carry out this type of attack, while stating that some accounts were immune, namely US-based accounts, which had been assigned a short code. At the time, there was no short code for UK users who wanted to send SMS commands. In response, Twitter rolled out a PIN system for users who had signed up for the service using a long code. That measure was not necessary for users in countries with short codes, the company said. A further step was to disable the use of long codes in countries where a short code was available.

At some point the United Kingdom was assigned several Twitter short codes, so it is unclear why a long code still works with UK-based accounts. Insinia said that so far its spoofing attack had only worked against accounts when it used a long code to transmit the commands. It follows that disabling the use of long codes wherever possible would probably solve this problem. However, Insinia told Gizmodo that it was investigating whether accounts that can only receive commands via a short code could also be hijacked. We will update this story with any additional information provided by Twitter.
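As an added illustration, not Twitter's code and not Insinia's, the following Python models the gateway behaviour the article describes: an inbound SMS is attributed to whichever account registered the sender number, so a spoofed caller ID is enough to post and retweet; alongside it is the policy Twitter described in 2012, where long-code commands must carry the account's PIN and long codes are refused in countries that have a short code. The gateway table, the command syntax, the "PIN <pin> <command>" format, the phone numbers and the handles are all assumptions made for the example; only the long code +447624800379 and the short code 40404 come from the article.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Gateway numbers quoted in the article.
UK_LONG_CODE = "+447624800379"
US_SHORT_CODE = "40404"

# Gateway numbers per country (constructed table). The UK short code is a
# placeholder string: the article says the UK has short codes but does not
# list them. "XX" is a hypothetical country that only has a long code.
GATEWAYS = {
    "US": {"short": US_SHORT_CODE},
    "GB": {"short": "UK-SHORTCODE-PLACEHOLDER", "long": UK_LONG_CODE},
    "XX": {"long": UK_LONG_CODE},
}


def pin_hash(pin: str) -> str:
    """Store only a hash of the PIN (assumption of this model)."""
    return hashlib.sha256(pin.encode()).hexdigest()


@dataclass
class Account:
    handle: str
    phone: str                      # registered number, E.164
    country: str
    pin_hash: Optional[str] = None  # set when the user enrolled via a long code
    timeline: list = field(default_factory=list)


@dataclass
class InboundSms:
    sender: str       # caller ID as presented by the carrier: spoofable
    destination: str  # which Twitter number the message was sent to
    body: str


def execute(acct: Account, body: str) -> str:
    """Apply a command. Assumed syntax: 'RT <id>' retweets, anything else
    is posted as a tweet."""
    parts = body.split(maxsplit=1)
    if len(parts) == 2 and parts[0].upper() == "RT":
        acct.timeline.append(("retweet", parts[1]))
        return "ok: retweeted " + parts[1]
    acct.timeline.append(("tweet", body))
    return "ok: tweeted"


class Gateway:
    def __init__(self, accounts):
        self.by_phone = {a.phone: a for a in accounts}

    def handle_insecure(self, sms: InboundSms) -> str:
        """The weakness the article describes: the sender number alone selects
        the account, so a spoofed caller ID gives full control of it."""
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return "rejected: unknown sender"
        return execute(acct, sms.body)

    def handle_hardened(self, sms: InboundSms) -> str:
        """The two mitigations the article attributes to Twitter's 2012
        response: long codes are refused where a short code exists, and
        long-code commands must carry the account's PIN. The short-code path
        still relies on the sender number, as the article describes."""
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return "rejected: unknown sender"
        gw = GATEWAYS[acct.country]
        body = sms.body
        if sms.destination == gw.get("long"):
            if "short" in gw:
                return "rejected: long code disabled where a short code exists"
            parts = body.split(maxsplit=2)
            if (len(parts) != 3 or parts[0].upper() != "PIN"
                    or acct.pin_hash is None
                    or not hmac.compare_digest(pin_hash(parts[1]), acct.pin_hash)):
                return "rejected: valid PIN required for long-code commands"
            body = parts[2]
        elif sms.destination != gw.get("short"):
            return "rejected: unknown gateway for this account's country"
        return execute(acct, body)


def demo() -> dict:
    """Replays the article's scenario (spoofed UK sender, UK long code)
    against both policies. Numbers, handles and the tweet id are constructed."""
    uk = Account("uk_presenter", "+447700900123", "GB")
    xx = Account("longcode_user", "+990000000001", "XX", pin_hash=pin_hash("4821"))
    gw = Gateway([uk, xx])
    spoofed = InboundSms(uk.phone, UK_LONG_CODE, "RT 12345")
    results = {
        "insecure": gw.handle_insecure(spoofed),
        "hardened_uk": gw.handle_hardened(spoofed),
        "hardened_nopin": gw.handle_hardened(InboundSms(xx.phone, UK_LONG_CODE, "hello")),
        "hardened_badpin": gw.handle_hardened(InboundSms(xx.phone, UK_LONG_CODE, "PIN 0000 hello")),
        "hardened_pin": gw.handle_hardened(InboundSms(xx.phone, UK_LONG_CODE, "PIN 4821 hello")),
    }
    results["uk_timeline"] = list(uk.timeline)
    results["xx_timeline"] = list(xx.timeline)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The insecure path shows why caller-ID spoofing is sufficient: the only thing binding the message to an account is a field the carrier network does not authenticate. The hardened path adds a secret the spoofer does not have (the PIN) and removes the attack surface Insinia actually used (a long code accepted for an account in a country that already has a short code); it does nothing for the short-code path, which is the case Insinia told Gizmodo it was still investigating.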