Security expert Jonathan Rudenberg has disclosed information about a vulnerability in Facebook, Twitter, the Venmo payment system and other services that are linked to a mobile phone number. He discovered the vulnerability in August 2012 and notified the security departments of the respective companies. Facebook fixed the bug on November 28, 2012, and promised to pay compensation, but Twitter has been slow so far. Since more than three months have passed, Jonathan Rudenberg considers it possible to disclose the information.

The idea of the attack is that if you know the victim’s mobile phone number, you can send a message to Twitter’s long number through an SMS gateway with a forged sender number. Many gateways allow the sender of a message to be set to any phone number or even an arbitrary identifier.

Any Twitter user is vulnerable to this attack if a phone number is linked to the account and no PIN code is set to protect it.

Besides posting fake messages on Twitter, the attacker can edit the victim’s profile, attach an arbitrary URL to the profile, follow arbitrary users, send private messages, and perform other SMS commands in the victim’s name.

Jonathan recommends that Twitter switch entirely to short codes for receiving incoming messages. Usually a message cannot be sent to a short code through a gateway. Alternatively, Twitter could move to a two-step command execution procedure, in which a confirmation code is sent to the user after each message.
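
The two-step procedure described above, sketched as an added example (not code from Twitter or from Jonathan Rudenberg). The class name, the callbacks, the six-digit code and the five-minute lifetime are assumptions; the point is that the sender field alone never triggers a command.

```python
import hmac
import secrets
import time

CODE_TTL = 300  # seconds a confirmation code stays valid (assumed value)


class SmsCommandGate:
    """Holds inbound SMS commands until the number's owner confirms them."""

    def __init__(self, send_sms, execute, now=time.time):
        self.send_sms = send_sms  # callable(number, text): outbound SMS
        self.execute = execute    # callable(number, command): runs the command
        self.now = now            # injectable clock, so expiry can be tested
        self.pending = {}         # number -> (code, command, expiry)

    def on_inbound(self, claimed_sender, text):
        """claimed_sender is the SMS sender field, which a gateway can forge."""
        text = text.strip()
        entry = self.pending.get(claimed_sender)
        if entry and text.isdigit():
            code, command, expiry = entry
            del self.pending[claimed_sender]  # one attempt per code
            if self.now() <= expiry and hmac.compare_digest(code, text):
                self.execute(claimed_sender, command)
                return "executed"
            return "rejected"
        # New command: do not run it. The code is delivered to the real
        # handset, so a sender who only forged the field never sees it.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[claimed_sender] = (code, text, self.now() + CODE_TTL)
        self.send_sms(claimed_sender, f"Reply {code} to confirm: {text[:40]}")
        return "pending"


if __name__ == "__main__":
    # Constructed scenario: the number and the command are sample values.
    outbox, ran = [], []
    gate = SmsCommandGate(lambda n, t: outbox.append((n, t)),
                          lambda n, c: ran.append((n, c)))
    print(gate.on_inbound("+15550100", "follow example"), ran)  # forged sender
    owner_code = outbox[-1][1].split()[1]  # only the handset receives this
    print(gate.on_inbound("+15550100", owner_code), ran)
```

A wrong or expired code discards the pending command, so each guess costs the sender a fresh challenge that is visible on the owner's phone.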