Security researcher finds SMS vulnerability in social media sites

Dec 05, 2012 by Bob Yirka report

(Phys.org)—Jonathan Rudenberg, a self-described security consultant, developer and researcher, has been heavily involved in stamping out an SMS messaging vulnerability he found in Facebook, Venmo and Twitter. He has been posting his efforts on his blog and says that all three companies have finally fixed the problem.

Rudenberg says the vulnerability allowed attackers to spoof messages from the services if they obtained the phone number associated with an account. Spoofing is where hackers send messages that appear to be from the true account holder; most email users have seen examples of spoofed messages in their spam folders. He apparently became aware of the vulnerability in all three services sometime last summer and has been trying since then to get all three to fix the problem. Twitter was the last to do so, having only notified him that the problem had been fixed on December 4.

With Twitter, the problem came about when users configured their account to accept SMS messages and also didn't have a set up for the account. To spoof a message, hackers would only need to know the phone number that had been associated with the account. Also, because of the way Twitter accounts are set up, knowing the phone number would allow hackers to change profile account information as well.
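
The weakness described in the preceding paragraph, as an added example in Python that is not code from the article or from any of the services it names: a toy inbound-SMS command gateway with two handlers. The first trusts the caller ID alone, which is the design the article describes; the second additionally requires a per-account secret at the start of the message and refuses SMS commands from accounts that have none enrolled. That secret is an assumption of this example (the article does not say which safeguard the affected Twitter accounts lacked), and the account, phone numbers and messages are constructed sample data.

```python
# Added illustration (not the page's or the affected services' code): a toy
# inbound-SMS command gateway modelling the design flaw the article describes.
# The caller ID on an SMS is supplied by the sending side, so a gateway that
# treats "message came from the account's phone number" as proof of identity
# will act on a message whose sender field was forged.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import hmac


@dataclass
class Account:
    handle: str
    phone: str                         # number linked to the account
    sms_enabled: bool = True           # user opted in to SMS commands
    sms_secret: Optional[str] = None   # hypothetical per-account secret: an
                                       # assumption of this example, not a
                                       # safeguard the article attributes to
                                       # any of the services


@dataclass
class InboundSms:
    sender: str   # caller ID as delivered by the carrier/aggregator: untrusted input
    body: str


class Gateway:
    def __init__(self, accounts: List[Account]) -> None:
        self.by_phone: Dict[str, Account] = {a.phone: a for a in accounts}
        self.posted: List[Tuple[str, str]] = []   # (handle, text) actions taken

    def _lookup(self, msg: InboundSms) -> Optional[Account]:
        acct = self.by_phone.get(msg.sender)
        if acct is None or not acct.sms_enabled:
            return None
        return acct

    def handle_trusting_sender(self, msg: InboundSms) -> bool:
        """Weak design: the sender number is the only proof of identity."""
        acct = self._lookup(msg)
        if acct is None:
            return False
        self.posted.append((acct.handle, msg.body))
        return True

    def handle_with_secret(self, msg: InboundSms) -> bool:
        """Hardened variant: a secret only the account holder knows must prefix
        the command, and accounts with no secret enrolled cannot use SMS
        commands at all, so a forged caller ID alone is not sufficient."""
        acct = self._lookup(msg)
        if acct is None or acct.sms_secret is None:
            return False
        supplied, _, command = msg.body.partition(" ")
        # constant-time comparison so the check does not leak via timing
        if not hmac.compare_digest(supplied.encode(), acct.sms_secret.encode()):
            return False
        self.posted.append((acct.handle, command))
        return True


def demo() -> Dict[str, object]:
    """Run both designs against genuine and forged messages (constructed data)."""
    victim = Account("alice", "+15550100", sms_secret="7391")
    gw = Gateway([victim])

    # Constructed samples: every sender field claims to be alice's number.
    forged = InboundSms(sender="+15550100", body="I am giving away my password")
    genuine = InboundSms(sender="+15550100", body="7391 lunch was great")
    wrong_secret = InboundSms(sender="+15550100", body="0000 lunch was great")

    return {
        "weak_accepts_forged": gw.handle_trusting_sender(forged),
        "hardened_rejects_forged": not gw.handle_with_secret(forged),
        "hardened_rejects_wrong_secret": not gw.handle_with_secret(wrong_secret),
        "hardened_accepts_genuine": gw.handle_with_secret(genuine),
        "posted": list(gw.posted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the file prints the outcome of each check: the trusting handler posts the forged message under the victim's handle, while the hardened handler only acts on the message carrying the right secret. The secret defends against a forged caller ID only; it travels in the SMS body in the clear, so it is a weak second factor rather than real authentication, which is why removing the SMS command path altogether, as the article says Venmo did, is the simpler fix.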

Rudenberg says he notified Twitter and Facebook that he had found the vulnerability last August, and Venmo in November. He was only able to get through to Facebook, he says, because he has a friend working at the company. Facebook let him know they'd fixed the problem in November, and Rudenberg will be receiving a bounty check from the company for his efforts. He says Venmo (an Internet payment system similar to PayPal) responded very quickly and fixed the problem by disabling SMS payments. Twitter, however, took longer.

Rudenberg says he notified the company about the problem on August 12 and received a response three days later letting him know his concern had been routed to a security team. In September he was asked by the company not to publish what he'd found until they'd fixed the problem. In October, not having heard from the company, he requested an update and received no response. By the end of November he'd become frustrated and sent the company a message indicating he was going to go public with the issue. Six days later he received a message from the company saying the issue had been resolved.
