Security researcher finds SMS vulnerability in social media sites

Dec 05, 2012 by Bob Yirka report

(Phys.org)—Jonathan Rudenberg, a self-described security consultant, developer and researcher, has been heavily involved in stamping out an SMS messaging vulnerability he found in Facebook, Venmo and Twitter. He has been posting his efforts on his blog and says that all three companies have finally fixed the problem.

Rudenberg says the vulnerability allowed attackers to spoof messages from the services if they obtained the phone number associated with an account. Spoofing is where hackers send messages that appear to be from the true account holder – most users of email have seen examples of spoofed messages in their spam folders. He apparently became aware of the vulnerability in all three services sometime last summer and has been trying to get all three to fix the problem. Twitter was the last to do so, having only notified him that the problem had been fixed December 4.

With Twitter, the problem came about when users configured their account to accept SMS messages and also didn't have a set up for the account. To spoof a message, hackers would only need to know the phone number that had been associated with the account. Also, because of the way Twitter accounts are set up, knowing the phone number would also allow hackers to change profile account information.
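The weakness described above is a service treating the sender number of an inbound SMS as proof of identity, even though a spoofed message can carry any sender number. The following is an added illustration, not code from Rudenberg or from any of the three companies: a constructed inbound-SMS handler in its vulnerable form beside a hardened form that requires a per-account secret in the message body. The account table, message format and the PIN scheme are all assumptions; the page does not say how Twitter fixed its side.

```python
import hmac

# Constructed account table (assumption): phone number -> account record.
# The "pin" field is an assumed mitigation used only by the hardened handler.
ACCOUNTS = {
    "+15555550123": {"user": "alice", "pin": "4821"},
}


def parse_inbound_sms(raw):
    """Parse a gateway-style record 'From: <number>\\nBody: <text>' (constructed format)."""
    fields = {}
    for line in raw.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields.get("from", ""), fields.get("body", "")


def handle_sms_insecure(raw):
    """Vulnerable pattern: the sender number alone authorises the command.

    Because the sender number of an SMS can be spoofed, anyone who knows the
    number tied to an account can have a message posted as that account.
    """
    sender, body = parse_inbound_sms(raw)
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return ("rejected", "unknown number")
    return ("posted", acct["user"], body)


def handle_sms_hardened(raw):
    """Hardened pattern: the sender number only selects the account; a secret PIN
    that must prefix the body proves the message came from the account holder.
    The PIN is compared in constant time so the check does not leak by timing.
    """
    sender, body = parse_inbound_sms(raw)
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return ("rejected", "unknown number")
    pin, _, command = body.partition(" ")
    if not hmac.compare_digest(pin, acct["pin"]):
        return ("rejected", "bad or missing PIN")
    if not command:
        return ("rejected", "empty command")
    return ("posted", acct["user"], command)
```

Where a secret cannot be required, the remaining option is the one Venmo took: disable the SMS command channel entirely.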

Rudenberg says he notified Twitter and Facebook that he had found the vulnerability last August, and Venmo in November. He says he was only able to get through to Facebook because he has a friend working with the company. Facebook let him know they'd fixed the problem in November, and Rudenberg will be receiving a bounty check from the company for his efforts. He says Venmo (an Internet payment system similar to PayPal) responded very quickly and fixed the problem by disabling SMS payments. Twitter, however, took longer.

Rudenberg says he notified the company about the problem on August 12 and received a response three days later letting him know his concern had been routed to a security team. In September he was asked by the company not to publish what he'd found until they'd fixed the problem. In October, having not heard from the company, he requested an update and received no response. By the end of November he'd become frustrated and sent the company a message indicating he was going to go public with the issue. Six days later he received a message from the company saying the issue had been resolved.
