Security researcher finds SMS vulnerability in social media sites

Dec 05, 2012 by Bob Yirka

(Phys.org)—Jonathan Rudenberg, a self-described security consultant, developer and researcher, has been heavily involved in stamping out an SMS messaging vulnerability he found in Facebook, Venmo and Twitter. He has been posting his efforts on his blog and says that all three companies have finally fixed the problem.

Rudenberg says the vulnerability allowed hackers to spoof messages from the services if they obtained the phone number associated with an account. Spoofing is where hackers send messages that appear to be from the true account holder – most users of email have seen examples of spoofed messages in their spam folders. He apparently became aware of the vulnerability in all three services sometime last summer and has been trying to get all three to fix the problem. Twitter was the last to do so, having only notified him that the problem had been fixed December 4.

With Twitter the problem came about when users configured their account to accept SMS messages and also didn't have a set up for the account. To spoof a message, hackers would only need to know the phone number that had been associated with the account. Also because of the way Twitter accounts are set up, knowing the phone number would also allow hackers to change profile account information.

Rudenberg says he notified Twitter and Facebook that he had found the vulnerability last August and Venmo in November. He was only able to get through to Facebook, he says, because he has a friend working with the company. Facebook let him know they'd fixed the problem in November, and Rudenberg will be receiving a bounty check from the company for his efforts. He says Venmo (an Internet payment system similar to PayPal) responded very quickly and fixed the problem by disabling SMS payments. Twitter, however, took longer.

Rudenberg says he notified the company about the problem on August 12, and received a response three days later letting him know his concern had been routed to a security team. In September he was asked by the company to not publish what he'd found till they'd fixed the problem. In October, having not heard from the company, he requested an update and received no response. By the end of November he'd become frustrated and sent the company a message indicating he was going to go public with the issue. Six days later he received a message from the company saying the issue had been resolved.
