December 5, 2012 report
Security researcher finds SMS vulnerability in social media sites
(Phys.org)—Jonathan Rudenberg a self described security consultant, developer and researcher has been heavily involved in stamping out an SMS messaging vulnerability he found in Facebook, Venmo and Twitter. He has been posting his efforts on his blog and says that all three companies have finally fixed the problem.
Rudenberg says the vulnerability allowed hackers to spoof messages from the services if they obtained the phone number associated with an account. Spoofing is where hackers send messages that appear to be from the true account holder – most users of email have seen examples of spoofed messages in their spam folders. He apparently became aware of the vulnerability in all three services sometime last summer and has been trying to get all three to fix the problem. Twitter was the last to do so, having only notified him that the problem had been fixed December 4.
With Twitter the problem came about when users configured their account to accept SMS messages and also didn't have a personal identification number set up for the account. To spoof a message, hackers would only need to know the phone number that had been associated with the account. Also because of the way Twitter accounts are set up, knowing the phone number would also allow hackers to change profile account information.
Rudenberg says he notified Twitter and Facebook that he had found the vulnerability last August and Venmo in November. He was only able to get through to Facebook, he says because he has a friend working with the company. Facebook let him know they'd fixed the problem in November, and Rudenberg will be receiving a bounty check from the company for his efforts. He says Venmo, (an Internet payment system similar to Paypal) responded very quickly and fixed the problem by disabling SMS payments. Twitter however, took longer.
Rudenberg says he notified the company about the problem on August 12, and received a response three days later letting him know his concern had been routed to a security team. In September he was asked by the company to not publish what he'd found till they'd fixed the problem. In October, having not heard from the company he requested an update and received no response. By the end of November he'd become frustrated and sent the company a message indicating he was going to go public with the issue. Six days later he received a message from the company saying the issue had been resolved.
© 2012 Phys.org