Researchers from Insinia Security, a London-based company, recently posted to celebrity Twitter accounts to demonstrate a point: the social media giant never closed security holes that date back to an older way of tweeting.
Before smartphones and the Twitter app were widespread, users could post tweets by sending them as ordinary SMS texts. The Twitter account was bound to the user’s phone number, and a text arriving from that number was treated as coming from the account holder. The researchers defeated this binding by spoofing the sender number: texts sent with a spoofed sender ID were posted directly to the accounts of celebrities and journalists, including broadcaster Eamonn Holmes and filmmaker Louis Theroux.
Certain online services let a user spoof the sender ID, so a message or call appears to come from a number entirely different from the one tied to the phone actually being used. The researchers uncovered the phone numbers that certain celebrities had connected to their Twitter accounts and used such spoofing services to send texts "from" those numbers. While the researchers notified the celebrities that they were posting to their accounts for this experiment, they did not ask for the targeted celebrities’ consent beforehand.
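The root cause described above is that the sender ID of an SMS is an attacker-controlled field, yet the legacy SMS-to-tweet path treated it as proof of identity. The following is an added example, not Twitter's code or Insinia's, that models an inbound-SMS handler in both forms: the legacy variant that authenticates on sender ID alone, and a hardened variant that additionally requires a per-account secret in the message body. The phone numbers, account table, secrets and message bodies are all constructed for the example (the numbers come from the Ofcom reserved drama range), and the `PIN:` prefix format is an assumption, not a real Twitter command syntax.

```python
"""Toy model of an SMS-to-post gateway, constructed for illustration.

The point it demonstrates: the sender field of an inbound SMS is set by
whoever hands the message to the carrier or gateway, so a handler that
authorizes a command on the sender alone can be driven by a spoofed text.
"""
from dataclasses import dataclass
import hmac
import re


@dataclass(frozen=True)
class InboundSms:
    sender: str     # sender ID as delivered by the gateway: attacker-controlled
    recipient: str  # number or shortcode the message was addressed to
    body: str       # message text


# Constructed account table: phone number -> account handle (hypothetical).
ACCOUNTS = {"+447700900123": "@celebrity"}

# Constructed per-account command secrets for the hardened variant (hypothetical).
COMMAND_SECRETS = {"@celebrity": "4921"}


def post_legacy(msg: InboundSms):
    """Sender-ID-only authentication: whoever controls the From field posts.

    Returns (handle, text) for the post that would be published, or None.
    """
    handle = ACCOUNTS.get(msg.sender)
    if handle is None:
        return None
    return handle, msg.body


# Assumed command format for the hardened variant: "PIN:<4 digits> <text>".
_PIN_RE = re.compile(r"^PIN:(\d{4})\s+(.*)$", re.S)


def post_hardened(msg: InboundSms, secrets=COMMAND_SECRETS):
    """Sender ID selects the account, but a secret the spoofer does not
    have must also be present before anything is posted.

    Returns (handle, text) or None if the message is rejected.
    """
    handle = ACCOUNTS.get(msg.sender)
    if handle is None:
        return None
    m = _PIN_RE.match(msg.body)
    if m is None:
        return None                       # no secret supplied: reject
    supplied, text = m.groups()
    expected = secrets.get(handle)
    # Constant-time comparison so a wrong PIN is not distinguishable by timing.
    if expected is None or not hmac.compare_digest(supplied, expected):
        return None
    return handle, text


# Constructed messages. Both carry the celebrity's number as sender; only the
# first was actually sent by the account holder, the second is spoofed.
LEGIT = InboundSms("+447700900123", "+447700900999", "PIN:4921 Hello from my own phone")
SPOOFED = InboundSms("+447700900123", "+447700900999", "I did not write this")


if __name__ == "__main__":
    print(post_legacy(SPOOFED))    # spoofed text is published as @celebrity
    print(post_hardened(SPOOFED))  # rejected: no secret
    print(post_hardened(LEGIT))    # published
```

The per-message secret is a minimal illustration of "something the spoofer does not have"; a four-digit PIN in cleartext SMS is still weak (it can be shoulder-surfed, phished or brute-forced under rate limits), so the stronger remediation is to stop treating any SMS-originated command as authenticated, which is the direction the later paragraphs describe.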
Although Twitter has worked to eliminate many security threats, as shown by the company taking down 70 million bot accounts since May, the social media giant reportedly did not succeed in correcting this flaw.
A Twitter spokesperson said on Dec. 28 that the company had fixed the issue after the researchers brought it to its attention. However, the researchers reportedly reproduced the attack successfully shortly after Twitter made that statement.
In that statement, the Twitter spokesperson also said that its experts do not believe there is a significant risk to account holders based in the United States. According to Gizmodo, the difference in risk comes down to which number the tweet-texts are sent to. Users with United Kingdom numbers send texts to what is known as a longcode, an ordinary full-length phone number that can receive a message from any SMS gateway, including one that sets an arbitrary sender ID. Users with U.S. phone numbers send their messages to a shortcode, a number usually three to five digits long that is provisioned with the carriers, so a spoofed-sender message from an internet gateway is not generally routed to it.
The U.K. did enable several Twitter shortcodes at some point, making it unclear why the longcode the researchers used still works. While Twitter investigates that question, Insinia is currently looking into whether there is a method for hijacking accounts that receive text commands via a shortcode.