
Both Twitter and Jott authenticate users by their phone number. Twitter does this by validating users based upon the source of SMS messages sent to the phone number 40404 (US), and Jott does this by trusting the incoming Caller ID when someone calls 877-568-848. From a security perspective this means the following:
- Anyone who knows your phone number can update your Twitter page by spoofing an SMS message, i.e. post a Twitter entry as you.
- Anyone who knows your phone number can spoof his or her caller ID to send a Jott message as you.
I tested the Twitter vulnerability by doing the following:
- I registered at fakemytext.com, an SMS spoofing service.
- Since the fakemytext.com service is based in the UK, I went through the Twitter FAQ and noted their UK based SMS number: +44-7781-488126.
- I sent the following SMS via fakemytext.com to +44-7781-488126 with the “From” number set to my phone number: “Testing via http://www.fakemytext.com/ . This better not work!”
- I checked my Twitter page, and sure enough, it was updated with the above SMS message. This means that anyone who knows a Twitter user’s cell phone number can update that person’s Twitter page.
I tested the Jott vulnerability by doing the following:
- I registered at jott.com for a free account.
- When jott.com asked me to call 1-877-568-8486 to register my phone, I called that number from a friend’s phone instead. I used spoofcard.com to initiate the call and had it spoof my cell phone number.
- Jott looked at the caller ID of the incoming call and validated me even though I was calling from another phone. This means that anyone who has a Jott user’s cell phone number can send Jott messages as that user.
At first glance, many people are extremely cynical about the Twitter service - why would you want to keep up with mundane updates on your friends’ daily lives? Regardless, Twitter is becoming extremely popular (Twittervision can keep me entertained for hours) all around the world. People are increasingly relying on the service to update themselves on current events. There has also been some discussion on extending a service like Twitter to alert a group of people about life threatening events.
I have let the folks at Twitter know about this security issue - they sent me an email a few days ago to let me know they are looking into it. The solution to this is quite simple: make the user register and remember a PIN that must precede every SMS to Twitter. Because the solution comes with the expense of usability, Twitter will have to make a business decision to decide if this issue needs to be mitigated. In other words, Twitter will have to weigh the security risk of this issue against the impact to the ease of use of their service.
Since the purpose of Jott is to update people of important events, the Caller ID spoofing vulnerability issue is a must-fix in their situation. I have let Jott know of this issue as well. My proposed solution for Jott is the same: make the user register and enter the PIN when calling 1-877-568-8486 from their phone.
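To make the difference concrete, here is an added example (not code from Twitter, Jott, or the original post) contrasting the sender-only lookup described above with the PIN-prefix mitigation proposed for both the Twitter SMS gateway and the Jott phone registration. The user store, phone number, PIN and salt are constructed for illustration; the same check applies whether the "sender" is an SMS From number or an incoming Caller ID and the PIN arrives as leading text or keypad digits.

```python
import hashlib
import hmac

# Constructed sample data: phone number -> account. In the design the post
# criticises, the sender number alone selects and authenticates the account.
SALT = b"constructed-salt-for-demo"


def hash_pin(pin: str, salt: bytes = SALT) -> bytes:
    """Salted, slow hash so a leaked user table does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


USERS = {
    "+15550100": {"name": "alice", "pin_hash": hash_pin("4821")},
}


def sender_only_post(sender: str, body: str):
    """Vulnerable: trusts the spoofable From number / Caller ID by itself."""
    user = USERS.get(sender)
    if user is None:
        return None
    return (user["name"], body)


def pin_protected_post(sender: str, body: str):
    """Mitigated: the user's registered PIN must precede the message text.

    A spoofed sender alone is no longer enough; the attacker would also
    need the secret PIN, which never travels in a header.
    """
    user = USERS.get(sender)
    if user is None:
        return None
    pin, _, text = body.partition(" ")
    # Constant-time comparison of the hashed candidate against the stored hash.
    if not hmac.compare_digest(hash_pin(pin), user["pin_hash"]):
        return None
    return (user["name"], text)


if __name__ == "__main__":
    spoofed = ("+15550100", "This better not work!")
    print("sender-only:", sender_only_post(*spoofed))        # accepted
    print("pin-protected:", pin_protected_post(*spoofed))    # rejected
    print("with PIN:", pin_protected_post("+15550100", "4821 hello"))
```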
It’s not just Twitter and Jott who are susceptible to these issues. Unfortunately, I’ve come across cell phone companies, credit card companies, and even banks that rely on Caller ID information to authenticate their customers. Because it is so easy to spoof Caller ID, it is clear that Caller ID information should never be trusted to authenticate users, and many financial institutions have learnt this the hard way.
Given the popularity of Twitter, similar phone+IM+email mash-up services are likely to be created in the very near future. I sincerely hope these services realize the implications of authenticating users based on incoming SMS headers and Caller ID information.


Amazing exploit. You would think this would be harder.
I hope you notified twitter as a simple courtesy before posting this exploit.
@brian:
Yes I did. Quote from my post above:
Trendy Web 2.0 sites aren't the only ones using this insecure method. My newspaper uses such a system to suspend/resume delivery, and my bank uses it for ATM card activation.
You could maintain security if (a) you always have easy access to spoofing, and (b) they don't use your phone number for any other purpose. Just come up with a true secret and send the messages from that number.
I'm an engineer at Obvious and I work on Twitter.
We're working on implementing the PIN-based solution suggested in this article, and we've deployed some other protections against spoofing in the meantime. I don't think we were given nearly enough time to respond before this article was published, but that's my personal opinion and not the opinion of Obvious.
The "spoofability" of SMS and other mobile services is a problem that needs to be solved at the carrier level, not by individual applications. It doesn't take a genius to see that if every SMS-based application out there is vulnerable to spoofing, it's probably a protocol-level flaw. Applications like Twitter can put a band-aid on this flaw, but it's not the right architectural solution.
That said, doing the research involved to make a security recommendation to the mobile carriers would have taken real effort on the part of the author. Why bother when cheap hacks like this are easy and fun?
When I informed Biz and help@twitter.com, I was absolutely clear in stating my responsible disclosure policy: http://www.wiretrip.net/rfp/policy.html
SMS was never designed to be used for authentication, just as the From: address in an email was never designed to be something to authenticate against. That is like saying: the folks who designed the SMTP protocol should go back and change the RFC to accommodate applications that are poorly designed such that they trust the "From" header.
And I thought the folks at Twitter would owe me gratitude for pointing this out to them and explaining the exact steps on how it can be abused. With this sort of an attitude, security researchers will be more inclined to publish the issues without even informing you.