If you use Twitter and have a mobile phone, hackers may be able to tweet whatever they want from your account. That exact thing happened to Twitter CEO Jack Dorsey this week. It happened because of a vulnerability that Twitter should have blocked years ago.
For about 20 minutes yesterday, @jack, Dorsey's Twitter account, tweeted racist and antisemitic slurs and a bomb threat to its 4.2 million followers. The tweets appeared to be the work of a hacking group called the Chuckle Squad that has also hacked some prominent YouTube accounts. The tweets were quickly removed, and @TwitterComms, Twitter's communications account, responded immediately.
We're aware that @jack was compromised and investigating what happened.-- Twitter Comms (@TwitterComms) August 30, 2019
Less than two hours later, @TwitterComms said the issue was solved.
The account is now secure, and there is no indication that Twitter's systems have been compromised.-- Twitter Comms (@TwitterComms) August 30, 2019
Three hours after that, @TwitterComms felt ready to point the the finger at Dorsey's mobile phone carrier as the source of the problem.
The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.-- Twitter Comms (@TwitterComms) August 31, 2019
Well, sort of. The issue may be resolved for @jack, but it's not resolved for the rest of us. Pretty much every Twitter user with a mobile phone could possibly have the same thing happen.
At issue is a company called Cloudhopper that Twitter acquired in 2010. With Cloudhopper, Twitter is able to offer a nifty little service: Text a message to 40404 from a mobile number associated with your Twitter account, and that message appears as a tweet from your Twitter handle. There's no need to sign in with a password. These days, not too many people likely need or use that SMS-to-tweet capability, but it still works, as tested by a CNN reporter. I found it works for me too.
Look ma not logged in-- kevin collier (@kevinco99119564) August 30, 2019
The problem with this is that mobile phone numbers aren't as secure as they were, or at least seemed to be, nine years ago. These days, phone number can be and are spoofed--imitated over the internet--or stolen through something called SIM swapping. SIM swapping consists of convincing a mobile carrier that you have a new phone or SIM card and need to port your mobile number over, and as hacking goes, it's relatively simple to do.
Most anyone who has a Twitter account and a mobile phone is vulnerable to the same tactic--because Twitter strongly encourages its users to associate their mobile phones with their Twitter accounts. Ironically, the top reason Twitter says you should do this is "Keeping your account secure." The primary tool for this is two-factor authentication, which Twitter calls "login verification." It's a now-familiar idea: When you sign into Twitter--after you enter your password--it will text you a six-digit number that you must also enter to prove it's really you.
Two-factor authentication is a great idea and it does indeed make things more secure, but as the term suggests, people should need two--not one--factor to gain access to an account. Allowing people to post tweets simply by texting from a particular mobile number, without requiring them to also enter a password, means not only can SIM-swapping hackers tweet from your account, so can anyone who steals your phone, or even picks it up for a moment while you're not looking.
Given the obvious hacking risk, you might think Twitter would offer SMS-to-tweet as an option that users could select, making sure they understand the tradeoffs. Or at least offer some means of opting out of it. But no--if you have a phone number associated with your account, then SMS-to-tweet works from your phone whether you want it to or not. As Twitter's SMS FAQ page explains, "When you send a text message from your phone to your Twitter code, it will always post as a Tweet to your profile." Just to be clear, "your Twitter code" means 40404.
It's a horrendous and inexcusable security flaw, and there's not much Twitter users can do about it. You could try adding a PIN code to your mobile carrier account--which is a good idea in any case because getting SIM swapped is undesirable for many reasons other than Twitter--but not all carriers allow for this. You could try setting up a dummy number to use with your Twitter account, via Google Voice, for example, but it might still be vulnerable to spoofing.
And really, it's not up to you to close this loophole. Twitter should have done it long ago. Why would the company ever allow anyone to tweet without a password? And why is it still allowing it after Dorsey's account was hacked? I just can't think of a good answer to either question.
I've reached out to Twitter representative for comment. If they respond, I'll update this piece.