Twitter Two-Factor Authentication Has a Vulnerability - UPDATEDHackers Gain Path to Potential Account Takeover by Turning Off SMS Second Factor
Update Nov. 18, 2022 1:36 UTC: Information Security Media Group has become aware that another security researcher, @BetoOnSecurity, also identified the ability to turn off Twitter SMS 2FA via a texted "STOP" command as a vulnerability, given the potential for spoofing. Our source independently identified the vulnerability. Twitter's ability to support two-factor authentication via SMS appeared to glitch the day before, generating increased interest in the mechanics of Twitter's SMS 2FA system.
Twitter in 2012 dismissed similar concerns centered on the possibility of posting false updates to another user's SMS-enabled Twitter account by writing that its shortcode service for U.S. users is "not vulnerable to SMS spoofing."
Security researchers in the U.K. in 2018 successfully spoofed updates to the accounts of British celebrities by using Twitter longcodes despite social media company having previously enabled Twitter shortcodes in the United Kingdom.
@BetoOnSecurity said in now-deleted tweets that they "reported it to Twitter's bug bounty program, THEY said they didn't consider it a security risk." @BetoOnSecurity also approached HackerOne over whether the vulnerability could be given a bounty. "The people at HackerOne I spoke to about this were gracious but denied a fix or a bounty," they tweeted.
We will update this story as needed.
Security researchers warn that multifactor authentication on Twitter contains a vulnerability allowing potential account takeover.
The vulnerability comes as Twitter enters its third week under the ownership of Elon Musk, a period during which key security and compliance staff at the company have departed, masses of employees and contractors have been laid off, and cracks have begun to show in the company's customer-facing technology (see: Twitter Ramps Up Regulatory Exposure After Loss of CISO).
A researcher contacted Information Security Media Group on condition of anonymity to reveal that texting "STOP" to the Twitter verification service results in the service turning off SMS two-factor authentication.
"Your phone has been removed and SMS 2FA has been disabled from all accounts," is the automated response.
The vulnerability, which ISMG verified, allows a hacker to spoof the registered phone number to disable two-factor authentication. That potentially exposes accounts to a password reset attack or account takeover through password stuffing. Twitter allows uses to set up multifactor authentication through other means besides SMS, including an authentication app and a security key. Twitter did not immediately respond to a request for comment; its communication team reportedly no longer exists.
"This is not a time where you want to be seen as turning features off that might prevent account takeover," said Jeremy Grant, a member of Venable's cybersecurity risk management group and an ISMG contributor.
Account security has been a sore spot for Twitter even before Elon Musk walked into the company's San Francisco headquarters late last month carrying a sink just hours ahead of completing its acquisition for $44 billion. Teen-aged hackers in 2017 took over dozens of high-profile accounts, including Musk's - as well as the accounts of Barack Obama, Kim Kardashian West and Jeff Bezos - to tweet a cryptocurrency scam.
The New York Department of Financial Services determined Twitter had weak internal security protocols and lacked a senior executive in charge of cybersecurity.
During Musk's tenure as chief executive, another problem related to account control has emerged - a spate of fake accounts posing as multinational brands that appeared genuine, thanks to the presence of a blue checkmark. Musk has asserted that the blue checkmark, which Twitter has bestowed on journalists, celebrities and brands after verifying the account holder is genuine, created a "lords & peasants system." The new social media chief executive said he would make the symbol available to anyone paying $8 a month, without verifying their identity.
Reporting by Casey Newton shows the company's trust and safety team attempted to warn Musk beforehand that $8 would not deter impersonators.
Musk proceeded anyway. During a roughly two-day period over Wednesday and Thursday, tricksters impersonated pharmaceutical company Eli Lilly by announcing that insulin would now be free, banana producer Chiquita by declaring the overthrow of the Brazilian government, and Musk-led electric car maker Tesla by extending an offer to ship 10,000 cars to support the Ukrainian military. "Our cars are the most explosive devices on the market," said the blue checkmark account @TesIaReal. Musk suspended the program on Friday.
By then, the spate of impersonations had caught the attention of Democratic U.S. Sen. Ed Markey, who wrote to Musk that his actions have "accelerated Twitter's descent into the Wild West of social media." The letter was tied to a Friday report from The Washington Post in which a reporter impersonated the Massachusetts lawmaker.
"I’m asking for answers from @elonmusk who is putting profits over people and his debt over stopping disinformation. Twitter must explain how this happened and how to prevent it from happening again," Markey tweeted.
"Perhaps it is because your real account sounds like a parody?" Musk responded.