Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Social Networks Twitter IT Technology

Twitter Disables SMS-to-Tweet Feature After Its CEO Got Hacked Last Week (zdnet.com) 20

Twitter is disabling the ability to send tweets via SMS messages after an incident last week when the company's CEO Twitter account got hacked via this feature. From a report: The social network said the move is only temporary, but did not provide a timeline for the feature's reactivation. Twitter blamed the whole issue on mobile networks and "vulnerabilities that need to be addressed by mobile carriers."
This discussion has been archived. No new comments can be posted.

Twitter Disables SMS-to-Tweet Feature After Its CEO Got Hacked Last Week

Comments Filter:
  • by JThundley ( 631154 ) on Thursday September 05, 2019 @06:10PM (#59163650)

    Yes the mobile networks have vulnerabilities, but it was your dumb ass that treated them as secure in the first place.

    • I'm not so sure it was an accident. This seems like a good way to try to force the mobile carriers' hands by making it a conspicuous public issue that wealthy megacorp owners are likely to sympathize with.

    • by AHuxley ( 892839 )
      If mobile networks where secure, the NSA and GCHQ would not be happy.
      Yet big tech trusted wide open mobile networks?
    • by tlhIngan ( 30335 )

      Yes the mobile networks have vulnerabilities, but it was your dumb ass that treated them as secure in the first place.

      Except it wasn't. It was done by breaching the mobile gateway service they used, not the mobile network itself (i.e., they didn't clone a SIM card or hack SS7 or anything like that).

      Instead, they breached the service that was handling the SMS to twitter interface and did things that way.

      Mobile networks are insecure, yes, but it wasn't that insecurity that was the problem. It was the gateway

    • Comment removed based on user account deletion
  • they need to sort out their network security

    No DNSSEC so many countries and ISP's intercept their network traffic and place a TLS tap (MITM)
    No TLS security by allowing client side TLS renegotiation again aiding the interception and no way to force TLS 1.3
    No DANE for their email (even though their email platform can support this)

    time to get on it twitter engineering before the advertisers realise that traffic can be faked and intercepted

     

    • by DrYak ( 748999 ) on Thursday September 05, 2019 @07:01PM (#59163780) Homepage

      note that as Twitter is a network whose main purpose is to shout as widely as possible your opinions,
      the *faked* part is much more critical (somebody trying to pretend being you, in order to shout things in your name) than the *intercepted* part (nothing impressive in trying to steal information that is going to be made widely public anyway. It would be like a spy trying to bug... somebody shouting in a megaphone)

    • by AHuxley ( 892839 )
      Then the police would not get free access :)
    • by mwvdlee ( 775178 )

      Allowing countries to do MITM attacks might actually be a feature for Twitter, as it allows them to continue operating in those countries as opposed to being banned.

      • Having everything explicitly banned is better than the illusion of freedom we currently tolerate.

        I have a real problem with American business that operate on a completely different set of principles than the American people. Not that We the People are not without our faults, we do have this weird assumption of individual expression being an inalienable right.

  • Ya know ... (Score:4, Insightful)

    by fahrbot-bot ( 874524 ) on Thursday September 05, 2019 @06:21PM (#59163678)
    ... everyone freaked out when Dorsey's account got "hacked" but, seriously, he's the CEO of Twitter, not some security god/wizard. His account, and apparently phone, doesn't have any special protections simply because of his position.
    • by Hadlock ( 143607 )

      It's sort of the security team's job to keep track of high profile accounts and secure them accordingly. It's not priority #1 but something like priority 3b. Lack of ability to keep tabs on 3b is indicative of lack of ability to do anything other than keep tabs on priority #1. This kind of blind spot would indicate that either somebody is sleeping on the job or there are many more unknown unknowns out there than previously thought. I would not want to be the Twitter CSO right now.

      • by reanjr ( 588767 )

        More likely the security team brought this up. But Twitter decided tweeting via SMS is more important than security.

        • by flink ( 18449 )

          More likely the security team brought this up. But Twitter decided tweeting via SMS is more important than security.

          Being able to update a micro blog via SMS without access to the internet was Twitter's whole point originally. Turning SMS off globally seems like overkill. For most accounts, it's not worth the effort to clone their phone in order to impersonate them. They'd be better off adding the ability to disable less secure posting methods on a per-account basis makes more sense for high profile accounts.

    • We treat phone numbers like they are the end all in password verification, but hackers demonstrated on 60 minutes that they can access everything about your phone thanks to holes in mobile networks, and they don't even need your phone. All they need is your phone number and hey can do whatever they want from anywhere in the world.
  • by ewhac ( 5844 ) on Thursday September 05, 2019 @06:38PM (#59163718) Homepage Journal
    Am I the only person who seems to remember that Twitter started life as an SMS repeater/broadcaster? That the way you used Twitter was by sending and receiving SMS messages on your feature phone? It's the whole reason tweets were limited to 140 characters, because that's the max size of an SMS message.
    • by EvilSS ( 557649 )

      Am I the only person who seems to remember that Twitter started life as an SMS repeater/broadcaster?

      Yes, in all the world you are the only one to remember that.

    • by SeaFox ( 739806 )

      No. I remember it, too. Twitter was like a brand-new thing and debuting at some tech conference, and that was literally how everyone was using it at the time.

  • Twitter was a key part of my emergency communication plan for Hurricane Dorian; I had planned to rely on it to to reach people in case the web (mobile and wired) became unusable for some reason, including congestion during an emergency. SMS will generally get through even if data connectivity is broken, and with a single SMS I could broadcast my status to people who needed to see it, just by issuing a tweet. This worked without my people needing to create accounts or register anywhere, as they could just vi

  • Caller ID (Score:5, Interesting)

    by geekymachoman ( 1261484 ) on Friday September 06, 2019 @04:50AM (#59164618)
    So what happened ? Somebody found out Jack Dorsey personal phone number, and spoofed caller id to be that number ?

    Is that how Twitter "validates" origin ?

    Regardless what happened. Twitter "security" team are fools. How many times did this happen now ? 4 ?

    You would think that with that much money can buy you at least decent security team...or I don't know.. steal couple guys from facebook.

No spitting on the Bus! Thank you, The Mgt.

Working...