Researchers find loophole in Twitter authentication process

May 30, 2013

A new authentication step introduced by Twitter last week could potentially be abused by hackers, according to new research.

Twitter introduced a new two-factor login verification process on May 22. It asks users to register a verified phone number and a confirmed email address, which are then used to help authenticate them as they log in.

As part of the process, users will receive a text message on their phone to help verify their accounts, a step that's designed to make it harder for accounts to be hacked even if passwords and usernames are stolen.

However, F-Secure researchers have now pointed out that hackers can take advantage of the new two-factor authentication (2FA) procedure for their own purposes.

"If you don't yet have 2FA enabled, an attacker who gains access to your account via spear phishing could enable it for himself," researcher Sean Sullivan wrote in a company blog post published May 24.

"All that's required is a random phone number and SMS spoofing the word 'GO'."

Mr Sullivan says that attackers could use the new verification feature to actually prolong their access to Twitter accounts which have yet to enable the new security authentication feature.

If a hacker is able to steal a person's login information, they can then register a prepaid phone number on that person's account and turn on the 2FA process.

Once this happens, the real user won't be able to gain access to their own account by doing a simple password reset and will instead have to contact customer support for further assistance.
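The lockout described above can be modelled in a few lines. The example below is added here and is not code from the article, from F-Secure or from Twitter: it replays the scenario (an attacker who already holds the password enrols their own phone) against two toy account services. NaiveService behaves as the article describes, so a later password reset demands an SMS code the real owner cannot produce. HardenedService is a hypothetical control, an assumption rather than Twitter's actual design, in which enrolment stays pending until a token mailed to the already-confirmed email address is presented, so whoever controls that inbox decides whether 2FA turns on. All account names, numbers and the password are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import secrets


@dataclass
class Account:
    username: str
    password: str
    email: str                          # confirmed e-mail address (the article: required for 2FA)
    phone: Optional[str] = None         # active 2FA number; None means 2FA is off
    pending_phone: Optional[str] = None
    pending_token: Optional[str] = None


# Constructed sample owner; the password is a placeholder, not a real credential.
OWNER = dict(username="alice", password="stolen-password-placeholder",
             email="alice@example.invalid")
ATTACKER_PHONE = "+1-555-0100"          # constructed "prepaid" number


class NaiveService:
    """Enrolment as the article describes it: a session holding only the
    password may switch 2FA on immediately, and every later password reset
    then demands an SMS code from the enrolled phone."""

    def __init__(self, acct: Account, mail: Dict[str, List[str]]):
        self.acct, self.mail = acct, mail   # mail: constructed stand-in for inboxes

    def _check_password(self, username: str, password: str) -> bool:
        return username == self.acct.username and password == self.acct.password

    def enable_2fa(self, username: str, password: str, phone: str) -> bool:
        if not self._check_password(username, password):
            return False
        self.acct.phone = phone         # takes effect at once; nobody is notified
        return True

    def reset_password(self, username: str, new_password: str,
                       sms_code: Optional[str] = None) -> bool:
        """Reset via the confirmed e-mail; once 2FA is on, an SMS code is required too."""
        if username != self.acct.username:
            return False
        if self.acct.phone is not None and sms_code is None:
            return False                # owner without the enrolled phone is locked out
        self.acct.password = new_password
        return True


class HardenedService(NaiveService):
    """Hypothetical hardening (an assumption, not Twitter's design): the new
    phone stays pending until a token mailed to the confirmed e-mail address
    is presented, so the inbox owner can decline an enrolment they did not start."""

    def enable_2fa(self, username: str, password: str, phone: str) -> bool:
        if not self._check_password(username, password):
            return False
        self.acct.pending_phone = phone
        self.acct.pending_token = secrets.token_urlsafe(16)
        # The token goes to the confirmed inbox, never back to the caller.
        self.mail.setdefault(self.acct.email, []).append(self.acct.pending_token)
        return True

    def confirm_2fa(self, token: Optional[str]) -> bool:
        expected = self.acct.pending_token or ""
        if token is None or not secrets.compare_digest(token, expected):
            return False
        self.acct.phone = self.acct.pending_phone
        self.cancel_pending_2fa()
        return True

    def cancel_pending_2fa(self) -> None:
        self.acct.pending_phone = self.acct.pending_token = None


def owner_can_recover(service_cls) -> bool:
    """Replay the article's scenario against one service model and report
    whether the legitimate owner can still reset the password afterwards."""
    acct = Account(**OWNER)
    mail: Dict[str, List[str]] = {}
    svc = service_cls(acct, mail)
    # Attacker holds the stolen password and tries to enrol their own phone.
    svc.enable_2fa(acct.username, acct.password, ATTACKER_PHONE)
    # The owner controls only the confirmed inbox; anything pending there can be declined.
    if mail.get(acct.email):
        svc.cancel_pending_2fa()
    return svc.reset_password(acct.username, "new-password-placeholder")


def owner_can_enrol(service_cls) -> bool:
    """Sanity check: the real owner, who reads the inbox, can still turn 2FA on."""
    acct = Account(**OWNER)
    mail: Dict[str, List[str]] = {}
    svc = service_cls(acct, mail)
    svc.enable_2fa(acct.username, acct.password, "+1-555-0199")
    token = mail.get(acct.email, [None])[-1]
    if hasattr(svc, "confirm_2fa"):
        svc.confirm_2fa(token)
    return acct.phone is not None


if __name__ == "__main__":
    for cls in (NaiveService, HardenedService):
        print(cls.__name__, "owner recovers:", owner_can_recover(cls),
              "owner can enrol:", owner_can_enrol(cls))
```

The point of the model is where the decision sits: in the naive flow the password alone is enough to change the account's recovery path, so whoever stole it inherits control of recovery; in the hardened flow the change is gated on a channel the attacker does not hold, and the owner keeps a plain email-based reset until they themselves confirm the enrolment.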

The news highlights the importance of ensuring the vulnerability management policies in your organisation are up to date and as robust as possible.

Even with security measures like the 2FA step introduced by Twitter, cyber criminals may not be deterred.

To ensure your company's ICT networks are as protected as possible, you may wish to contact a trusted security solutions provider such as Securus Global for a thorough security audit.

Using penetration testing and other methods, Securus Global can assess the ICT security of your organisation and identify any flaws before they are exploited.
