By Tyler Jang. January 8, 2019.
On December 27, the cybersecurity firm Insinia hijacked the Twitter accounts of several British journalists and tweeted, “This account has been temporarily hijacked by Insinia Security.”
Included in the tweet was a link to a Medium blog post detailing the means of the attack. Insinia hackers exploited Twitter’s SMS commands, spoofing the phone number connected to a user’s account and allowing the firm to tweet, retweet, like, and send messages without the user’s permission. The user retained primary access to the account, but Insinia could exert control over the account’s activity as long as the phone number linked to the profile remained unchanged. The logistics of the attack were quite simple, explained Insinia chief executive Mike Godfrey, noting that the attack could take an unskilled individual “within half an hour.” This attack exposed the vulnerabilities that have long been linked to Twitter’s SMS functionality and their potential implications.
On the same day, the ethical hacking firm The Antisocial Engineer used the same exploit to hijack digital magazine Computer Weekly’s Twitter account and tweet, “Thank you for allowing us to demonstrate the attack.” This attack, however, was carried out with explicit “written permission” from Computer Weekly. By contrast, the Insinia attack targeted several prominent British journalists, including Louis Theroux, Eamonn Holmes, and Simon Calder, all trusted sources of information. Insinia reportedly notified them of their susceptibility prior to the attack, but its warnings were left unheard. Godfrey views his team’s action as a message to Twitter, not the affected users, who only experienced “passive interaction.”
Some experts see Insinia’s behavior as a violation of the British Computer Misuse Act of 1990, however, which outlaws unauthorized access or modification of computer information.
Godfrey defends the attack, however, criticizing Twitter’s failure to address the vulnerability after Insinia brought it to their attention in 2007. He highlights the potential implications: bad actors could spread misinformation via the accounts of reputable journalists, liking and retweeting posts to push extremist agendas. They could even send direct messages that contain links to malicious websites, all the while disguised as known, credible contacts.
Vulnerabilities in SMS functionality have become increasingly problematic. Text messages are not encrypted by default, so even one-time passwords for two-factor authentication may be intercepted and abused. Merely having someone’s phone number opens the door for hackers to hijack their private accounts, as shown in the case of Twitter.
This entire scandal highlights the role of private security firms like Insinia and the legality of their actions. Godfrey maintains that this attack was not malicious, but rather ethical and necessary to bring the vulnerability to public attention. When considering the importance that Twitter has attained when it comes to addressing the American public, the implications of this vulnerability are immense. Just recently, White House press secretary Sarah Sanders tweeted a doctored video of Jim Acosta. A bad actor could hijack a reputable source with little difficulty, spreading misinformation of much greater consequence. Insinia’s contentious demonstration has paved the way toward constructing additional defenses against such malicious hackers. Twitter has claimed that they have resolved the issue; however, much of the SMS functionality still exists.
Tyler Jang is a first-year majoring in electrical and computer engineering and a member of the Duke Cyber Team.