SMS Vulnerability in Twitter, Facebook, and Venmo - Titanous
http://titanous.com/posts/twitter-facebook-venmo-sms-spoofing

======
badclient
_Right now, most people use Tent to share short 256 character long status
posts with friends. Many independent developers are building other apps that
use the Tent protocol._

The author should disclose if his start-up potentially competes with Twitter.

~~~
SoftwareMaven
I agree, but I don't think it matters too much. He has reported it
responsibly. Now, if he had come out with a "zero-day" report, then his
competing status would be highly germane.

It was probably because of this competing (experimenting with feature sets,
etc) that he found the issue in the first place.

------
adrianpike
You can spoof sender information even when you're running through a shortcode
gateway, so short of requiring some sort of authentication on every
transaction, there's no real way around this.

Just like email, you should never trust the remote identity.

~~~
darklajid
That's really the gist of this.

I still (it's 2012!) can amaze/scare/shock people by sending mails as their
so/dad/uncle/lover/boss. SMS is just the same and for just the same reasons
it's 'okay' (the usual use case is beneficial: I might want to send mail and
define the from header. I really might want to send a text message from a
website that looks like it came from my mobile, and leads replies to end up on
it).

Can we solve this at all?

------
kashiparekh
Almost two years ago:
[http://www.ahmedabadmirror.com/article/3/2010112520101125021...](http://www.ahmedabadmirror.com/article/3/20101125201011250211352165d14fe53/Who-updated-your-Facebook-status.html)

------
sgtpepper
I thought this sounded familiar:

[http://www.oreillynet.com/onlamp/blog/2007/04/twitter_and_jo...](http://www.oreillynet.com/onlamp/blog/2007/04/twitter_and_jott_vulnerable_to.html)

[http://voices.washingtonpost.com/securityfix/2009/03/twitter...](http://voices.washingtonpost.com/securityfix/2009/03/twitter_security_h.html)

------
snoble
best and scariest quote of the post

    Twitter has a PIN code feature that requires every message to be prepended with a four-digit alphanumeric code. This feature mitigates the issue, but is not available to users inside the United States.

So they fixed the problem... but are withholding the fix from tons of users?
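As an added illustration of the mitigation the quoted line describes (this is not code from the post, from Twitter, or from anyone in the thread), here is an inbound-SMS handler in which the sender number only selects the candidate account and a per-account PIN prefix is what actually authenticates the message, so a text with a spoofed sender number but no valid PIN is rejected. It also covers adrianpike's point above that, as with email, the remote identity on an SMS must not be trusted on its own. The account registry, phone numbers and PINs are constructed sample data, and the `require_pin` switch is a hypothetical flag that exposes the legacy sender-only path for comparison.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed registry: phone number -> account record.  Hypothetical data,
# not anyone's real accounts.  A real deployment would store a salted hash of
# the PIN rather than the plaintext.
USERS = {
    "+15550001111": {"username": "alice", "pin": "A7K2"},
    "+15550002222": {"username": "bob", "pin": None},  # PIN feature not enabled
}

# Four alphanumeric characters, whitespace, then the message text.
PIN_RE = re.compile(r"^([A-Za-z0-9]{4})\s+(.*)$", re.DOTALL)


@dataclass
class Result:
    accepted: bool
    reason: str
    username: Optional[str] = None
    text: Optional[str] = None


def handle_inbound_sms(sender: str, body: str, require_pin: bool = True) -> Result:
    """Decide whether an inbound SMS may post as the account tied to `sender`.

    The sender number arrives from the carrier or gateway and can be spoofed,
    so it is used only to look up the candidate account.  When `require_pin`
    is set, the PIN prefix in the body is the only thing that authenticates.
    """
    user = USERS.get(sender)
    if user is None:
        return Result(False, "unknown sender")

    if not require_pin:
        # Legacy behaviour: trust the sender number alone.  This is the
        # spoofable path the thread describes; kept only for comparison.
        return Result(True, "trusted sender number (no PIN)", user["username"], body)

    if user["pin"] is None:
        # Fail closed: without a PIN there is nothing to authenticate against.
        return Result(False, "PIN not enabled for account; refusing SMS posting")

    m = PIN_RE.match(body)
    if not m:
        return Result(False, "missing PIN prefix")
    supplied, text = m.group(1), m.group(2)

    # Constant-time comparison; case-folding keeps "a7k2" and "A7K2" equivalent.
    if not hmac.compare_digest(supplied.upper().encode(), user["pin"].upper().encode()):
        return Result(False, "wrong PIN")
    return Result(True, "PIN verified", user["username"], text)


if __name__ == "__main__":
    # Spoofed sender number, no PIN: rejected.
    print(handle_inbound_sms("+15550001111", "I am leaving the company today"))
    # Same sender with the correct PIN prefix: accepted, prefix stripped.
    print(handle_inbound_sms("+15550001111", "A7K2 lunch at noon?"))
```

The key design point is that the PIN is bound to the account rather than to the phone number: whoever forges the sender field still has to know the account's PIN, and the compare is constant-time so the check does not leak which characters matched.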

~~~
patmcguire
Or is it specific to the phone technology? Maybe the European protocols have
authentication built-in.

~~~
Titanous
No, there's no phone tech going on here:
[https://support.twitter.com/groups/34-apps-sms-and-mobile/to...](https://support.twitter.com/groups/34-apps-sms-and-mobile/topics/153-twitter-via-sms/articles/20169928-how-to-use-pins-with-sms)

------
josh2600
You can spoof outbound numbers for voice or sms.

As I've said previously, phone number is not identity and confusing the two is
foolish.

WhatsApp uses your phone number as the username and your IMEI backwards as
the password, so I'd say they're a tad more insecure than even these folks.

------
badclient
Twitter has a huge engineering department. I just don't know what they do.