A security flaw on Twitter meant that a London-based cybersecurity firm was able to hijack the accounts of British celebrities, including Louis Theroux and Eamonn Holmes, and tweet on their behalf.
Insinia Security was able to post tweets on celebrity accounts without having to enter a password by using mobile phone number spoofing technology and controlling Twitter accounts via text.
Nowadays, the majority of Twitter users post updates through the platform’s apps or its website. However, it is a little-known fact that the microblogging site still allows users to tweet via SMS, as it has done since the platform’s early days.
Making use of the ‘tweet via text message’ feature and having knowledge of users’ linked phone numbers, Insinia was able to send tweets, retweet and like tweets, follow and unfollow people, and send direct messages.
Insinia has warned that the flaw could be exploited to ruin people’s reputations, spread fake news or offensive material, and distribute malware. Twitter claims that it has now fixed the issue.
“We’ve resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing,” a Twitter spokesperson told The Guardian. “We’ll continue to investigate any related reports to ensure our account security protocols are functioning as expected.”
However, according to a Gizmodo report, Insinia has since been able to reproduce its experiment, proving that the vulnerability has yet to be fixed.