Jonathan Rudenberg, the security consultant and researcher behind the disclosure, has revealed through a post on his website that attackers would only need to know their victims’ phone numbers in order to post tweets. Attackers can also spoof the source number before messages are sent to Twitter.
The researcher has revealed that the vulnerability affects users who have a mobile number associated with their Twitter account but no PIN code set. Rudenberg notes that an attacker can use all of Twitter's SMS commands, including posting tweets and modifying the profile: “All of the Twitter SMS commands can be used by an attacker, including the ability to post tweets and modify profile info.”
Facebook and Venmo were also vulnerable to the same flaw, but they have since resolved or mitigated it, the researcher notes. Twitter, however, has not patched the vulnerability, even though Rudenberg informed the microblogging giant about it on August 17.
Those using the tweet-by-SMS feature are advised either to enable a PIN code (which, again, is available only in the US) or to disable the feature altogether.
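As an added illustration of why the PIN matters (this is not code from the disclosure or from Twitter): a hypothetical inbound SMS command gateway that uses the sender number only to look up the account and refuses to act unless the message carries the account's PIN, because the sender number arrives from the carrier and can be spoofed. The `<PIN> <command> [text]` message format and the account table are assumptions.

```python
import hmac
import re

# Constructed sample data: accounts keyed by the phone number that SMS commands
# arrive from. That number only selects the account; it never proves who sent
# the message, since the source number of an SMS can be spoofed.
ACCOUNTS = {
    "+15551234567": {"user": "alice", "pin": "4921"},  # PIN enabled
    "+15557654321": {"user": "bob", "pin": None},      # no PIN: the vulnerable state
}

# Assumed command format: an optional 4-8 digit PIN, the command, optional text.
COMMAND_RE = re.compile(r"^(?:(?P<pin>[0-9]{4,8})\s+)?(?P<cmd>\S+)(?:\s+(?P<arg>.*))?$")


def handle_sms(sender: str, body: str) -> dict:
    """Decide whether an inbound SMS command may act on an account.

    Returns a dict describing the outcome for the caller to log or act on.
    """
    account = ACCOUNTS.get(sender)
    if account is None:
        return {"status": "rejected", "reason": "unknown sender"}
    m = COMMAND_RE.match(body.strip())
    if not m:
        return {"status": "rejected", "reason": "unparseable command"}
    pin_supplied, cmd, arg = m.group("pin"), m.group("cmd"), m.group("arg")
    if account["pin"] is None:
        # Sender-number-only authentication is exactly the condition the
        # disclosure describes; refuse to act rather than trust the caller ID.
        return {"status": "rejected", "reason": "no PIN configured"}
    if pin_supplied is None or not hmac.compare_digest(pin_supplied, account["pin"]):
        # Constant-time comparison so a wrong PIN is not distinguishable by timing.
        return {"status": "rejected", "reason": "missing or wrong PIN"}
    return {"status": "accepted", "user": account["user"], "cmd": cmd.lower(), "arg": arg}
```

A message starting with digits is ambiguous under this format, so a real gateway would need a fixed PIN position or a separator; the point here is only that the PIN, not the sender number, is the secret.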