Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
SMS Vulnerability in Twitter, Facebook, and Venmo (titanous.com)
42 points by Titanous on Dec 3, 2012 | hide | past | favorite | 11 comments


Right now, most people use Tent to share short 256 character long status posts with friends. Many independent developers are building other apps that use the Tent protocol.

The author should disclose if his start-up potentially competes with Twitter.


I agree, but I don't think it matters too much. He has reported it responsibly. Now, if he had come out with a "zero-day" report, then his competing status would be highly germane.

It was probably because of this competing (experimenting with feature sets, etc) that he found the issue in the first place.


You can spoof sender information even when you're running through a shortcode gateway, so short of requiring some sort of authentication on every transaction, there's no real way around this.

Just like email, you should never trust the remote identity.


That's really the gist of this.

I still (it's 2012!) can amaze/scare/shock people by sending mails as their so/dad/uncle/lover/boss. SMS is just the same and for just the same reasons it's 'okay' (the usual use case is beneficial: I might want to send mail and define the from header. I really might want to send a text message from a website that looks like it came from my mobile, and leads replies to end up on it).

Can we solve this at all?




best and scariest quote of the post

  Twitter has a PIN code feature that requires every message to be prepended with a four-digit alphanumeric code. This feature mitigates the issue, but is not available to users inside the United States.
So they fixed the problem... but are withholding the fix from tons of users?


Or it's specific the phone technology? Maybe the European protocols have authentication built-in.



You can spoof outbound numbers for voice or sms.

As I've said previously, phone number is not identity and confusing the two is foolish.

What'sApp uses your phone number as the username and your IMEI backwards as the password, so I'd say they're a tad more insecure than even these folks.


Twitter has a huge engineering department. I just don't know what they do.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: