Twitter today finally decided to temporarily disable a feature called ‘Tweeting via SMS’ after a hacking group abused it last week to compromise Twitter CEO Jack Dorsey’s account and send a series of racist and offensive tweets to Dorsey’s followers.
Dorsey’s Twitter account was compromised last week when a hacker group calling itself “Chuckling Squad” took over the mobile phone number associated with the CEO’s account and abused this particular feature to post racist, offensive messages and bomb threats from it via SMS.
Taking over a mobile phone number associated with someone else is a technique known as “SIM swapping,” in which attackers social engineer the victim’s mobile phone provider and trick the telecom company into transferring the target’s phone number to a SIM card they control.
Once they had social engineered an AT&T employee and gained control of Dorsey’s phone number, the Chuckling Squad hackers used the ‘Tweeting via SMS’ feature to post tweets under his username without ever logging in to his account.
For those unaware, Twitter has a feature that lets users post a tweet from their account just by sending an SMS message to the company’s number from the mobile number registered with their Twitter account.
Twitter CEO Jack Dorsey’s Twitter Account Got Compromised!
Twitter says the phone number associated with the account was compromised due to a security oversight by the mobile provider, allowing an unauthorized person to compose and send tweets via text message from the phone number
— The Hacker News (@TheHackersNews) August 31, 2019
This feature was once the most popular way to use Twitter in its early days, when most people relied on phones with no internet connection, and especially in countries where governments impose Internet blackouts to quell protests and revolutions.
However, the feature still exists and has been misused several times in the past, since no authentication is required beyond having access to the linked phone number.
In a series of tweets published today, Twitter said it has temporarily disabled this feature and is working on improving it by exploring options to offer an authenticated way to use it.
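As an added illustration of that point (not code from Twitter or this article), the following constructed Python model shows why a phone number is an identifier rather than a credential: a gateway that trusts the sending number alone accepts posts from whoever the carrier has just moved the number to, while a hypothetical variant that also demands an HMAC tag made with a secret provisioned in the app does not. All names, numbers and the hardening scheme are assumptions made for the example.

```python
import hmac

# Constructed toy model of the trust relationships the article describes: the carrier
# decides which SIM holds a number, the gateway decides whose account a text may post from.

class Carrier:
    def __init__(self, assignments):
        self.number_of_sim = dict(assignments)       # sim id -> phone number
    def sim_swap(self, number, new_sim):
        """Port a number to a different SIM: the effect of a successful SIM swap."""
        self.number_of_sim = {s: n for s, n in self.number_of_sim.items() if n != number}
        self.number_of_sim[new_sim] = number
    def number_for(self, sim):
        return self.number_of_sim.get(sim)

class NumberOnlyGateway:
    """Posts for whichever account is linked to the sending number; the number is
    the only credential, which is the weakness the article describes."""
    def __init__(self, carrier, linked):
        self.carrier, self.linked = carrier, linked   # linked: number -> account
    def handle(self, from_sim, body):
        account = self.linked.get(self.carrier.number_for(from_sim))
        return (account, body) if account else None

class SecretBoundGateway(NumberOnlyGateway):
    """Hypothetical hardening: each message must carry an HMAC tag made with a per-account
    secret provisioned in the app, so holding the phone number alone is not enough."""
    def __init__(self, carrier, linked, keys):
        super().__init__(carrier, linked)
        self.keys = keys                              # account -> secret bytes
    def handle(self, from_sim, body):
        account = self.linked.get(self.carrier.number_for(from_sim))
        if not account or " " not in body:
            return None
        tag, text = body.split(" ", 1)
        return (account, text) if hmac.compare_digest(tag, mac(self.keys[account], text)) else None

def mac(key, text):
    """Short HMAC-SHA256 tag the genuine app prepends to each outgoing text."""
    return hmac.new(key, text.encode(), "sha256").hexdigest()[:16]

def demo():
    carrier = Carrier({"sim-owner": "+15550000001"})               # constructed sample
    linked, keys = {"+15550000001": "ceo"}, {"ceo": b"secret-provisioned-in-app"}
    weak, strong = NumberOnlyGateway(carrier, linked), SecretBoundGateway(carrier, linked, keys)
    before = (weak.handle("sim-owner", "hi"), strong.handle("sim-owner", mac(keys["ceo"], "hi") + " hi"))
    carrier.sim_swap("+15550000001", "sim-other")   # the number now answers to another SIM
    after = (weak.handle("sim-other", "not me"), strong.handle("sim-other", "not me"))
    return before, after
```

Before the swap both gateways accept the owner's text; afterwards the number-only gateway still posts as "ceo" for the new SIM, while the secret-bound one rejects it.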
“We’re taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication (we’re working on improving this),” the company said.
“We’ll reactivate this in markets that depend on SMS for reliable communication soon while we work on our longer-term strategy for this feature.”
However, the company has not provided any timeline for reactivating the feature.
Dorsey is not the only person to fall victim to a SIM swapping attack in recent days. Other victims whose accounts have recently been compromised by Chuckling Squad include actress Chloë Grace Moretz and a number of social media influencers with large followings.