First ID Number Spoofing Attacks Against Popular Twitter


Microformat Communications

In case you aren't up on all that is Web 2.0 let me explain "Twitter".

Twitter is a social networking service that allows users to send "updates" (text-based posts, called "tweets", up to 140 characters long) via SMS, instant messaging, e-mail, the Twitter website or any application built using their services.

These updates are displayed on the user's profile page and also instantly delivered to other users who have signed up to receive them. The sender can restrict delivery to members of a circle of friends, or allow delivery to everybody, which is the standard default setting.

Users can receive updates via the Twitter website, instant messaging, SMS, RSS, or through an application. For SMS, currently two gateway numbers are available: one for the USA and a UK number for international use. While the Twitter service itself is free, posting and receiving updates via SMS typically incurs a charge from the wireless carrier- watch your SMS plan carefully! Some people have gotten large bills before they realized how much volume can pass, so if you do use Twitter, or a similar service like Jaiku, you should probably use an "all you can eat" SMS plan.

According to many, and I agree, Twitter is one of the first iterations of the "microblogging" or "nanoblogging" formats- a form of "micro-chunking". This is because the characters are capped to a certain number and the messages are very small. Twitter has caught on like wildfire because it is a very useful service for influence shaping, information gathering and simple communications. Services like this will change the face of the web, since it lowers the bar to communicate and express or influence opinion.

Twitter- The Cool Aspects

1) It doesn't interrupt you like Instant Messaging or VoIP- you can communicate when and where you want.

2) You can communicate from cell phone, PDA, applications, even games or "metaverses" like Second Life have Twitter Heads Up Displays.

3) Simple to use and simple to get rid of those you don't want updates from. You can keep your Twitter stream private too...meaning only "friends" can see them.

The Not So Cool Aspects of Twitter

With the good news comes some bad news. That is simply how greynets roll. I am not touching on privacy concerns, simply security concerns. They are related but different.

1) No "bullet-proof" authentication- at this time it is pretty easy to impersonate someone because of the lack of authentication. There are a number of "popular people" who are not who they say they are. I have been following a bogus "Steve Jobs" for some time now- at least I think it is a bogus Steve Jobs...I don't really know, and I have no way to make sure. Of course- this can happen with IM too, e.g. someone's account is compromised and the attacker spoofs the trusted user. This has been going on for a decade, and the usual cause is a weak password susceptible to brute force attacks.

2) Long web addresses (URLs) are wrapped in redirect or compression services like tinyURL- this by itself is not bad and a perfectly legitimate use- remember "Tweets", as the Twitter messages are known, are capped at 140 characters, so a compression service makes sense. However, since it is a blind redirect, you don't know where you might end up. An attacker could encode a malicious site on the next hop, inject obfuscated Javascript into the header (as we saw with the World Cup case), or someone might link to a site without knowing it has been compromised, or the site might later become compromised. It is not too hard to predict that we might see "Twishing", or phishing via Twitter.

3) As the service gains critical mass it will attract those who seek to exploit the service for gain, mischief or intrusion. This is unfortunate, but history teaches us this almost always happens- where there are people- there will be a few bad apples.
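The blind-redirect problem in point 2 is easiest to see by walking the hop chain before anything is rendered. This is an added example, not code from the post or from Twitter; the redirect table stands in for the `Location` headers a resolver would get from HEAD requests, and the short URLs and hosts are constructed.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the network: URL -> value of its Location header.
# A real resolver would issue HEAD requests with redirects disabled; the table
# lets the example run offline and includes a redirect loop on purpose.
REDIRECTS = {
    "http://short.example/abc": "http://hop.example/r?x=1",
    "http://hop.example/r?x=1": "http://unknown.example/login",
    "http://short.example/loop": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop",
    "http://short.example/ok": "https://www.example.com/post/1",
}

# Constructed allowlist of destinations a reader has decided to trust.
TRUSTED_HOSTS = {"www.example.com"}


def expand(url, fetch_location=REDIRECTS.get, max_hops=5):
    """Follow the redirect chain starting at url without fetching any body.

    Returns (chain, status) where status is "final" when the last URL does
    not redirect, "loop" when a URL repeats, or "too_many_hops".
    """
    chain = [url]
    seen = {url}
    while True:
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain, "final"
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
        if len(chain) > max_hops:
            return chain, "too_many_hops"


def verdict(url):
    """Decide on the link from where it actually lands, not where it appears to go."""
    chain, status = expand(url)
    if status != "final":
        return "block"          # a loop or an endless chain is never worth visiting
    host = urlsplit(chain[-1]).hostname
    return "allow" if host in TRUSTED_HOSTS else "review"
```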

Thanks to the TipsDr who tipped us off to the latest, and a much more sophisticated attack using caller id number spoofing. This is rather alarming since I was looking for the first real attacks to be simple malicious URLs.


For all you people who are just crazy about Twitter, a vulnerability has been posted that will allow you to post to someone else's twitter account. Since twitter uses caller id to authenticate users, it is very easy to post to someone else's account since it is so easy to spoof the caller id number. Fakemytext.com is just one example of a site that will help you do just that.

Read more about the spoof here. I do agree. SMS was never designed to be used for authentication, just as the From: address in e-mail was never designed to be an element to authenticate against.
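To make the point concrete, here is a gateway that trusts the SMS sender number alone next to one that uses the number only to pick the account and demands a per-user PIN in the message body. This is an added example, not Twitter's code; the phone number, username and PIN are constructed, and the PIN is assumed to have been given to the user out of band when the phone was registered.

```python
import hashlib
import hmac

# Constructed account table: sender number -> (username, sha256 of the user's PIN).
# The PIN hash stands in for a secret the service issued when the phone was linked.
USERS = {
    "+15550001111": ("alice", hashlib.sha256(b"7f3a9c").hexdigest()),
}


def post_by_caller_id(sender, body):
    """Weak gateway: the spoofable sender number is the whole proof of identity."""
    if sender in USERS:
        return USERS[sender][0], body
    return None


def post_with_pin(sender, body):
    """Hardened gateway: the sender number selects the account, the PIN proves it.

    The message must read "<pin> <text>". A spoofed caller id without the PIN is
    rejected, which is what the weak version cannot do. The PIN still travels in
    clear text through the carrier, so this addresses spoofing, not interception.
    """
    if sender not in USERS:
        return None
    user, pin_hash = USERS[sender]
    parts = body.split(" ", 1)
    if len(parts) != 2:
        return None
    supplied, text = parts
    supplied_hash = hashlib.sha256(supplied.encode()).hexdigest()
    # Constant-time comparison so timing does not leak how much of the PIN matched.
    if not hmac.compare_digest(supplied_hash, pin_hash):
        return None
    return user, text
```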

In short, proceed with caution- just as you would with any web surfing- never assume communications are 100% safe. Don't click on links, and until phone spoofing is resolved, if it can be, I would keep your numbers close.

Enterprises will probably want to block this emerging type of greynet for intra-company use, and remain guarded if they use it as a marketing, promotional or communications hub. This is a shame since it is a very handy service that has the ability to transform how a company can communicate, but until there are better locks- or an enterprise intranet version- this is just the type of greynet that highly sophisticated users will bring in the door, because it is very useful, used by influentials and highly communicative, and our research shows web traffic moving from simple HTTP to highly communicative traffic.

I imagine as the technology matures and becomes more secure we will see the enterprise adopt similar mechanisms- perhaps replacing the "dark blog". No doubt customers will force the Enterprise to adopt these emerging microformats to some degree. Until then, have fun communicating, but proceed with very real caution. Ensure your I.T. policies are up to date with the high velocity field of "social media"- or simply socializing around media. It is moving at an incredible velocity and shows no signs of letting up.


About this Entry

This page contains a single entry by published on April 24, 2007 5:56 AM.
