Twitter today is temporarily disabling its Tweeting via SMS feature, after a hacking group abused it to compromise the account of Twitter's CEO, Jack Dorsey. While hijacked, the account posted a series of racist and otherwise offensive tweets to Dorsey's more than 4 million followers.
Dorsey's Twitter account was compromised by a hacker group calling themselves "Chuckling Squad", who took over the phone number associated with the CEO's account and, via SMS, posted offensive messages and bomb threats.
The technique the hackers used is called SIM swapping: social engineering the victim's mobile carrier into transferring the target's phone number to a SIM card the attacker controls. Once the attacker receives calls and texts for that number, any service that treats the sending phone number as proof of identity, as Twitter's SMS tweeting did, will accept messages from the attacker as if they came from the victim. It's worth noting that all verified accounts must have a phone number associated, meaning a lot of high-value accounts were exposed to this attack by default.
The group successfully convinced an AT&T employee to hand them control of Dorsey's phone number. After that, the Chuckling Squad hackers used the 'Tweeting via SMS' feature to post tweets under his username, without ever logging in to his account or knowing his password.
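The weakness described above is that the sending phone number is the entire credential. The following is an added example, not Twitter's code and not something the article reports in detail: a hypothetical SMS gateway handler in its legacy form, which trusts the sender number alone, beside a hardened form in which the number only selects the account and each message must carry an HMAC tag computed with a secret held on the user's device (here a constructed secret in `DEVICE_SECRETS`), plus a counter so replayed messages are rejected. All names, numbers and secrets are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample state (hypothetical): phone numbers linked to accounts, and a
# per-account secret a companion app on the real device would hold. The secret is
# never transmitted over SMS, so a SIM swap alone does not yield it.
LINKED_NUMBERS = {"+15555550100": "ceo_account"}
DEVICE_SECRETS = {"ceo_account": b"constructed-device-secret"}
LAST_COUNTER = {"ceo_account": 0}


def post_tweet_sms_legacy(sender_number, body):
    """Vulnerable design: the sender's phone number is the whole credential.

    Whoever receives SMS for the number (legitimately, or after a SIM swap)
    can post. Returns (account, text) on success, None if the number is unknown.
    """
    account = LINKED_NUMBERS.get(sender_number)
    if account is None:
        return None
    return (account, body)


def tag_for(secret, counter, text):
    """HMAC-SHA256 over counter and text, truncated so it fits in an SMS."""
    msg = f"{counter}:{text}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def compose_authenticated_sms(account, counter, text):
    """What the legitimate device sends: '<counter>:<tag>:<text>'."""
    secret = DEVICE_SECRETS[account]
    return f"{counter}:{tag_for(secret, counter, text)}:{text}"


def post_tweet_sms_authenticated(sender_number, body):
    """Hardened design: the number selects the account, but the message must
    carry a valid tag and a counter higher than the last one accepted.

    Returns (account, text) on success, None on any failure.
    """
    account = LINKED_NUMBERS.get(sender_number)
    if account is None:
        return None
    try:
        counter_s, tag, text = body.split(":", 2)
        counter = int(counter_s)
    except ValueError:
        return None  # malformed: a plain "tweet this" message has no tag
    if counter <= LAST_COUNTER[account]:
        return None  # replay of an already-accepted message
    expected = tag_for(DEVICE_SECRETS[account], counter, text)
    if not hmac.compare_digest(tag, expected):
        return None  # tag forged or computed with the wrong secret
    LAST_COUNTER[account] = counter
    return (account, text)
```

In the legacy handler an attacker holding the swapped number posts immediately; in the hardened handler the same attacker is stopped because the message they can send has no valid tag. The design still depends on the gateway storing a secret that the phone number does not reveal, which is what makes it "authenticated" rather than merely "from the right number".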
Twitter in its early days started as a kind of group SMS tool. Part of its early success was due to the ability to post a tweet simply by sending an SMS message to the company's number from the phone number associated with a user's Twitter account. Use of the feature has dwindled as more people have smartphones and can post over the normal internet connection.
However, the feature still exists, and an unused feature that is neither updated nor monitored is an attractive target. The same SIM swapping method used to take over Dorsey's account has been used several times in the past few months.
In June, Dan Bilzerian, a poker player turned lifestyle influencer, had his Twitter account hacked, leading to posts similar to those on Dorsey's account. More recently, YouTube celebrities including James Charles, Shane Dawson, and Keemstar all fell victim to hacks using the SIM swapping method.
Twitter says it has temporarily disabled the feature and is working on improving it by offering an authenticated way to tweet by SMS. For now the feature is gone, but a Wired story on how to protect yourself from SIM swapping is worth the read.