Louis Theroux and Eamonn Holmes are among celebrities whose Twitter accounts were used to post tweets after a security company, Insinia, found it could do so on their behalf without entering a password.
Godfrey, of Insinia, was able to post tweets on the celebrities' accounts by spoofing the originating number of a text message, in an attempt to highlight a security flaw in the social network's systems.
“We’ve been warning about this for years,” he said, adding that people could abuse the feature to spread disinformation and ruin the reputations of prominent individuals.
All that is required to post tweets on someone else's behalf is knowledge of the mobile phone number linked to the account and a readily available service that lets the sender set an arbitrary originating number. Godfrey had access to the numbers of several celebrities and journalists as a result of previous appearances in the media to discuss cybersecurity issues.
“We disclosed this to everyone before we did the attack,” he said. “I wouldn’t say they agreed to it, but we informed them that they were susceptible to it. We told Louis Theroux two months ago.”
Although most users post Twitter updates through its website or mobile app, the social network has always allowed people to send updates via text message.
But because the service identifies the sender by nothing more than the originating number, this feature also lets anyone able to spoof a mobile number send commands that the network treats as coming from the account holder.
Through this method, Insinia had the ability to post tweets and send direct messages from Theroux's account using text message commands, without having to enter a password. Because spoofing only forges the origin of outgoing messages, the method does not allow the attacker to read private messages or anything else sent back to the real number.
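The three paragraphs above describe a design in which the originating number of a text message is the entire credential. The following Python model is an added example written for this page; it is not Twitter's code and not anything published by Insinia. The command handling, the number-to-account mapping, the confirmation flow and the phone numbers are all constructed for illustration. It replays the spoofing attack against a caller-ID-only gateway, then against a variant that exploits the one thing a spoofer cannot do, namely receive messages sent to the real number.

```python
import secrets
from dataclasses import dataclass, field

# Constructed example data (UK drama range, reserved for fiction); no real account.
VICTIM_NUMBER = "+447700900001"
VICTIM_HANDLE = "victim_account"


@dataclass
class Sms:
    sender: str   # originating number as presented by the carrier; the sender can forge it
    body: str


@dataclass
class Gateway:
    """Toy SMS-command gateway (hypothetical). phone_to_user maps linked numbers to accounts."""
    phone_to_user: dict
    timeline: list = field(default_factory=list)   # (handle, text) that actually got posted
    outbox: list = field(default_factory=list)     # (to_number, body) delivered to real handsets
    pending: dict = field(default_factory=dict)    # handle -> (code, text awaiting confirmation)

    def handle_caller_id_only(self, msg: Sms) -> str:
        """Vulnerable design: the originating number is the whole credential."""
        user = self.phone_to_user.get(msg.sender)
        if user is None:
            return "ignored: number not linked to any account"
        self.timeline.append((user, msg.body))
        return f"posted as {user}"

    def handle_with_confirmation(self, msg: Sms) -> str:
        """Mitigation: nothing is posted until a one-time code, sent to the number on
        file, is echoed back. A spoofer forges the origin of outbound SMS but does not
        receive replies addressed to the real number, so it never learns the code."""
        user = self.phone_to_user.get(msg.sender)
        if user is None:
            return "ignored: number not linked to any account"
        parts = msg.body.split(maxsplit=1)
        if parts and parts[0].upper() == "CONFIRM":
            supplied = parts[1].strip() if len(parts) == 2 else ""
            pend = self.pending.get(user)
            if pend is not None and secrets.compare_digest(supplied, pend[0]):
                del self.pending[user]
                self.timeline.append((user, pend[1]))
                return f"posted as {user}"
            return "rejected: no pending command or wrong code"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, msg.body)   # a newer command replaces an older pending one
        # Echoing the text back lets the owner spot a prompt they never asked for.
        self.outbox.append((msg.sender, f'To post "{msg.body}" reply: CONFIRM {code}'))
        return "pending: confirmation code sent to the registered handset"


def run_scenario():
    """Replays the attack against both designs and returns what each timeline ends up holding."""
    spoofed = Sms(sender=VICTIM_NUMBER, body="This was posted by SMS spoofing")

    weak = Gateway({VICTIM_NUMBER: VICTIM_HANDLE})
    weak.handle_caller_id_only(spoofed)            # lands on the timeline immediately

    strong = Gateway({VICTIM_NUMBER: VICTIM_HANDLE})
    strong.handle_with_confirmation(spoofed)       # only queued; the code goes to the real phone
    # The attacker never sees strong.outbox, so the best it can do is guess.
    strong.handle_with_confirmation(Sms(VICTIM_NUMBER, "CONFIRM guess"))
    after_attack = list(strong.timeline)           # still empty

    # The genuine owner, who does receive the code, can still post as before.
    strong.handle_with_confirmation(Sms(VICTIM_NUMBER, "Genuine update from my own phone"))
    real_code = strong.outbox[-1][1].split()[-1]   # read off the handset
    strong.handle_with_confirmation(Sms(VICTIM_NUMBER, f"CONFIRM {real_code}"))
    return weak.timeline, after_attack, strong.timeline


if __name__ == "__main__":
    for label, tl in zip(("caller-ID only", "after spoof, with confirmation", "after owner confirms"),
                         run_scenario()):
        print(f"{label}: {tl}")
```

The confirmation step only helps against an attacker who can forge but not receive. Anyone who can also intercept or redirect the victim's SMS (SIM swap, SS7 rerouting) gets the code too, which is the broader point Godfrey makes below: the robust fix is not to let a phone number authorise anything, which in practice means letting users turn SMS commands off entirely.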
“We’ve not had access to their Twitter account, there’s been no data breach element,” said Godfrey, adding that all he posted was a tweet linking to an explanation of the security flaw, in an attempt to raise awareness of the issue and encourage Twitter to close the loophole.
“Is it malicious? We don’t think so. Is it ethical? We think so. They might feel slightly violated, but we made it clear from the beginning that this is not malicious,” he said.
Godfrey said text messaging is not secure and should not be used to verify someone’s identity.
“We should not be using 50-year-old technology. It is massively flawed by design. Even someone completely unskilled could carry [out] this attack within half an hour. This took us 10 minutes,” he said.
The Guardian Tech RSS