NEWS FROM THE LAB - Friday, May 24, 2013

Twitter's 2FA: SMS Double-Duty Posted by Sean @ 12:40 GMT

Twitter introduced multi-factor login verification on Wednesday. Good news? Well… that depends.

Twitter's initial implementation of two-factor authentication (2FA) relies on SMS.

But… Twitter also uses SMS as a way to send and receive Tweets (making use of SMS for double-duty: social and security). It's possible to "STOP" incoming Tweets via SMS, and that makes sense, because people sometimes end up roaming unexpectedly — and there needs to be a way to stop the SMS feature. Otherwise it could generate a costly bill.

Unfortunately, an attacker could use SMS spoofing to disable 2FA if he knows the target's phone number.

Twitter's SMS 2FA

We've done some testing.

The STOP command removes the phone number from the account — and that in turn disables Twitter's 2FA.

Not great.

But there's an even worse possibility at the moment.

If you don't yet have 2FA enabled, an attacker who gains access to your account via spear phishing could enable it for himself!

All that's required is random phone number and SMS spoofing the word "GO".

Twitter's SMS 2FA

Then the attacker can enable the account's 2FA.

Twitter's SMS 2FA

Then send a message. (The message doesn't contain a confirmation code, so it isn't really needed.)

Twitter's SMS 2FA

And then click "Yes".

Twitter's SMS 2FA

That's it.

No confirmation code is needed to add a number. (Confirmation is required to change the account's associated e-mail address.)

This is what the victim will see — even if they reset the account's password.

Twitter's SMS 2FA

The victim will be locked out, and cannot recover the account without Twitter's support.

So… perhaps you should enable your account's 2FA — before somebody else does it for you.

Fortunately, the majority of Twitter users aren't big targets. Unfortunately, accounts such as @AP are. And Twitter's SMS-based 2FA could be more harm than help when the use case is a dedicated attacker.

Twitter's blog post says "this feature has cleared the way for us to deliver more account security enhancements in the future."

Let's hope so.

Updated to add: some good news (maybe).

According to this December 2012 article by Lucian Constantin, Twitter's back end doesn't allow commands to be sent via long code if the phone number's operator is known to Twitter and provides short code support. And it shouldn't be possible to spoof the origin number to a short code.

So it shouldn't be possible to issue the "STOP" command to your phone, if your operator supports Twitter's short code. However, it is still quite possible for an attacker to add his phone to your account if it's compromised via phishing.

Twitter's 2FA doesn't require multi-factor confirmation to enable. Anybody with the password can easily add a phone number.