A British cyber-security specialist has been condemned by fellow industry professionals after his company demonstrated weaknesses in Twitter’s security by hacking in to celebrity accounts.
The attacks on accounts owned by the documentary maker Louis Theroux and TV and radio presenter Eamonn Holmes occurred on 27 December. In the attacks, Insinia Security posted a message claiming to have taken over their accounts temporarily to "highlight an important vulnerability".
Other accounts that were attacked were journalist Simon Calder and presenter Saira Khan. Calder told the BBC that he had not authorised the attack which he described as "tedious" and "annoying".
Insinia CEO Mike Godfrey has written about the attacks and the research which led up to them in a post on Medium. He said that the demonstrations followed seven years of research and warnings about vulnerabilities in text messaging and cell networks which had largely fallen on deaf ears.
In March, Insinia were featured in a story about SMS hacking in the Telegraph in which it demonstrated the vulnerabilities by sending fake messages to the journalist’s phone – with her permission.
SMS is widely used for two-factor authentication (2FA) despite persistent warnings from security researchers that it is not secure due to SIM hijacking attacks. In the US, a cryptocurrency investor is suing telecoms provider AT&T claiming he lost £19 million after a company agent was able to gain access to his mobile phone account and intercept a 2FA message.
The attack itself was quite simple: Godfrey used mobile numbers of the celebrities, which he had obtained through various means including previous contacts with them. He then used SMS spoofing tools to send messages to Twitter purporting to be from the mobile numbers.
Twitter provides a number of legacy tools, dating from the early days of the site, that allow users to post messages and control their account via text message.
Insinia said that with this level of control, hostile actors could ruin reputations of people and organisations by posting offensive messages, send direct messages to other users which include links to phishing sites and Trojans and harass or blackmail victims.
It also claimed it would be possible to enumerate and harvest valid Twitter accounts.
Kevin Beaumont, a security researcher, criticised Insinia, saying the message was "companies can openly flout the Computer Misuse Act…"
I think the message here is UK cyber companies can openly flout the Computer Misuse Act to hack celebrities because it’s only being applied to teenagers. https://t.co/DDSOqJLG7Z— Kevin Beaumont (@GossiTheDog) December 29, 2018
Prof Alan Woodward from the computer science department at the University of Surrey said it is standard practice in situations like this to hack one’s own account.
"Interfering with many people's accounts in this way is irresponsible," Woodward said. "As frustrating as it might be for the researchers in question when Twitter maintain this functionality that can be abused, unauthorised interference with accounts is unacceptable."
A Twitter spokesperson told the Guardian that the issue had been fixed: "We’ve resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing. We’ll continue to investigate any related reports to ensure our account security protocols are functioning as expected."