Twitter has temporarily disabled its ‘Tweeting via SMS’ feature after Twitter CEO Jack Dorsey’s account was hijacked last week by a group that abused this feature to send a series of racist and offensive tweets to his followers.
Dorsey’s Twitter account was compromised last week by a hacker group calling itself “Chuckling Squad”, which took over a mobile phone number associated with the CEO’s account and abused this feature to post racist and offensive messages and bomb threats from it via SMS.
SIM swapping is the technique of taking over a mobile phone number associated with someone: attackers social-engineer the victim’s mobile phone provider and trick the telecom company into transferring the target’s phone number to a SIM card the attackers control.
After social-engineering an AT&T employee and gaining control of Dorsey’s phone number, the Chuckling Squad hackers used the ‘Tweeting via SMS’ feature to post tweets under his username without ever logging in to his account.
Twitter offers a feature that lets users post tweets just by sending an SMS message to the company’s number from the registered mobile number associated with their Twitter account.
This feature was popular earlier, when most people relied on phones without an internet connection, and especially in countries where the government imposes Internet blackouts to put an end to protests and revolutions.
The feature still exists and has been misused several times in the past, since it requires no authentication beyond having access to the linked phone number.
However, Twitter has now temporarily disabled the feature and is working on improving it by finding ways to offer it in an authenticated form.
The company states that it is taking this step because of vulnerabilities that mobile carriers need to address and because of its reliance on a linked phone number for two-factor authentication. It also plans to reactivate the feature soon in markets that depend on SMS for reliable communication.