‘We’re taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication,’ Twitter says.
Twitter is temporarily shutting off the “Tweet via SMS” message feature after hackers likely abused it to hijack CEO Jack Dorsey’s account.
Last Friday, hackers briefly took over the @jack account by tricking Dorsey’s cellular carrier into handing over his mobile phone number.
So far, Twitter hasn’t provided all the details about the break-in. However, getting Dorsey’s phone number alone wouldn’t be enough to hijack his account; it would also require entering the correct password. The hackers appear to have found a way around this obstacle by exploiting the Tweet via SMS feature.
To tweet via SMS, all you have to do is register your mobile phone number with your Twitter account. Then from your smartphone, you can send an SMS message to a special “short code” number (in the US, it’s 40404). In response, Twitter will match the SMS message to your account, and automatically post it as a tweet.
The problem occurs if your mobile phone number falls into the wrong hands. Twitter has no way of knowing that your phone number has been transferred to a hacker. The company’s Tweet via SMS feature simply assumes the original owner is in control of the number, with no safeguard to detect a potential hijacking.
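The trust model described above can be shown in a few dozen lines. The following is an added example, not Twitter’s code: a toy SMS-to-post gateway that, like the feature the article describes, identifies the account purely by the sender number, alongside a hardened variant that adds two hypothetical safeguards (a per-account posting PIN in the message body, and refusing numbers the carrier has reported as recently re-provisioned). The 40404 short code is the one named in the article; the account, phone number and PIN values are constructed.

```python
# Toy model of a Tweet-via-SMS style gateway (constructed example, not Twitter's code).
# It contrasts the trust model the article describes (sender number alone identifies
# the account) with a hardened variant that adds two hypothetical safeguards.
import hmac
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

SHORT_CODE = "40404"  # the US short code mentioned in the article


@dataclass
class Account:
    handle: str
    phone: str                      # number registered for SMS posting / 2FA
    sms_pin: Optional[str] = None   # hypothetical per-account posting PIN
    timeline: List[str] = field(default_factory=list)


class WeakSmsGateway:
    """Posts any message whose sender number is linked to an account.

    This is the assumption the article criticises: once the number is
    transferred to someone else, their texts are posted as the victim."""

    def __init__(self, accounts: Iterable[Account]) -> None:
        self.by_phone: Dict[str, Account] = {a.phone: a for a in accounts}

    def post_via_sms(self, sender: str, to: str, body: str) -> bool:
        if to != SHORT_CODE:
            return False
        acct = self.by_phone.get(sender)
        if acct is None:
            return False
        acct.timeline.append(body)
        return True


class HardenedSmsGateway(WeakSmsGateway):
    """Same lookup, plus two checks the weak gateway lacks:

    1. the body must begin with the account's posting PIN, so possession of
       the number alone is not enough;
    2. numbers the carrier has reported as recently re-provisioned are
       refused until the owner re-verifies (modelled as a deny-set here).
    Both signals are hypothetical; the article does not say Twitter has them."""

    def __init__(self, accounts: Iterable[Account],
                 reprovisioned: Optional[Set[str]] = None) -> None:
        super().__init__(accounts)
        self.reprovisioned: Set[str] = set(reprovisioned or ())

    def mark_reprovisioned(self, number: str) -> None:
        """Record a carrier-side signal that `number` changed hands."""
        self.reprovisioned.add(number)

    def post_via_sms(self, sender: str, to: str, body: str) -> bool:
        if to != SHORT_CODE:
            return False
        acct = self.by_phone.get(sender)
        if acct is None or sender in self.reprovisioned:
            return False
        if not acct.sms_pin:
            return False  # SMS posting stays disabled until a PIN is set
        pin, _, text = body.partition(" ")
        # constant-time compare so the PIN cannot be recovered via timing
        if not text or not hmac.compare_digest(pin, acct.sms_pin):
            return False
        acct.timeline.append(text)
        return True


def run_scenario(gateway_cls):
    """Replay the article's scenario: a number is transferred to an attacker.

    Returns the victim's timeline after the legitimate and hijacked messages."""
    victim = Account(handle="ceo", phone="+15550001111", sms_pin="7319")  # constructed
    gw = gateway_cls([victim])
    # Legitimate owner posts. The weak gateway has no PIN concept and simply
    # posts the whole string; the hardened one strips and checks the PIN.
    gw.post_via_sms(victim.phone, SHORT_CODE, "7319 hello from my phone")
    # The carrier moves the number to the attacker's SIM ...
    if isinstance(gw, HardenedSmsGateway):
        gw.mark_reprovisioned(victim.phone)
    # ... and a text arrives from "the same" number, without the PIN.
    gw.post_via_sms(victim.phone, SHORT_CODE, "account hijacked")
    return list(victim.timeline)


if __name__ == "__main__":
    print("weak    :", run_scenario(WeakSmsGateway))
    print("hardened:", run_scenario(HardenedSmsGateway))
```

The weak gateway posts the second message as the victim, which is the failure the article describes; the hardened gateway refuses it both because the PIN is missing and because the number was flagged as re-provisioned. Neither safeguard is free: a PIN typed into every text is a usability cost, and the carrier signal only exists if carriers expose it, which is the dependency Twitter points to in its statement.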
Complicating the matter, many security-conscious Twitter users register their phone numbers with their accounts to activate two-factor authentication, which ironically is designed to stop account break-ins.
“We’re taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication,” Twitter said on Wednesday. “We’ll reactivate this in markets that depend on SMS for reliable communication soon while we work on our longer-term strategy for this feature.”
The company announced the change hours after actress Chloe Grace Moretz also suffered a Twitter account hijack. The attackers appear to be the same group that took over Dorsey’s account, and go by the name “Chuckling Squad.” They’ve previously claimed to have hijacked several other online accounts belonging to YouTube influencers and celebrities.