STOP: Twitter two-factor verification can be hacked in less than 140 characters
Fans of social media were reassured this week as Twitter finally rolled out two-step verification, ostensibly making the service more secure for its millions of customers. This is a feature that other major companies like Microsoft, Google, and Facebook have already implemented, and on the surface it seemed a victory.
Not so fast. Security researchers at F-Secure are taking a closer look and deem the implementation "not great". The problem, according to Sean Sullivan, is that "an attacker could use SMS spoofing to disable 2FA if he knows the target's phone number".
"The STOP command removes the phone number from the account -- and that in turn disables Twitter's 2FA", says Sullivan, who did extensive testing on this.
The problem is this: Twitter uses SMS as a way to send and receive Tweets. The social network also makes use of SMS for its new authentication service. However, in a statement BetaNews received from Mr. Sullivan, it is pointed out that "Microsoft uses SMS for 2FA, but Twitter is trying to have its cake and eat it too: social security. Twitter added 2FA SMS, but *didn't* adjust how it uses SMS for Tweeting".
Sullivan went on to also point out that "Facebook confirms with a code when you add a phone and it shifted focus from posting status messages via SMS a few years ago". He wraps up his statement by explaining "Microsoft, Google, and Facebook all have account recovery processes. Twitter has just a password reset page. Nothing else. No security words. Nothing".
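To make the flaw concrete, here is an added toy model (not Twitter's, F-Secure's or BetaNews' code) of an inbound SMS command handler: the naive version trusts a STOP message on the strength of the spoofable sender number and silently removes the 2FA phone, while the hardened version follows the confirm-with-a-code pattern Sullivan credits to Facebook. The `Account` class, handler names and phone numbers are all constructed for the example.

```python
# Added example: naive vs. hardened handling of an inbound SMS "STOP" command
# on an account whose linked phone doubles as the SMS second factor.
# Account model, phone numbers and function names are constructed.
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class Account:
    handle: str
    phone: Optional[str]
    two_factor_sms: bool
    pending_unlink_code: Optional[str] = None


def is_2fa_enforced(acct: Account) -> bool:
    # SMS 2FA only protects the login while a phone is still linked.
    return acct.two_factor_sms and acct.phone is not None


def handle_stop_naive(acct: Account, sender: str) -> None:
    # Behaviour described in the article: STOP is trusted on the basis of the
    # inbound sender number alone (which can be spoofed), and the phone is
    # unlinked without checking whether it is an active second factor.
    if acct.phone == sender:
        acct.phone = None


def handle_stop_hardened(acct: Account, sender: str) -> str:
    # Hardened: a phone enrolled as a second factor is never removed by an
    # inbound message. A one-time code is sent *to* the linked phone, so a
    # forged inbound sender gains nothing; the user must enter it in an
    # authenticated web session before the number is unlinked.
    if acct.phone != sender:
        return "ignored"
    if is_2fa_enforced(acct):
        acct.pending_unlink_code = secrets.token_hex(4)  # delivered out of band
        return "confirmation_required"
    acct.phone = None  # plain Tweet-by-SMS subscription, safe to drop
    return "unlinked"


def confirm_unlink(acct: Account, code: str) -> bool:
    # Called from an authenticated session, never from the SMS channel.
    expected = acct.pending_unlink_code
    if expected is None or not secrets.compare_digest(expected, code):
        return False
    acct.phone = None
    acct.pending_unlink_code = None
    acct.two_factor_sms = False  # the user has explicitly opted out
    return True
```

The naive handler leaves `is_2fa_enforced` false after a single unauthenticated STOP; the hardened one keeps the factor in place until the out-of-band code is presented.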
Twitter, in the course of its announcement, points out this feature is a means of paving the way for future security enhancements. Perhaps those will be better implemented than what has rolled out this week.