Need to get past Twitter's 2FA?

Spoof your target's phone number, and text STOP to Twitter.

EDIT: Supposedly, it's a bit harder to spoof messages to shortcodes (like Twitter's 40404); see replies.

https://www.inforisktoday.com/twitter-two-factor-authentication-has-vulnerability-a-20475 h/t @mjg59

Twitter Two-Factor Authentication Has a Vulnerability

Twitter accounts that use SMS for two-factor authentication are at a heightened risk of account takeover with the disclosure that texting "STOP" to the
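As an added illustration of the design flaw the post describes (this is example code, not Twitter's implementation and not code from anyone in the thread), here is a toy inbound-SMS keyword handler written two ways. A carrier or aggregator hands the service an inbound message as a sender number plus body; the handler has no way to tell whether that sender number was spoofed, so anything it does on "STOP" is done on the strength of an unauthenticated field. The first handler is fail-open: a STOP from the enrolled number unenrols the phone and turns 2FA off, leaving the account password-only. The second is fail-closed: STOP only suppresses delivery to that number, 2FA stays switched on, and switching it off needs a session that has just passed a second factor. The account records, phone numbers, keyword list and the spoofed message are all constructed for the demo.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Opt-out keywords that SMS aggregators commonly honour (assumed set for the demo).
STOP_WORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}


@dataclass
class Account:
    username: str
    phone: str | None
    two_factor_enabled: bool = True
    sms_opted_out: bool = False
    other_factors: set[str] = field(default_factory=set)  # e.g. {"totp"}


@dataclass
class InboundSms:
    from_number: str  # attacker-controlled if the sender ID was spoofed
    body: str


def normalize(number: str) -> str:
    """Keep digits only, so '+1 (555) 010-0100' and '15550100100' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def is_stop(body: str) -> bool:
    return body.strip().upper() in STOP_WORDS


def _match(accounts: dict[str, Account], msg: InboundSms) -> Account | None:
    """The only 'authentication' an inbound SMS carries is its sender number."""
    if not is_stop(msg.body):
        return None
    for acct in accounts.values():
        if acct.phone and normalize(acct.phone) == normalize(msg.from_number):
            return acct
    return None


def handle_stop_fail_open(accounts: dict[str, Account], msg: InboundSms) -> str | None:
    """The behaviour the post describes: STOP unenrols the phone AND turns 2FA off."""
    acct = _match(accounts, msg)
    if acct is None:
        return None
    acct.sms_opted_out = True
    acct.phone = None
    acct.two_factor_enabled = False  # account is now password-only
    return acct.username


def handle_stop_fail_closed(accounts: dict[str, Account], msg: InboundSms) -> str | None:
    """Hardened: STOP only suppresses delivery; the 2FA requirement is untouched."""
    acct = _match(accounts, msg)
    if acct is None:
        return None
    acct.sms_opted_out = True
    return acct.username


def disable_two_factor(acct: Account, step_up_verified: bool) -> bool:
    """Turning 2FA off is a security change: require a session that just passed a second factor."""
    if not step_up_verified:
        return False
    acct.two_factor_enabled = False
    return True


def login_requirement(acct: Account) -> str:
    """What the login flow demands after a correct password."""
    if not acct.two_factor_enabled:
        return "password-only"
    if acct.other_factors:
        return "second-factor:" + sorted(acct.other_factors)[0]
    if acct.sms_opted_out or acct.phone is None:
        return "locked:recovery-required"  # fail closed, not open
    return "second-factor:sms"


def run_demo() -> dict[str, str]:
    """Send the same spoofed STOP to both handlers; return each account's login requirement."""
    spoofed = InboundSms(from_number="+1 (555) 010-0100", body="Stop ")  # constructed message
    open_accts = {"victim": Account("victim", "+15550100100")}
    closed_accts = {"victim": Account("victim", "+15550100100")}
    handle_stop_fail_open(open_accts, spoofed)
    handle_stop_fail_closed(closed_accts, spoofed)
    return {
        "fail_open": login_requirement(open_accts["victim"]),
        "fail_closed": login_requirement(closed_accts["victim"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the fail-closed variant is not that it makes spoofing harder (it does nothing about delivery, which is what @mjg59's reply below is about); it is that an unauthenticated opt-out can at worst lock the legitimate user out of SMS delivery until they recover, rather than silently downgrading the account to password-only for whoever sent the message.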

@r000t I've spoken to some people with more experience of phone networks, and because short codes are only resolved inside the carrier, and because the carrier already knows who you are, spoofing numbers to them should be hard (https://blog.twitter.com/engineering/en_us/a/2012/twitter-and-sms-spoofing actually covers this from a decade ago) - so while this is surprising and there are real risks, it's not an absolute disaster
Twitter and SMS Spoofing

@mjg59 @r000t so instead of being a carrier network level issue it's "just" a risk to SIM jacking or insider threats?
@r000t @mjg59 the international numbers don't use shortcodes, I wonder if anyone has tried that
@r000t @mjg59
Would assume that the "target" also gets that notif? Or another outside of text. Thinking for managed accounts for orgs, paired with a targeted phish to cause mischief. Possibly not a relevant impact depending on where Twitter ends up in social media/brand relevancy.
@r000t @mjg59 Do more people use SMS than security keys or apps? Sad, if true 😔
@dubiago @r000t @mjg59 Short answer: Yes. Too many will opt for the easy option.

@r000t @mjg59 Wonder where else this works? Lots and lots of companies use Twilio for SMS delivery and don’t have short codes. Would be interesting to try this against a few other places.

And, yes, SMS 2FA usage is probably a significant majority of all 2FA. I’ve never seen stats but I would suspect that outside of Enterprise IT systems, it’s probably north of 80%, possibly north of 90% of all 2FA. Sadly, nobody has ever figured out how to make FIDO2 actually work in real consumer scenarios and it wasn’t really even much of a consideration in the FIDO2 plenary discussions. I keep hoping that PassKey is a first step to actually making it usable by ordinary people.