Both Twitter and Jott authenticate users by their phone number. Twitter does this by trusting the sender address of SMS messages sent to its short code 40404 (US), and Jott does this by trusting the incoming Caller ID when someone calls 877-568-8486. Both of these values are chosen by the sending party and can be set arbitrarily through commercial spoofing services. From a security perspective this means the following:
- Anyone who knows your phone number can update your Twitter page by spoofing an SMS message, i.e. post a Twitter entry as you.
- Anyone who knows your phone number can spoof his or her Caller ID to send a Jott message as you.
I tested the Twitter vulnerability by doing the following:
- I registered at fakemytext.com, an SMS spoofing service.
- Since the fakemytext.com service is based in the UK, I went through the Twitter FAQ and noted their UK-based SMS number: +44-7781-488126.
- I sent the following SMS via fakemytext.com to +44-7781-488126 with the "From" number set to my phone number: "Testing via http://www.fakemytext.com/ . This better not work!"
- I checked my Twitter page, and sure enough, it was updated with the above SMS message. This means that anyone who knows a Twitter user's cell phone number can update that person's Twitter page.
I tested the Jott vulnerability by doing the following:
- I registered at jott.com for a free account.
- When jott.com asked me to call 1-877-568-8486 to register my phone, I called that number from a friend's phone instead. I used spoofcard.com to initiate the call and had it spoof my cell phone number.
- Jott looked at the caller ID of the incoming call and validated me even though I was calling from another phone. This means that anyone who has a Jott user's cell phone number can send Jott messages as that user.
At first glance, many people are extremely cynical about the Twitter service - why would you want to keep up with mundane updates on your friends' daily lives? Regardless, Twitter is becoming extremely popular (Twittervision can keep me entertained for hours) all around the world. People are increasingly relying on the service to keep up with current events, and there has also been some discussion of extending a service like Twitter to alert a group of people about life-threatening events.
I have let the folks at Twitter know about this security issue - they sent me an email a few days ago to let me know they are looking into it. The solution is quite simple: have the user register a PIN and require that PIN to precede every SMS sent to Twitter, so that knowing a phone number is no longer enough to post. The PIN has to be checked on every message, not just at registration, because the sender address of any individual message can be spoofed. Because the solution comes at the expense of usability, Twitter will have to make a business decision on whether this issue needs to be mitigated. In other words, Twitter will have to weigh the security risk of this issue against the impact on the ease of use of their service.
Since the purpose of Jott is to notify people of important events, the Caller ID spoofing issue is a must-fix in their case. I have let Jott know of this issue as well. My proposed solution for Jott is the same: have the user register a PIN and enter it when calling 1-877-568-8486 from their phone, so that Caller ID is used only to look up the account and never on its own to authenticate the caller.
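To make the two PIN proposals above concrete, here is an added example (my own illustration, not Twitter's or Jott's code) of an inbound-message handler in both forms: the vulnerable version that accepts whatever sender identity the message claims, and the hardened version that treats the sender address or Caller ID purely as an account lookup key and authenticates with a registered PIN. The user table, phone numbers, the "4 to 8 digit PIN followed by a space" message format, and the PBKDF2 parameters are all assumptions made for the example.

```python
"""Inbound SMS / voice handler: trust-the-sender (vulnerable) vs PIN-authenticated (hardened).

Added example; the user table and message format are constructed for illustration.
"""
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Constructed sample user table: phone number -> account data.
# The hardened handlers additionally expect a salted PIN hash per user.
USERS = {
    "+15555550123": {"handle": "alice"},
}


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the PIN (parameters are assumptions, not the services' own)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 50_000)


def register_pin(phone: str, pin: str) -> None:
    """Enrolment step: store a per-user salt and PIN hash, never the PIN itself."""
    salt = os.urandom(16)
    USERS[phone]["pin_salt"] = salt
    USERS[phone]["pin_hash"] = _hash_pin(pin, salt)


def vulnerable_handle_sms(sender: str, body: str) -> Optional[Tuple[str, str]]:
    """Authenticate by the SMS sender address alone.

    This is the behaviour described in the post: a spoofed 'From' number is
    enough to post as the victim. Returns (handle, text) to post, or None.
    """
    user = USERS.get(sender)
    if user is None:
        return None
    return (user["handle"], body)


# Assumed message format for the hardened version: "<4-8 digit PIN> <update text>".
PIN_PREFIX = re.compile(r"^\s*(\d{4,8})\s+(.*)$", re.DOTALL)


def _pin_matches(user: dict, pin: str) -> bool:
    """Constant-time comparison of the candidate PIN hash against the stored one."""
    if "pin_hash" not in user:
        return False  # no PIN enrolled: refuse rather than fall back to sender trust
    candidate = _hash_pin(pin, user["pin_salt"])
    return hmac.compare_digest(candidate, user["pin_hash"])


def hardened_handle_sms(sender: str, body: str) -> Optional[Tuple[str, str]]:
    """Use the sender address only to find the account; the PIN prefix authenticates.

    A spoofed sender without the PIN, or with a wrong PIN, is rejected. The PIN
    is stripped before the text is posted so it never appears on the page.
    """
    user = USERS.get(sender)
    if user is None:
        return None
    m = PIN_PREFIX.match(body)
    if not m:
        return None
    pin, text = m.group(1), m.group(2)
    if not _pin_matches(user, pin):
        return None
    return (user["handle"], text)


def hardened_handle_call(caller_id: str, dtmf_pin: str) -> Optional[str]:
    """Voice equivalent for the Jott case: Caller ID looks up the account,
    the digits keyed in on the call authenticate. Returns the handle or None."""
    user = USERS.get(caller_id)
    if user is None:
        return None
    if not _pin_matches(user, dtmf_pin):
        return None
    return user["handle"]
```

Two caveats a practitioner would add: the PIN travels in the clear inside the SMS body or as touch-tones on the call, so this defeats header and Caller ID spoofing by someone who only knows the number, not an attacker who can also read the victim's messages or listen to the call; and the handlers should be rate-limited per account so the PIN cannot simply be guessed by sending many spoofed messages.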
It's not just Twitter and Jott that are susceptible to these issues. Unfortunately, I've come across cell phone companies, credit card companies, and even banks that rely on Caller ID information to authenticate their customers. Because it is so easy to spoof Caller ID, Caller ID information should never be trusted to authenticate users, and many financial institutions have learnt this the hard way.
Given the popularity of Twitter, similar phone+IM+email mash-up services are likely to be created in the very near future. I sincerely hope these services realize the implications of authenticating users based on incoming SMS headers and Caller ID information.