Two security incidents involving Twitter Inc. made the news in the past week. First, Twitter disclosed on its blog Friday that 750 users' accounts had been taken over. Though it did not say how the accounts were compromised, it warned that people should select secure passwords.
In the second incident, Brian Krebs of The Washington Post described in his "Security Fix" column last week a security weakness in Twitter's system for letting people update their accounts by text message from a mobile phone. This "authentication weakness" could be used to post a message under someone else's account, he wrote, though it cannot be used to take over an account. The method, known as spoofing, sends text instructions to Twitter from a phone that has been configured to present the number of a different phone as the sender; because Twitter identifies the sender of a text message by that originating number, the post is attributed to the account registered to it, Krebs wrote. The same trick also works when the text messages are sent from a computer.
U.S. wireless carriers have technology in place to block spoofed numbers, and Twitter requires users in other countries to authenticate themselves with a PIN when making posts by text message.
However, Lance James, a security researcher, found that U.S. accounts could still be posted to with spoofed phone numbers by sending the text instructions to one of Twitter's numbers intended for users in other countries, Krebs wrote; U.S. users are not asked for a PIN when they use those numbers.
Biz Stone, a Twitter co-founder, corrected the issue within hours of learning of it last week, Krebs wrote. However, a March 6 update noted that it was still possible to post to Twitter with spoofed numbers from the United Kingdom and Germany.
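The weakness Krebs describes is easier to see in code. What follows is an added example written for this page, not code from Twitter or from Krebs's column: a toy SMS command gateway whose PIN requirement depends on which inbound number received the message, beside a hardened version whose check does not. The short codes, phone numbers, account handles, the "PIN <digits> <text>" message format and the carrier-filter model are all constructed for the demonstration, and the hardened policy is one way to close the hole, not a description of what Twitter actually changed.

```python
from dataclasses import dataclass, field
from typing import Optional

US_NUMBER = "40404"            # hypothetical US short code
UK_NUMBER = "+447000000001"    # hypothetical long code for users outside the US


@dataclass
class Account:
    handle: str
    phone: str                # number the account trusts for SMS posting
    pin: Optional[str]        # None for accounts that never enrolled a PIN
    posts: list = field(default_factory=list)


@dataclass
class InboundSms:
    sender: str             # originating number as presented to the gateway; spoofable
    recipient: str          # gateway number the message was sent to
    body: str
    spoofed: bool = False   # demo flag: did the attacker forge `sender`?


def carrier_deliver(sms: InboundSms) -> bool:
    """Models the article's claim that US carriers drop spoofed sender IDs on
    the US number; the foreign number gets no such filtering in this model."""
    return not (sms.recipient == US_NUMBER and sms.spoofed)


def parse_pin(body: str):
    """Constructed message format: 'PIN <digits> <text>'. Returns (pin, text)."""
    parts = body.split(" ", 2)
    if len(parts) == 3 and parts[0].upper() == "PIN" and parts[1].isdigit():
        return parts[1], parts[2]
    return None, body


class WeakGateway:
    """Policy keyed on the inbound number: the US number trusts the sender ID
    alone; the foreign number asks for a PIN, but only from accounts that have
    enrolled one, so a PIN-less US account posts from either number."""

    def __init__(self, accounts):
        self.by_phone = {a.phone: a for a in accounts}

    def handle(self, sms: InboundSms) -> str:
        if not carrier_deliver(sms):
            return "dropped by carrier"
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return "rejected: unknown sender"
        pin, text = parse_pin(sms.body)
        if sms.recipient != US_NUMBER and acct.pin is not None and pin != acct.pin:
            return "rejected: bad or missing PIN"
        acct.posts.append(text)
        return f"posted as @{acct.handle}"


class HardenedGateway(WeakGateway):
    """Assumed fix (not necessarily Twitter's): the PIN check never depends on
    which number received the message, and accounts without an enrolled PIN
    cannot post by SMS at all, so a forged sender ID alone is never enough."""

    def handle(self, sms: InboundSms) -> str:
        if not carrier_deliver(sms):
            return "dropped by carrier"
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return "rejected: unknown sender"
        if acct.pin is None:
            return "rejected: SMS posting requires an enrolled PIN"
        pin, text = parse_pin(sms.body)
        if pin != acct.pin:
            return "rejected: bad or missing PIN"
        acct.posts.append(text)
        return f"posted as @{acct.handle}"


def run_scenario(gateway_cls) -> dict:
    """Replay the spoofing attack from the article against a gateway class."""
    alice = Account("alice_us", "+15550001111", pin=None)   # constructed US user, no PIN
    bob = Account("bob_uk", "+447700900123", pin="4242")    # constructed UK user with PIN
    gw = gateway_cls([alice, bob])
    forged_alice = alice.phone
    return {
        # forged US number sent to the US short code: carrier filtering catches it
        "spoof_to_us": gw.handle(InboundSms(forged_alice, US_NUMBER, "pwned", spoofed=True)),
        # same forgery sent to the foreign number: no carrier filter, no PIN asked
        "spoof_to_uk": gw.handle(InboundSms(forged_alice, UK_NUMBER, "pwned", spoofed=True)),
        # legitimate UK user supplying the right PIN
        "bob_with_pin": gw.handle(InboundSms(bob.phone, UK_NUMBER, "PIN 4242 hello")),
        # forged UK number without bob's PIN
        "spoof_bob_no_pin": gw.handle(InboundSms(bob.phone, UK_NUMBER, "pwned", spoofed=True)),
        "alice_posts": list(alice.posts),
        "bob_posts": list(bob.posts),
    }


if __name__ == "__main__":
    for cls in (WeakGateway, HardenedGateway):
        print(cls.__name__, run_scenario(cls))
```

Running the script prints each scenario's outcome for both gateways. The line to notice is "spoof_to_uk": the weak gateway accepts a forged US number on the foreign entry point because the US account never enrolled a PIN, while the hardened gateway rejects it. The broader lesson is that the weak design relied on an external control (carrier-side filtering) that covered only one of several entry points; an authentication decision should not change with the door the request comes through.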