An online security hacking agency has “hijacked” multiple Twitter accounts in an attempt to comment on online security problems.
On Thursday, the message “This account was temporarily hijacked by Insinia Security” was posted on the Twitter accounts of a number of celebrities, including Eamonn Holmes and Louis Theroux. The tweet also appeared on the Twitter feed of The Independent’s travel correspondent, Simon Calder.
This account is now under the control of @InsiniaSRT. Luckily, this has been H4CK3D to highlight an important vulnerability. The user of this account has NOT lost access to it, no data compromised and is NOT under attack. See how it was done… https://t.co/RL7RscRxjH
— INSINIA SECURITY (@insiniasec) December 27, 2018
A post from Insinia Security on Medium, which explains the hijacking, highlighted the security hazards associated with a Twitter account.
Mike Godfrey, CEO of Insinia Security, confirmed the reason behind the hacking to The Independent, explaining: “For years, Insinia has warned that using text messaging for authentication, interaction or security is totally unacceptable and makes people vulnerable to attack.
“This issue was raised on Twitter in 2007, again in 2009, again in 2011 and almost every year since then. Quite simply; not listening to Twitter. Today’s campaign was to highlight these vulnerabilities, how serious they can be and how people with relatively low skills and a variety of tools can control social media that people use to control their brands, their careers, their images and more. People have a right to know the truth about the state of insecurity that large companies like Twitter leave innocent users in.”
And, according to Godfrey, it was easy to hijack the accounts: “In this case, it was a simple task to ‘spoof’ the Twitter users’ MSISDN (mobile phone number) and to send texts that appeared to be from their phone to Twitter, which will automatically accept commands.” Although Godfrey did not reveal “how these numbers were obtained,” he said that the whole attack “was less than 10 minutes to complete.” The Medium post further explained the extent of the hijacking and the dangers posed by this lack of security.
“We used this method to control the Twitter account targets successfully, allowing us to send DMs, retweets and tweets, follow and unfollow people and much more,” reads the post. According to Insinia Security, this security flaw could lead to the spread of offensive or extremist material and to the spread of false news.
Godfrey told us the best way to protect yourself is to use a “separate TFA (two-factor authentication) number on Twitter.” “People need to understand that even someone with your phone number puts you at risk,” he continued. “We shouldn’t be so relaxed about whom we give our numbers to and Twitter should certainly not let people tweet and control accounts by sending texts without authentication.”