High Profile Twitter Account Hijacked By Security Firm
They've done it again several high-profile Twitter accounts have been briefly hijacked to expose alleged flaws in the service.
The accounts of Eamonn Holmes, Louis Theroux and several others briefly showed messages saying they had been taken over by Insinia Security.
In a blog, the firm said it managed the feat by analysing the way Twitter handles messages posted by phone.
Knowing a person's phone number could let attackers send messages from accounts they do not control, it said.
It recommends that Twitter users remove their phone number from their accounts as a precaution.
Other celebrities whose accounts it temporarily hijacked included the travel journalist Simon Calder and the TV presenter Saira Khan.
Insinia said it had repeatedly warned about the problem in the past.
But it has faced criticism for its latest attempt to publicise the issue.
Mr Calder confirmed to the BBC that the attack had been done without his permission and described it as a "tedious" and "annoying" experience that had left him feeling unimpressed.
One cyber-security expert said it would be normal practice for researchers to carry out such a "proof of concept" by hacking their own accounts or those of co-operating volunteers, not unaware members of the public.
"Interfering with many people's accounts in this way is irresponsible," said Prof Alan Woodward from the University of Surrey.
"As frustrating as it might be for the researchers in question when Twitter maintain this functionality that can be abused, unauthorised interference with accounts is unacceptable."
Another expert added that such action could be a breach of the Computer Misuse Act.
Professor Peter Sommer from Birmingham City University said some cyber-security professionals had lobbied to allow unauthorised access in special circumstances, for example to improve security," said Peter Sommer from Birmingham City University.
"But at the moment the only exceptions are for the police and intelligence agencies."
Mike Godfrey, chief executive of Insinia, said his firm had only "passive interaction" with the Twitter accounts it targeted and denied it had broken the law.
"Nothing has been maliciously hacked," he told the BBC.
"We have not had access to any Twitter account and have not seen any of their direct messages.
"There's nothing unethical or irresponsible about what we did."
Another cyber-security company that discussed the same Twitter vulnerability earlier this month noted that when it hijacked Computer Weekly's Twitter account it did so with the magazine's permission.
Remote attack
Insinia's spoofed messages read: "This account has been temporarily hijacked by Insinia Security." They appeared on the targeted accounts late on 27 December.
Insinia reassured victims of its demonstration in a tweet saying "The user of this account has not lost access to it, no data compromised and is not under attack".
In its blog, Inisina explained that it had managed to inject its messages onto the targeted accounts by analysing the way the social network interacted with smartphones when messages are sent.
🙏 ```Good day chums```
_Digital Marketer 💹_
Gift cards💳 (ITunes and the likes) We buy
```🌹Web designs🌹👨💻 at affordable price```
We place Ads📢🌏
_We can help you reach people of all sort_
```☠Penetration Testing ☠```
We find solutions to:
_Hardware & Software_
Problems
Its all about tech👌
Dales got your back
Call me +2348135901193
Knowledge about this process, coupled with publicly available information on Twitter's text message policies and a target's phone number allowed the security firm to post messages that appeared to come from the account's real owner.
Inisina has called on Twitter to issue a fix saying the vulnerability could be exploited to send fake news or spread disinformation.
Additionally, it said, the shortcomings could be used to "send direct messages to trusted contacts in the victim's network to socially engineer people into clicking links that will install advanced malware to remotely control devices".
Anyone worried that they might fall victim to this kind of spoofing attack should remove their phone number from their Twitter account, it added.
Article first published in BBC
Your experience matters to us don't forget to comment.
Please remember to share with family and friends.
Click here to join my telegram channel for more updates on tech, science news, browsing tricks and latest news
Click here to join our WhatsApp group 2 for the latest updates about browsing tricks and news
No comments:
Post a Comment