STOP: Twitter two-factor verification can be hacked in less than 140 characters

Fans of social media were reassured this week as Twitter finally rolled out two-step verification, ostensibly making the service more secure for its millions of users. Microsoft, Google, and Facebook already offer the feature, and on the surface this looked like a win.

Not so fast. Security researchers at F-Secure are taking a closer look and deem the implementation “not great”. The problem, according to Sean Sullivan, is that “an attacker could use SMS spoofing to disable 2FA if he knows the target’s phone number”.

“The STOP command removes the phone number from the account — and that in turn disables Twitter’s 2FA”, says Sullivan, who did extensive testing on this.
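To make the failure mode concrete, here is a toy model of an inbound-SMS command handler. It is an added example, not code from Twitter, F-Secure or the BetaNews article; the account layout, the UNLINK/CONFIRM flow and the phone number are assumptions. The vulnerable handler acts on STOP from whatever caller ID the carrier presents, which is exactly the field SMS spoofing forges. The hardened one treats STOP as the carrier-mandated notification opt-out only, and will not unlink the enrolled number until it receives a one-time code that was sent to that number, something a sender who only forged the caller ID never sees.

```python
"""Toy model of an inbound-SMS command handler (constructed example, not
Twitter's code). Contrasts a handler that trusts the caller ID with one
that does not let a spoofed STOP unlink the 2FA phone number."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass
class Account:
    user: str
    phone: Optional[str]          # number enrolled for SMS-based 2FA
    sms_2fa: bool                 # login also requires the SMS code
    sms_notifications: bool = True
    pending_unlink: Optional[str] = None   # code awaiting CONFIRM (hardened flow)


@dataclass
class InboundSms:
    sender: str    # caller ID as presented by the carrier; an attacker can spoof it
    body: str


Outbox = List[Tuple[str, str]]   # (destination number, text) the service sends


def account_for(accounts: Dict[str, Account], phone: str) -> Optional[Account]:
    return next((a for a in accounts.values() if a.phone == phone), None)


def handle_sms_vulnerable(accounts: Dict[str, Account], msg: InboundSms,
                          outbox: Outbox) -> str:
    """Trusts the sender ID: STOP unlinks the number and, with it, 2FA."""
    acct = account_for(accounts, msg.sender)
    if acct is None:
        return "unknown number"
    if msg.body.strip().upper() == "STOP":
        acct.phone = None
        acct.sms_2fa = False      # account now falls back to password only
        return "phone removed"
    return "ignored"


def handle_sms_hardened(accounts: Dict[str, Account], msg: InboundSms,
                        outbox: Outbox) -> str:
    """STOP only silences notifications (the carrier opt-out meaning).
    Unlinking requires a one-time code that is sent TO the enrolled number,
    which a sender who merely forged the caller ID never receives."""
    acct = account_for(accounts, msg.sender)
    if acct is None:
        return "unknown number"
    cmd = msg.body.strip().upper()
    if cmd == "STOP":
        acct.sms_notifications = False
        return "notifications off; 2FA unchanged"
    if cmd == "UNLINK":
        acct.pending_unlink = f"{secrets.randbelow(10**6):06d}"
        outbox.append((acct.phone, f"Reply CONFIRM {acct.pending_unlink} to remove this number"))
        return "confirmation sent"
    if cmd.startswith("CONFIRM "):
        supplied = cmd.split(" ", 1)[1]
        if acct.pending_unlink and secrets.compare_digest(supplied, acct.pending_unlink):
            acct.phone, acct.sms_2fa, acct.pending_unlink = None, False, None
            return "phone removed"
        return "bad confirmation"
    return "ignored"


VICTIM_PHONE = "+15555550100"   # constructed sample number


def fresh_accounts() -> Dict[str, Account]:
    return {"victim": Account("victim", VICTIM_PHONE, sms_2fa=True)}


def spoofed_stop_attack(handler) -> Account:
    """Attacker who knows the victim's number forges it as the sender of STOP."""
    accounts, outbox = fresh_accounts(), []
    handler(accounts, InboundSms(sender=VICTIM_PHONE, body="STOP"), outbox)
    return accounts["victim"]


def legitimate_unlink() -> Account:
    """Real owner: send UNLINK, read the code from their own phone, reply CONFIRM."""
    accounts, outbox = fresh_accounts(), []
    handle_sms_hardened(accounts, InboundSms(VICTIM_PHONE, "UNLINK"), outbox)
    code = outbox[-1][1].split()[2]       # owner reads the SMS the service sent
    handle_sms_hardened(accounts, InboundSms(VICTIM_PHONE, f"CONFIRM {code}"), outbox)
    return accounts["victim"]


if __name__ == "__main__":
    print("vulnerable:", spoofed_stop_attack(handle_sms_vulnerable))
    print("hardened:  ", spoofed_stop_attack(handle_sms_hardened))
```

Running the spoofed STOP against the vulnerable handler leaves the victim with no phone and 2FA off; against the hardened handler it only turns notifications off. The design point is that an SMS caller ID is attacker-controlled input, so nothing that weakens authentication should hinge on it alone; the confirmation code is one way to bind the action to possession of the phone, and a real service would also alert the owner in-app and rate-limit UNLINK requests. This is an illustrative design, not a description of how Twitter fixed the issue.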

Read the full article @ BetaNews.com.
