Twitter's two-factor authentication is easy to work around

Twitter's implementation of two-factor authentication is easy to get around, a security company reports. An attacker would only need to know the target's phone number and be able to send spoofed SMS messages.

Twitter's recently announced two-factor authentication relies entirely on SMS, and that is also the Achilles' heel of the system, according to research from F-Secure. An attacker needs to know the phone number that the user has set for two-factor authentication. An SMS message with the word “stop” must then be sent to Twitter from that phone number, after which two-factor authentication is disabled immediately.

To be able to send the SMS message from the user's phone number, the attacker must be able to spoof SMS messages. That is relatively simple: ready-made software exists that makes it possible, and there are websites that offer SMS spoofing as a service.

Incidentally, two-factor authentication is not yet available for Dutch and Belgian Twitter users. With two-factor authentication, a second code must be entered at login in addition to the password; that code is either generated by a smartphone app or sent via text message. Twitter is the only major social networking site that does not support generating the codes with an app.