Two-step Twitter authentication easily circumvented

Posted: May 28, 2013 in IT Security News

Immediately after Twitter launched two-step authentication on its site, researchers noticed an odd activation procedure.

It is enough to enter a phone number on the site and click "OK". The code that Twitter sends to that phone to confirm the number was entered correctly does not even have to be typed in. The same applies when the service is removed.

Sean Sullivan of F-Secure has published an article describing the vulnerabilities in Twitter's two-step authentication and possible attack scenarios.

The weakness of Twitter's two-step authentication is that it is enabled and removed together with the older service that delivers tweets to your mobile phone by SMS. That service has long been known to be easy to abuse through SMS spoofing: send an SMS containing the word STOP to Twitter's number in the relevant country, with the victim's phone number forged as the sender, and the victim's two-step authentication is switched off along with it.

Sullivan successfully tested the method described above: he managed to disable two-step authentication on someone else's account. A user protected by two-step authentication usually feels safe and chooses a simple password, so guessing it is not difficult. Once logged into the account, the attacker can just as easily enable two-step authentication with his own phone number. The same is true for users who have never enrolled in two-step authentication at all.

Even knowing the password, the victim will then be unable to log in to the site without the help of Twitter's technical support.
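To make the design flaw behind both scenarios concrete, here is an added Python model (not code from the original post, F-Secure, or Twitter) of an SMS command gateway. It contrasts a gateway that trusts the forgeable SMS sender number and binds a phone without checking the confirmation code with one that gates every change on a one-time code sent to the handset. The Account structure, the STOP handling, the sample number and the confirmation flow are assumptions made for illustration.

```python
# Added example: a toy SMS command gateway modelling the flaw described above.
# Not Twitter's code. The Account model, the STOP command handling and the
# outbound-code confirmation flow are assumptions made for illustration.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

VICTIM_PHONE = "+15550100"  # constructed sample number


@dataclass
class Account:
    username: str
    phone: Optional[str] = None            # number for mobile tweets / 2FA SMS
    two_step: bool = False
    pending: Dict[str, str] = field(default_factory=dict)  # action -> code


class WeakGateway:
    """Trusts the (spoofable) SMS sender number and applies changes at once,
    without any proof that the user actually holds the handset."""

    def __init__(self) -> None:
        self.by_phone: Dict[str, Account] = {}

    def web_enroll(self, acct: Account, phone: str) -> None:
        # Flaw 1: the number is bound without checking the code sent to it.
        acct.phone, acct.two_step = phone, True
        self.by_phone[phone] = acct

    def inbound_sms(self, sender: str, body: str) -> str:
        acct = self.by_phone.get(sender)
        if acct is None:
            return "ignored"
        if body.strip().upper() == "STOP":
            # Flaw 2: one STOP with a forged sender removes the phone binding
            # and, because two-step auth rides on it, the second factor too.
            del self.by_phone[sender]
            acct.phone, acct.two_step = None, False
            return "stopped"
        return "unknown command"


class HardenedGateway:
    """Every change to the phone binding requires a one-time code sent TO the
    number. A spoofer controls the From header of inbound SMS but never
    receives outbound SMS, so the round trip cannot be completed."""

    def __init__(self) -> None:
        self.by_phone: Dict[str, Account] = {}

    @staticmethod
    def _send_code(acct: Account, action: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending[action] = code
        return code  # stands in for delivering an SMS to the real handset

    def web_enroll(self, acct: Account, phone: str) -> str:
        # Bind nothing yet; the caller must present the code the phone received.
        return self._send_code(acct, "enroll:" + phone)

    def web_confirm_enroll(self, acct: Account, phone: str, code: str) -> bool:
        expected = acct.pending.pop("enroll:" + phone, None)
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        acct.phone, acct.two_step = phone, True
        self.by_phone[phone] = acct
        return True

    def inbound_sms(self, sender: str, body: str) -> str:
        acct = self.by_phone.get(sender)
        if acct is None:
            return "ignored"
        text = body.strip().upper()
        if text == "STOP":
            self._send_code(acct, "stop")      # delivered to the real handset
            return "confirmation code sent to handset"
        expected = acct.pending.get("stop")
        if expected is not None and text.isascii() and secrets.compare_digest(expected, text):
            del acct.pending["stop"]
            del self.by_phone[sender]
            acct.phone, acct.two_step = None, False
            return "stopped"
        return "unknown command"


def spoofed_stop_against_weak() -> bool:
    """Attacker forges the victim's number as sender; returns whether the
    victim's two-step auth survived (it does not)."""
    gw, victim = WeakGateway(), Account("victim")
    gw.web_enroll(victim, VICTIM_PHONE)
    gw.inbound_sms(VICTIM_PHONE, "STOP")
    return victim.two_step


def spoofed_stop_against_hardened() -> bool:
    """Same forged STOP; the gateway only issues a challenge the attacker
    never sees, so two-step auth stays on."""
    gw, victim = HardenedGateway(), Account("victim")
    gw.web_confirm_enroll(victim, VICTIM_PHONE, gw.web_enroll(victim, VICTIM_PHONE))
    gw.inbound_sms(VICTIM_PHONE, "STOP")
    return victim.two_step


def owner_stop_against_hardened() -> bool:
    """The real owner reads the code off the handset and replies with it, so
    the binding is removed. Returns the resulting two-step state."""
    gw, owner = HardenedGateway(), Account("owner")
    gw.web_confirm_enroll(owner, VICTIM_PHONE, gw.web_enroll(owner, VICTIM_PHONE))
    gw.inbound_sms(VICTIM_PHONE, "STOP")
    gw.inbound_sms(VICTIM_PHONE, owner.pending["stop"])  # code read from handset
    return owner.two_step


if __name__ == "__main__":
    print("weak: 2FA after spoofed STOP     ->", spoofed_stop_against_weak())
    print("hardened: 2FA after spoofed STOP ->", spoofed_stop_against_hardened())
    print("hardened: 2FA after owner STOP   ->", owner_stop_against_hardened())
```

The point of the hardened variant is not that the sender number is checked more carefully (it cannot be, since carriers let it be forged) but that no inbound SMS alone is ever sufficient: a change is only applied after a code that went out to the registered handset comes back. A side effect worth noting is that a forged STOP still causes the real owner to receive an unexpected confirmation SMS, which is a useful signal that someone is probing the account.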


So you should enable two-factor authentication yourself before someone else does it for you, but make sure to use a phone number that is not known to others.

Link:

http://www.f-secure.com/weblog/archives/00002560.html
