You can no longer post a message on Twitter just by sending an SMS… although the feature might come back at a later date.
Twitter’s official support account announced that the feature was being disabled on Wednesday evening, just days after Twitter’s own CEO, Jack Dorsey, had his account hijacked.
Whoever was responsible for spewing out a series of unsavoury tweets from the @jack account to millions of followers succeeded because they successfully tricked Dorsey’s mobile phone operator into giving them control of his phone number.
The technique, which uses social engineering to convince a mobile phone operator that you really are the person whose number you are trying to steal, is known as a SIM swap attack (also sometimes called a Port Out scam).
Twitter’s CEO isn’t the only person to fall victim to the scam in recent days. Other victims have included actress Chloë Grace Moretz, and a variety of YouTubers with large followings.
As I wrote earlier this week:
“if Twitter is going to accept SMS messages from your mobile phone number and automatically broadcast them to the world, you had better be feeling darn confident that no-one else is going to gain access to your phone – or seize control of your mobile number.”
With mobile phone operators too often being duped into letting fraudsters hijack mobile phone numbers through SIM swap fraud, and even Twitter’s own boss falling victim, the site couldn’t really allow the madness to continue for much longer.
Hence tonight’s announcement:
We’re temporarily turning off the ability to Tweet via SMS, or text message, to protect people’s accounts.
We’re taking this step because of vulnerabilities that need to be addressed by mobile carriers and our reliance on having a linked phone number for two-factor authentication (we’re working on improving this).
We’ll reactivate this in markets that depend on SMS for reliable communication soon while we work on our longer-term strategy for this feature.
My guess is that Twitter will bring back tweeting via SMS text message at some point. It is, after all, attractive in parts of the world where there has been a lower adoption of smartphones.
But I really do hope the site has finally got to grips with the security around the feature, taking better steps to authenticate users than just looking at the mobile phone number they are tweeting from, and perhaps even disabling the feature for the majority of us who have no use for it.
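To make the design point above concrete, here is an added illustration that is not code from the article, from Twitter, or from any real SMS gateway. It models a "post by text message" feature with a constructed in-memory account directory, and contrasts a handler that trusts the sender's phone number alone with one that treats the number as nothing more than a lookup key and demands a short-lived, single-use code that was shown to the account owner outside SMS (for example in the app). The account names, phone numbers, code lifetime and post-number-change cooldown are all assumed values.

```python
"""Added example (not Twitter's code): a phone number is not an identity.

Two handlers for an inbound "post by SMS" command against a constructed
in-memory directory. The naive one posts for whoever controls the number,
so a SIM swap at the carrier is enough to post as the victim. The hardened
one requires a short-lived, single-use code delivered outside SMS, and
refuses SMS posting for a while after the linked number changes.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300             # one-time code lifetime (assumed policy value)
PHONE_CHANGE_COOLDOWN = 48 * 3600  # no SMS posting this long after a number change (assumed)


@dataclass
class Account:
    handle: str
    phone: str
    sms_posting_enabled: bool = False
    phone_changed_at: float = 0.0   # 0.0 means "long ago"
    pending_codes: dict = field(default_factory=dict)  # code -> expiry time


def build_demo_directory():
    """Constructed sample data: one account with SMS posting switched on."""
    acct = Account(handle="victim", phone="+15550000001", sms_posting_enabled=True)
    return {acct.phone: acct}


def naive_handle(directory, sender, body):
    """Weak design: the sender number is the whole authentication check."""
    acct = directory.get(sender)
    if acct is None or not acct.sms_posting_enabled:
        return ("rejected", "unknown number")
    return ("posted", acct.handle, body)


def issue_code(acct, now):
    """Mint a 6-digit single-use code for the account owner.

    It must be shown in the app or another channel the phone number alone
    cannot reach; sending it by SMS would hand it to whoever holds the
    (possibly swapped) SIM and defeat the whole point.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending_codes[code] = now + CODE_TTL_SECONDS
    return code


def hardened_handle(directory, sender, body, now):
    """The number only selects the account; the code proves possession of it."""
    acct = directory.get(sender)
    if acct is None or not acct.sms_posting_enabled:
        return ("rejected", "unknown number")
    if now - acct.phone_changed_at < PHONE_CHANGE_COOLDOWN:
        return ("rejected", "number changed recently")
    parts = body.split(" ", 1)
    if len(parts) != 2:
        return ("rejected", "no code")
    supplied, message = parts
    # Drop expired codes and compare the rest in constant time.
    matched = None
    for code, expiry in list(acct.pending_codes.items()):
        if expiry < now:
            del acct.pending_codes[code]
        elif hmac.compare_digest(code.encode(), supplied.encode()):
            matched = code
    if matched is None:
        return ("rejected", "bad or expired code")
    del acct.pending_codes[matched]  # single use: a replayed text is rejected
    return ("posted", acct.handle, message)


if __name__ == "__main__":
    directory = build_demo_directory()
    now = time.time()
    victim_number = "+15550000001"
    # After a SIM swap, the attacker's handset sends from the victim's number.
    print(naive_handle(directory, victim_number, "not really me"))           # posted
    print(hardened_handle(directory, victim_number, "not really me", now))   # rejected
    code = issue_code(directory[victim_number], now)   # shown in-app to the real owner
    print(hardened_handle(directory, victim_number, f"{code} hello", now + 5))   # posted
    print(hardened_handle(directory, victim_number, f"{code} hello", now + 6))   # rejected (replay)
```

The cooldown after a number change is the part most relevant to SIM swap fraud: a legitimate number change and a fraudulent port look identical to the service, so the safest reaction to either is to stop treating the number as proof of anything for a while.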
You can listen to more about the hack of Jack Dorsey’s Twitter account, and SIM swap fraud, in this episode of the “Smashing Security” podcast (recorded before Twitter disabled the tweet via SMS functionality):