Security Firm Briefly Hijacked Accounts on Twitter to Show Vulnerability

Some popular Twitter accounts were hijacked briefly late last year by security firm Insinia to demonstrate alleged flaws in the social media platform. Mike Godfrey, who runs the U.K.-based cybersecurity business, said that his team hijacked the accounts to show how anyone who knows a user's phone number can tweet from that user's account if the account is linked to the number.

Warned about the danger of hijacked accounts in past

The accounts of several high-profile users displayed messages saying that they had been hacked by the cybersecurity firm. The firm said in its blog that it managed to do this by analyzing the way Twitter handled messages posted through mobile devices. The company explained that knowing a person's phone number could allow attackers to send messages from accounts that they do not control.

TV presenter Saira Khan and travel journalist Simon Calder are among the celebrities whose accounts were temporarily hijacked by the firm. The bug that makes the hijack possible is not new; it has existed for six years. Insinia Security, which denies breaking any law, says it carried out the hack to raise awareness of the flaw, as Twitter was doing nothing to fix it.

The firm said it had warned about the flaw before: in March it raised the issue of using text messages for security in the Telegraph, and in November it underlined the same issue again.

Attack was done without permission

Godfrey revealed that his company had informed the targets of the attack and of their susceptibility to it in advance, but conceded that they did not exactly agree to it. Simon Calder told the BBC that the attack was done without his permission, and called it an annoying and tedious experience that did not impress him.

Prof Alan Woodward from the University of Surrey told the BBC that interfering with other people's accounts is irresponsible. Another expert said that this kind of action by the cybersecurity firm could be a violation of the Computer Misuse Act. Insinia recommended that users remove their phone numbers from their accounts as a safety measure.
