(CNN Business) - The Twitter account of Jack Dorsey, CEO of Twitter, was hacked on Friday, and he may have been the victim of a vulnerability that Twitter had previously been warned about and had repeatedly denied was a problem.
For approximately 20 minutes on Friday afternoon, Dorsey's account posted a series of racist and offensive tweets. Twitter quickly acknowledged that someone had hacked the account and said it was now secure.
The tweets appear to have been sent not by logging in to Dorsey's actual account, but by a hacker or hackers who convinced Twitter's systems that they had his phone and sent text messages to his account. It is likely that the hacker or hackers did not even need Dorsey's password, and were never asked for it.
The tweets were labeled as published by Cloudhopper, an SMS company that Twitter bought in 2010, when some users regularly used text messages to send tweets. Today, if a text is sent to 40404 from a US phone number associated with a Twitter account, that account will publish the text and the tweet will be labeled as coming from Cloudhopper.
CNN confirmed that this would work using a newly registered account, which Twitter automatically opted in to sending tweets via text message. Then, with a phone that had never been used to log in to Twitter and without being asked for a password, a CNN reporter was able to send a tweet via text message.
Look ma not logged in
- kevin collier (@kevinco99119564) August 30, 2019
Hackers could use this method to send tweets from other accounts belonging to prominent figures, including US elected officials who are frequent Twitter users, such as President Trump, as long as the targets have not opted out of tweeting by text message. The White House and the Secret Service did not immediately respond to requests for comment on whether Trump's account has tweeting by text message enabled.
This method of tweeting may once have seemed a useful and harmless feature. But a phone number is considered a much less secure identifier today than in 2010. The last few years have seen the emergence of “sim jacking,” in which a hacker convinces a phone provider that he has lost his SIM card and requests that the number be transferred to a new card.
In a follow-up tweet on Friday night, Twitter hinted that this was what happened, writing: “The phone number associated with the account was compromised due to security supervision by the mobile service provider. This allowed an unauthorized person to write and send tweets through text messages from the phone number. That problem is already solved.”
Phone numbers can also be spoofed without “sim jacking”. Security researchers have previously been able to spoof a phone number associated with an account and convince Twitter to allow them to post tweets that way. Twitter said at the time that it was a mistake that had been resolved.
In 2012, Twitter published a post on its blog in response to reports that it might be possible for hackers to forge a phone number and send tweets by text message in this way. In that post, it specifically denied that US users could be vulnerable to such hacking.
Twitter declined to comment beyond its tweets about Dorsey.