Twitter's two-factor authentication implementation can be abused, researchers say

Attackers could use it to lock users out of their accounts if they steal their log-in credentials, F-Secure researchers says

Twitter's SMS-based, two-factor authentication feature could be abused to lock users who don't have it enabled out of their accounts if attackers gain access to their log-in credentials, according to researchers from Finnish antivirus vendor F-Secure.

Twitter introduced two-factor authentication last week as an optional security feature in order to make it harder for attackers to hijack users' accounts even if they manage to steal their usernames and passwords. If enabled, the feature introduces a second authentication factor in the form of secret codes sent via SMS.

According to Sean Sullivan, a security advisor at F-Secure, attackers could actually abuse this feature in order to prolong their unauthorized access to those accounts that don't have two-factor authentication enabled. The researcher first described the issue Friday in a blog post.

An attacker who steals someone's log-in credentials, via phishing or some other method, could associate a prepaid phone number with that person's account and then turn on two-factor authentication, Sullivan said Monday. If that happens, the real owner won't be able to recover the account by simply performing a password reset, and will have to contact Twitter support, he said.

This is possible because Twitter doesn't use any additional method to verify that whoever has access to an account via Twitter's website is also authorized to enable two-factor authentication.

When the two-factor authentication option called "Account Security" is first enabled on the account settings page, the site asks users if they successfully received a test message sent to their phone. Users can simply click "yes," even if they didn't receive the message, Sullivan said.

Instead, Twitter should send a confirmation link to the email address associated with the account for the account owner to click in order to confirm that two-factor authentication should be enabled, Sullivan said.

As it is, the researcher is concerned that this feature could be abused by determined attackers like the Syrian Electronic Army, a hacker group that recently hijacked the Twitter accounts of several news organizations, in order to prolong their unauthorized access to compromised accounts.

Some security researchers already expressed their belief that Twitter's two-factor authentication feature in its current implementation is impractical for news organizations and companies with geographically dispersed social media teams, where different employees have access to the same Twitter account and cannot share a single phone number for authentication.

Twitter did not immediately respond to a request for comment sent Monday regarding the issue described by Sullivan.

Twitter probably rushed to get this feature out and didn't fully consider all of its aspects, Sullivan said. However, this is likely only the first step and the company will eventually have a solid implementation, he said.

Tags: online safety, security, Access control and authentication, twitter, f-secure

Today's Approach to Security is Broken

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Protect against bugs in USB Storage devices

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.