A Twitter spokesperson explained to The Guardian that the bug “allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing.” It’s not entirely clear what makes certain accounts susceptible to the bug, but as Gizmodo explains, Insinia was able to send out unauthorized tweets using “longcodes.” See, Twitter uses two kinds of numbers for tweeting via SMS: longcodes and shortcodes. The former looks like a typical phone number, while the latter is just three to five digits. It’s different for every country and, sometimes, every carrier — the USA uses a shortcode (40404), for instance, while the UK uses both shortcodes and a longcode (+447624800379).
That spokesperson also announced that the social network already “resolved the bug,” but Insinia said it was able to hijack accounts even after Twitter claimed that it rolled out a fix. While hackers won’t be able to access DMs or personal details by exploiting this particular flaw, Insinia chief Mike Godfrey said his company conducted the experiment to show how text messaging should not be used to verify people’s identities.
“We should not be using 50-year old technology,” he explained. “It is massively flawed by design. Even someone completely unskilled could carry [out] this attack within half an hour. This took us 10 minutes.”
Godfrey was also hoping that putting a spotlight on the issue would compel Twitter to issue a solution, seeing as this problem could be going on for a few years now. As Gizmodo noted, Twitter admitted that it suffered from an SMS spoofing vulnerability way back in 2012. This seems to be the exact same bug, or at least a very similar one. If you’re in the US, though, you might not have to worry about randos tweeting for you: the company’s spokesperson said Twitter doesn’t “believe there is any significant risk to US-based account holders.”