Insinia Security hijacked several high-profile Twitter accounts in order to publicize a vulnerability in Twitter's SMS features. The flaw allows an attacker to post messages from accounts they do not control, needing only the phone number linked to the target account.
Insinia says it had repeatedly warned Twitter to fix the issue, arguing that the vulnerability could be exploited to post fake news or spread disinformation. It could also be used to send direct messages to trusted contacts in the victim's network, tricking them into clicking links that install malware capable of remotely controlling their devices.
The spoofed messages Insinia posted on the targeted accounts read: "This account has been temporarily hijacked by Insinia Security".
Insinia explained in its blog that it had managed to inject messages onto the targeted accounts by analyzing how Twitter interacts with smartphones when messages are sent over SMS.
The firm said that this knowledge, combined with publicly available information on Twitter's text message policies and the target's phone number, was enough to post messages that appeared to come from the account's real owner.
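The article does not describe Twitter's implementation, but the attack it reports (a phone number alone is enough to post as the account's owner) is the classic failure of treating an SMS sender number as an authenticator: sender IDs are carrier-presented, not cryptographically bound to the handset. The following Python model is an added example, not Insinia's or Twitter's code. It assumes a simplified SMS-to-post service that selects the account by the inbound sender number, and shows why a message with a forged sender is accepted, and why unlinking the number (the precaution Insinia recommends further down) or requiring explicit opt-in stops it. Account names, numbers and the message body are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    handle: str
    phone: Optional[str]           # number linked to the account, or None if removed
    sms_posting: bool = False      # hypothetical opt-in flag for SMS-to-post
    timeline: list = field(default_factory=list)

@dataclass
class InboundSms:
    sender: str   # sender ID as delivered by the carrier; an attacker can spoof this
    body: str

class SmsPostService:
    """Toy model of a 'text this shortcode to post' feature."""

    def __init__(self, accounts):
        # Index only accounts that actually have a linked number.
        self.by_phone = {a.phone: a for a in accounts if a.phone}

    def handle_weak(self, sms: InboundSms) -> Optional[str]:
        """Vulnerable model: the sender number alone authenticates the poster."""
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return None
        acct.timeline.append(sms.body)
        return acct.handle

    def handle_hardened(self, sms: InboundSms) -> Optional[str]:
        """Same lookup, but posting is refused unless the account opted in.

        Sender ID is still not proof of identity; this only narrows the
        attack to users who deliberately enabled the feature. Unlinking the
        number removes the account from the index entirely."""
        acct = self.by_phone.get(sms.sender)
        if acct is None or not acct.sms_posting:
            return None
        acct.timeline.append(sms.body)
        return acct.handle

def demo() -> dict:
    """Run a spoofed message against the weak and hardened handlers.

    Returns which handle (if any) each variant posted to."""
    victim = Account("victim_journalist", phone="+15550100")  # constructed number
    spoofed = InboundSms(sender="+15550100",                  # attacker forges victim's number
                         body="This account has been temporarily hijacked")

    weak = SmsPostService([victim]).handle_weak(spoofed)

    hardened_default = SmsPostService([victim]).handle_hardened(spoofed)

    # After the user removes the phone number, the forged sender matches nothing.
    unlinked = Account("victim_journalist", phone=None)
    after_removal = SmsPostService([unlinked]).handle_weak(spoofed)

    return {"weak": weak, "hardened_default": hardened_default,
            "after_removal": after_removal}

if __name__ == "__main__":
    print(demo())
```

The weak handler posts the forged message to the victim's timeline with nothing but the number; the opt-in variant rejects it for an account that never enabled SMS posting, and once the number is unlinked there is no account to match. Any real fix has to stop relying on the sender ID altogether, since a determined attacker can still spoof the number of a user who did opt in.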
Mike Godfrey, chief executive of Insinia, said his firm had only "passive interaction" with the Twitter accounts it targeted and denied it had broken the law.
“We have not had access to any Twitter account and have not seen any of their direct messages. Nothing has been maliciously hacked,” Godfrey told the BBC. “There's nothing unethical or irresponsible about what we did,” Godfrey added.
As a precaution, Insinia Security recommends that users remove the phone number linked to their Twitter accounts.
Criticisms from the security community
Because of its unconventional method, Insinia Security has drawn criticism from the security community and from the affected account owners for the way it chose to highlight Twitter's security issue. The travel journalist Calder, one of those targeted, confirmed to the BBC that the attack had been carried out without his permission and described it as a "tedious" and "annoying" experience that had left him unimpressed.
"Interfering with many people's accounts in this way is irresponsible," said Prof Alan Woodward from the University of Surrey.
A cyber-security expert noted that it is normal practice for security researchers to carry out such a "proof of concept" against their own accounts or those of co-operating volunteers, not against an unaware public. Another expert added that the action could amount to a breach of the Computer Misuse Act.
Despite the questionable methodology Insinia employed, the incident does prompt Twitter users to consider protecting their accounts with stronger security measures and to avoid sharing sensitive information on the platform. It also calls on Twitter to bolster the account security features it provides to its users.