Twitter’s Authentication Has Vulnerabilities

Twitter’s SMS-based, two-factor authentication feature could be abused to lock users who have not enabled it for their accounts if attackers gain access to their log-in credentials, according to researchers from Finnish antivirus vendor F-Secure.

Twitter introduced two-factor authentication last week as an optional security feature in order to make it harder for attackers to hijack users’ accounts even if they manage to steal their usernames and passwords. If enabled, the feature introduces a second authentication factor in the form of secret codes sent via SMS.

According to Sean Sullivan, a security advisor at F-Secure, attackers could actually abuse this feature in order to prolong their unauthorized access to those accounts that don’t have two-factor authentication enabled. The researcher first described the issue Friday in a blog post.

An attacker who steals someone’s log-in credentials, via phishing or some other method, could associate a prepaid phone number with that person’s account and then turn on two-factor authentication, Sullivan said Monday. If that happens, the real owner won’t be able to recover the account by simply performing a password reset, and will have to contact Twitter support, he said.

This is possible because Twitter doesn’t use any additional method to verify that whoever has access to an account via Twitter’s website is also authorized to enable two-factor authentication.

When the two-factor authentication option called “Account Security” is first enabled on the account settings page, the site asks users if they successfully received a test message sent to their phone. Users can simply click “yes,” even if they didn’t receive the message, Sullivan said.

Instead, Twitter should send a confirmation link to the email address associated with the account for the account owner to click in order to confirm that two-factor authentication should be enabled, Sullivan said.

As it is, the researcher is concerned that this feature could be abused by determined attackers like the Syrian Electronic Army, a hacker group that recently hijacked the Twitter accounts of several news organizations, in order to prolong their unauthorized access to compromised accounts.

Some security researchers already expressed their belief that Twitter’s two-factor authentication feature in its current implementation is impractical for news organizations and companies with geographically dispersed social media teams, where different employees have access to the same Twitter account and cannot share a single phone number for authentication.

Twitter did not immediately respond to a request for comment regarding the issue described by Sullivan.

Source

AP Goes With Twitter

The Associated Press began using its official Twitter account as an advertising platform on Monday, as the news organization looks for new ways to generate revenue.

Samsung Electronics Co Ltd was the first sponsor on the @ap account for breaking news, which is followed by 1.5 million Twitter users. The South Korean electronics maker’s initial “SPONSORED TWEET” promoted its events at the 2013 Consumer Electronics Show in Las Vegas this week.

AP did not disclose financial details of the arrangement.

Twitter, which sells ads directly to make money from the social media’s monthly base of 200 million users, will not receive any proceeds from the AP-Samsung deal.

The AP called the initiative part of a new business strategy and stressed that sponsored tweets will clearly be labeled to differentiate them from news tweets.

The ads provide AP a new income source as news organizations from newspapers to television face severe revenue declines in the face of high production costs.

While the AP was founded in 1846 by U.S. newspapers as a breaking news conduit, only 22 percent of its revenue comes from member fees. Photo licensing, advertising on its news application AP Mobile and YouTube channel are other revenue streams.

Source…