Security researcher and developer Jonathan Rudenberg has shown that an old SMS spoofing trick slipped past the security teams of social-media giants Facebook and Twitter, and US mobile payment application Venmo.
The flaw exploits the ability for attackers to specify what phone number an SMS originated from, along with the lack of checks in place on Facebook, Twitter and Venmo's sides to verify that the information is authentic.
An attacker exploiting these quirks could fraudulently make status updates or mobile payments where these features have been made available via SMS.
Rudenberg documented the response of all three companies on his blog, and of them, Venmo was the quickest to respond to the issue. Being a relatively small company, Rudenberg had problems with finding the right contact to speak to regarding the vulnerability. Once he contacted Braintree, which purchased Venmo only recently, its security team shut down its feature for mobile payments via SMS just two days later.
It's worth noting at this point that Venmo doesn't have an extensive security team. It does have a dedicated risk and fraud manager, Eran Kimchi, but he is not part of the software team, and, judging by his background at Google and PayPal, he appears to be more of an analyst type.
Facebook and Twitter, which are known for having dedicated security teams, were not so fast to respond, despite Rudenberg using his influence to force both companies to give the issue greater attention. Rudenberg initially notified Facebook of the issue on August 19. Failing to get a response, he had a friend on the inside bump the issue internally, and received notification that the issue had been resolved on November 28 — 101 days later.
Twitter, on the other hand, took 107 days, after Rudenberg notified it on August 19.
"The issue I filed was initially inspected by a member of their security team, but was then routed to the normal support team, who did not believe that SMS spoofing was possible. I then reached out directly to someone on the security team, who said that it was an 'old issue,' but that they did not want me to publish until they got 'a fix in place.' I received no further communication from Twitter," Rudenberg wrote on his blog.
Rudenberg requested an update on the issue on October 15, and, upon receiving no response, notified Twitter on November 28 that he would be disclosing the issue publicly. Upon writing up the vulnerability and posting it on his blog yesterday, Twitter has since come back today and confirmed that the issue has been resolved.
For his efforts, Rudenberg will receive a minimum bug bounty of US$500 from Facebook. Neither Twitter nor Venmo have a similar bounty scheme. At the time of writing, Rudenberg is not listed by Twitter on its list of White Hats that it would like to thank for improving its security, a courtesy that Rudenberg is more than worthy of.
Venmo's response was warranted, given that its customers' money was at risk, but that speaks volumes about how Facebook — and Twitter, to a lesser extent — view the reputation and personal information of its users. I would argue that personal information is more valuable than money, given that money can always be replaced; there are forms of insurance for that. A trashed reputation or leaked personal information, however, is forever.
Given that the issue wouldn't have affected the majority of its user base, why weren't posts via SMS simply disabled while a fix was sought? Coding the fix would be a complex issue, but understanding that it presents a risk should not take that long. After all, a small startup that six months ago barely had 25 employees could figure out the issue in a few days.
The truth is, Twitter and Facebook probably didn't see the issue as significant enough to warrant the inconvenience to users. And what this means is that even if they say privacy and security are supposed to be their most important issues, they have lost priority to convenience.