Turns out it’s really easy to spoof the source address of an SMS message. This means that services that trust the source address implicitly are vulnerable to spoofing — and Twitter’s one of them. If you’re in the US and have SMS enabled, turn it off. If you’re outside the US, Twitter offers a PIN code feature that lets you prepend a 4-digit code to prove it’s really you.
On the “use your smartphone to spoof a hockey-puck” front, this is kind of sad. Beyond telling the world how you slept through another physics lecture, SMS is arguably the more private of the “real phone’s” two main features. (Voice recognition.)
“Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs knowledge of the mobile number associated with a target’s Twitter account. Messages can then be sent to Twitter with the source number spoofed.
Like email, the originating address of an SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else’s number.
Facebook and Venmo were also vulnerable to the same spoofing attack, but the issues were resolved after disclosing to their respective security teams.
Users of Twitter that have a mobile number associated with their account and have not set a PIN code are vulnerable. All of the Twitter SMS commands can be used by an attacker, including the ability to post tweets and modify profile info.
All services that trust the originating address of SMS messages implicitly and are not using a short code are vulnerable.
Until Twitter removes the ability to post via non-short code numbers, users should enable PIN codes (if available in their region) or disable the mobile text messaging feature.
Twitter has a PIN code feature that requires every message to be prepended with a four-digit alphanumeric code. This feature mitigates the issue, but is not available to users inside the United States.”
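The following added example, which is not code from the advisory or from any service named above, contrasts an inbound-SMS command handler that trusts the originating address with one that requires the PIN prefix the advisory describes. The account data, function names, KDF parameters and lockout threshold are all assumptions made for illustration.

```python
import hashlib
import hmac

def _pin_digest(pin, salt):
    # Slow salted KDF: a 4-character PIN has little entropy on its own.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

# Constructed sample data; numbers, users and PIN are hypothetical.
ACCOUNTS = {
    "+15555550100": {"user": "alice", "salt": b"s1", "pin": _pin_digest("7q2x", b"s1")},
    "+15555550101": {"user": "bob", "salt": b"s2", "pin": None},  # no PIN enrolled
}
MAX_PIN_FAILURES = 5  # assumed threshold
_failures = {}  # originating address -> consecutive bad-PIN count

def handle_sms_trusting(source, body):
    """Weak form: the originating address both selects and authorizes the account."""
    account = ACCOUNTS.get(source)
    if account is None:
        return (False, None, "unknown number")
    return (True, account["user"], body)

def handle_sms_with_pin(source, body):
    """Hardened form: the address only selects the account; the PIN prefix authorizes."""
    account = ACCOUNTS.get(source)
    if account is None:
        return (False, None, "unknown number")
    if account["pin"] is None:
        return (False, None, "no PIN enrolled")  # fail closed, never fall back to the address
    if _failures.get(source, 0) >= MAX_PIN_FAILURES:
        return (False, None, "locked")  # caps guessing; re-enable out of band
    pin, _, command = body.partition(" ")
    well_formed = len(pin) == 4 and pin.isalnum()
    supplied = _pin_digest(pin if well_formed else "", account["salt"])
    if not well_formed or not hmac.compare_digest(supplied, account["pin"]):
        _failures[source] = _failures.get(source, 0) + 1
        return (False, None, "bad PIN")
    _failures[source] = 0
    return (True, account["user"], command)
```

The lockout trades availability for integrity: repeated bad PINs from a claimed number disable SMS posting for that account until it is re-enabled through another channel.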