Twitter CEO Jack Dorsey had his account hacked on Friday. It's believed that Dorsey fell victim to a vulnerability that Twitter had been warned about in the past, but didn't believe to be an issue.
Hacker group Chuckling Squad tweets through Dorsey's account
Dorsey's account tweeted out several racist and offensive tweets for a good 20 minutes on Friday afternoon. The hackers, who apparently go by the name Chuckling Squad, have also compromised other high-profile accounts. Twitter acknowledged that the account had been hacked and said that it had since secured Dorsey's Twitter handle again.
A combination of SIM swapping and tweet through text
It seems the tweets weren't sent as a result of Dorsey's account itself being broken into. The hacker tricked Twitter's servers into believing they were using his phone by getting Dorsey's number associated with another SIM card, a technique known as a SIM swap or SIM jack.
The hackers would then send the tweets via Cloudhopper. Cloudhopper is an SMS company Twitter purchased in 2010, back when users were regularly posting tweets via SMS messages. If a text is sent to the number 40404 from a phone number associated with a Twitter account, the message is tweeted on that account and labeled with the Cloudhopper name.
This works with all newly created accounts, which are automatically opted into tweeting by text. CNN tested it for themselves and proved that it was possible to send a tweet via text without ever being asked for a password, or even logging into Twitter.
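To make the design weakness concrete, here is an added illustration (not Twitter's or Cloudhopper's code; the handler, the account fields and the `PIN <pin> <text>` message format are assumptions) contrasting an inbound-SMS posting handler that trusts only the sender number with one that requires explicit opt-in plus a per-account secret that does not travel with the phone number:

```python
from dataclasses import dataclass, field
import hashlib
import hmac

@dataclass
class Account:
    handle: str
    phone: str
    sms_posting_enabled: bool = False   # hardened default: off until the user opts in
    sms_pin_hash: str = ""              # sha256 of a PIN the user set (assumed scheme)
    tweets: list = field(default_factory=list)

def _by_phone(accounts, sender):
    return next((a for a in accounts if a.phone == sender), None)

def post_by_sms_weak(accounts, sender, body):
    """Weak design: the sender number alone identifies the account, so whoever
    controls the number after a SIM swap can post."""
    acct = _by_phone(accounts, sender)
    if acct is None:
        return "unknown-sender"
    acct.tweets.append(body)
    return "posted"

def post_by_sms_hardened(accounts, sender, body):
    """Hardened design: explicit opt-in and a secret bound to the account, not the SIM."""
    acct = _by_phone(accounts, sender)
    if acct is None or not acct.sms_posting_enabled:
        return "rejected"            # feature is off unless the owner enabled it
    parts = body.split(" ", 2)
    if len(parts) != 3 or parts[0] != "PIN":
        return "rejected"
    pin_hash = hashlib.sha256(parts[1].encode()).hexdigest()
    if not hmac.compare_digest(pin_hash, acct.sms_pin_hash):
        return "rejected"            # number was ported, but the PIN was not
    acct.tweets.append(parts[2])
    return "posted"

def simulate():
    """Constructed scenario: the victim's number now sits in a SIM the victim does not hold."""
    sha = lambda p: hashlib.sha256(p.encode()).hexdigest()
    victim = Account("victim", "+15550000001")
    victim_opted = Account("victim", "+15550000001", True, sha("4711"))
    return {
        "weak": post_by_sms_weak([victim], "+15550000001", "spam"),
        "hard_no_optin": post_by_sms_hardened([victim], "+15550000001", "PIN 4711 spam"),
        "hard_wrong_pin": post_by_sms_hardened([victim_opted], "+15550000001", "PIN 0000 spam"),
        "hard_owner": post_by_sms_hardened([victim_opted], "+15550000001", "PIN 4711 hello"),
    }
```

The weak handler accepts the message on the strength of the number alone, which is exactly what a SIM swap gives an attacker; the hardened one refuses unless the account opted in and the sender also knows a secret the carrier never sees.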
SIM swaps are making phone authentication less secure
Being able to tweet through text was once considered a harmless feature that could save users time. A phone number has become a far less secure way of identifying someone than it was in 2010, though. There have been several cases of "SIM jacking" in recent years. SIM jacking is when a hacker convinces a phone company that they have lost their SIM card and requests that the victim's phone number be transferred to a different card.
Twitter sent out a tweet on Friday that suggested this is what happened with Dorsey. They said that "The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed the unauthorized individual to compose and send tweets via text message from the phone number. That issue is now resolved."
Twitter was warned about the bug in 2012
SIM hacking isn't even required to spoof phone numbers. Security researchers have previously spoofed a phone number attached to an account and convinced Twitter to allow them to post tweets through the spoofed messages. At the time, Twitter said that it was a bug and that they had resolved the issue.
Twitter published a blog post in 2012 responding to reports that it was possible for a hacker to spoof a phone number and send tweets via text. The post explicitly denied that US users could be "hacked" in such a way. Much to Twitter's embarrassment, it turns out they can.
Besides the tweets about Dorsey's account, Twitter has yet to make any official statement about the vulnerability.