Despite claims of a fix by Twitter, researchers at a Britain-based security firm who earlier hijacked accounts of several celebrities and journalists to expose a vulnerability have said that the loophole still persists at the popular social media platform.
Insinia Security last week said it successfully hijacked the accounts of a number of celebrities, including Eamonn Holmes, Louis Theroux, Simon Calder and Saira Khan among others.
To take control of the accounts, the researchers at the company used fake SMS verification that made it appear as if they belonged to the account owners, The Telegraph reported.
A Twitter spokesperson told reporters on Friday that it had “resolved a bug that allowed certain accounts with a connected UK phone number to be targeted by SMS spoofing.”
But the hackers who posted the unauthorised tweets to celebrity accounts appeared to reproduce the experiment after Twitter made its claim, Gizmodo reported on Monday.
A simple method allowed researchers at Insinia Security to send tweets, direct messages, retweet and like tweets, follow and unfollow people, according to the company which warned that the vulnerability could be easily exploited by nation states, hackers and organised crime groups.
The vulnerability could be used to “spread fake news and disinformation via influential celebrities and journalists”, Insinia warned in a blog post.
Insinia recommended that users should remove their phone number from the Twitter account untill the bug is fixed.
“Twitter should completely remove this functionality (SMS verification) as users rely on their phone added to account for two-factor authentication,” Insinia said.