"Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. Users of Twitter that have a mobile number associated with their account and have not set a PIN code are vulnerable. All of the Twitter SMS commands can be used by an attacker, including the ability to post tweets and modify profile info. Messages can then be sent to Twitter with the source number spoofed," Jonathan Rudenberg, the researcher who discovered the bug, said in an advisory on the Twitter SMS flaw.
Facebook and Venmo were also vulnerable to the same spoofing attack, but both issues were resolved after Rudenberg disclosed them to the companies' respective security teams.
The vulnerability is a result of the way the Twitter service handles incoming commands from users' mobile devices. Twitter users can enable an option that allows them to post messages, follow and unfollow users, and take other actions simply by sending SMS commands from their mobile phones. To use it, a user registers his mobile number with Twitter in his profile, so that the service knows which account incoming commands belong to. The problem is that the registered number is the only thing the service checks: it treats the source number of an incoming SMS as proof of who sent it, but the source number of an SMS can be forged. Anyone who knows a user's mobile number can therefore send spoofed messages that post tweets, change profile settings and take other actions on the user's behalf. Users who have set a PIN code for SMS commands are not affected.
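To make the failure concrete, here is an added illustration written for this page; it is not Twitter's code and not from Rudenberg's advisory. A toy SMS command gateway exposes two handlers: `handle_insecure` trusts the sender number alone, as the vulnerable service did, while `handle_with_pin` additionally requires the account's PIN at the start of the message body, which is how this example models the PIN option the advisory mentions. The account names, phone numbers, PIN value and the command set (`FOLLOW`, `NAME`, anything else posted as a tweet) are all made-up sample data, and the PIN-prefix format is an assumption of the example, not a description of Twitter's real syntax.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    """A registered user. The phone number is the only link between an SMS and an account."""
    handle: str
    phone: str
    pin: Optional[str] = None          # None models "user never set a PIN"
    tweets: List[str] = field(default_factory=list)
    following: Set[str] = field(default_factory=set)
    profile_name: str = ""


@dataclass
class Sms:
    """An inbound message as the gateway sees it. `sender` is whatever the
    carrier passed along; an attacker can forge it, so treat it as attacker input."""
    sender: str
    body: str


class SmsGateway:
    def __init__(self, accounts: List[Account]) -> None:
        self.by_phone: Dict[str, Account] = {a.phone: a for a in accounts}

    def _execute(self, acct: Account, text: str) -> str:
        """Dispatch a hypothetical command set (not Twitter's real one):
        FOLLOW <user>, NAME <display name>, anything else is posted as a tweet."""
        parts = text.split(maxsplit=1)
        cmd = parts[0].upper() if parts else ""
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "FOLLOW" and arg:
            acct.following.add(arg)
            return "followed"
        if cmd == "NAME" and arg:
            acct.profile_name = arg
            return "name updated"
        if not text.strip():
            return "empty"
        acct.tweets.append(text)
        return "tweeted"

    def handle_insecure(self, sms: Sms) -> str:
        """Vulnerable pattern: the forgeable source number is treated as authentication."""
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return "unknown number"
        return self._execute(acct, sms.body)

    def handle_with_pin(self, sms: Sms) -> str:
        """Hardened pattern: the number only selects the account; a secret PIN
        that a spoofer does not know must prefix every command."""
        acct = self.by_phone.get(sms.sender)
        if acct is None:
            return "unknown number"
        if acct.pin is None:
            # No PIN on file, so nothing beyond the forgeable number can be checked.
            return self._execute(acct, sms.body)
        parts = sms.body.split(maxsplit=1)
        if len(parts) < 2 or not hmac.compare_digest(parts[0].encode(), acct.pin.encode()):
            return "rejected: bad PIN"
        return self._execute(acct, parts[1])


def demo():
    """Run the spoofing scenario against both handlers. All data is constructed."""
    alice = Account(handle="alice", phone="+15551230001")            # no PIN set
    bob = Account(handle="bob", phone="+15551230002", pin="4821")    # PIN enabled
    gw = SmsGateway([alice, bob])
    # The attacker knows the victims' numbers and forges them as the SMS source.
    results = {
        "alice_insecure": gw.handle_insecure(Sms(alice.phone, "pwned")),
        "alice_pin": gw.handle_with_pin(Sms(alice.phone, "pwned")),
        "bob_insecure": gw.handle_insecure(Sms(bob.phone, "pwned")),
        "bob_pin_spoofed": gw.handle_with_pin(Sms(bob.phone, "pwned")),
        "bob_pin_guess": gw.handle_with_pin(Sms(bob.phone, "0000 pwned")),
        # The legitimate owner, who knows the PIN:
        "bob_pin_tweet": gw.handle_with_pin(Sms(bob.phone, "4821 hello world")),
        "bob_pin_follow": gw.handle_with_pin(Sms(bob.phone, "4821 FOLLOW mallory")),
        "unregistered": gw.handle_with_pin(Sms("+15559990000", "hi")),
    }
    return results, alice, bob


if __name__ == "__main__":
    res, alice, bob = demo()
    for name, outcome in res.items():
        print(f"{name:16} -> {outcome}")
    print("alice tweets:", alice.tweets)
    print("bob tweets:", bob.tweets, "following:", bob.following)
```

Running `demo()` shows the two conditions from the advisory side by side: the spoofed message lands as a tweet on Alice's account under both handlers because she never set a PIN, while Bob, who did, is only compromised by the handler that trusts caller ID. The PIN comparison uses `hmac.compare_digest` so a guessing attacker cannot learn anything from response timing, a detail worth keeping in any real implementation of this check.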