Security researchers warn that multifactor authentication on Twitter contains a vulnerability allowing potential account takeover.
The vulnerability comes as Twitter enters its third week under the ownership of Elon Musk, a period during which key security and compliance staff at the company have departed, masses of employees and contractors have been laid off, and cracks have begun to show in the company’s customer-facing technology.
A researcher contacted Information Security Media Group on condition of anonymity to reveal that texting “STOP” to the Twitter verification service results in the service turning off SMS two-factor authentication.
“Your phone has been removed and SMS 2FA has been disabled from all accounts,” is the automated response.
The vulnerability, which ISMG verified, allows an attacker who spoofs the registered phone number to disable two-factor authentication. That potentially exposes accounts to a password reset attack or to account takeover through credential stuffing.
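The design flaw the researcher describes is that an unauthenticated channel (the sender field of an SMS, which carriers do not verify) is allowed to turn off a security control. The following is an added illustration, not Twitter's code and not supplied by the researcher, contrasting a keyword handler that trusts the sender number and removes the factor with one that treats "STOP" purely as a carrier-compliance delivery opt-out and reserves any change to 2FA for an authenticated, step-up-verified session. The `Account`, `Directory` and handler names, and the placeholder phone numbers, are assumptions made for the example.

```python
"""Added example: weak versus hardened handling of an inbound "STOP" SMS.

Assumptions (not from the page): the Account/Directory model, function names
and the placeholder numbers are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    phone: str
    sms_2fa_enabled: bool = True          # the enrolled second factor
    sms_delivery_opted_out: bool = False  # carrier opt-out, not a security state
    audit_log: list = field(default_factory=list)


class Directory:
    """Maps a phone number to every account enrolled with it."""

    def __init__(self, accounts):
        self._by_phone = {}
        for acct in accounts:
            self._by_phone.setdefault(acct.phone, []).append(acct)

    def lookup_by_phone(self, phone):
        return list(self._by_phone.get(phone, []))


def handle_stop_weak(directory, sender_phone):
    """Weak design: the sender field alone decides, and the factor is removed.

    SMS does not authenticate the sender field, so this lets an unauthenticated
    party disable a second factor on every account tied to the number. Returns
    the number of accounts affected.
    """
    affected = directory.lookup_by_phone(sender_phone)
    for acct in affected:
        acct.sms_2fa_enabled = False
        acct.phone = ""
        acct.audit_log.append("sms_2fa_disabled_via_inbound_sms")
    return len(affected)


def handle_stop_hardened(directory, sender_phone):
    """Hardened design: STOP only suspends delivery of codes to the number.

    The factor stays enrolled, so a login still needs a second factor (backup
    code or another enrolled method) instead of collapsing to password-only.
    Returns the number of accounts whose delivery was suspended.
    """
    affected = directory.lookup_by_phone(sender_phone)
    for acct in affected:
        acct.sms_delivery_opted_out = True
        acct.audit_log.append("sms_delivery_opted_out_via_inbound_sms")
    return len(affected)


def disable_sms_2fa_authenticated(acct, session_user_id, recent_2fa_ok):
    """The only path that removes the factor: an authenticated session for the
    same user that has recently passed a second-factor challenge (step-up)."""
    if session_user_id != acct.user_id or not recent_2fa_ok:
        acct.audit_log.append("sms_2fa_disable_denied")
        return False
    acct.sms_2fa_enabled = False
    acct.audit_log.append("sms_2fa_disabled_authenticated")
    return True


def login_requires_second_factor(acct):
    """Whether a password-only login must still pass a second factor."""
    return acct.sms_2fa_enabled


def demo():
    """Same inbound message, both designs; returns (weak_still_protected,
    hardened_still_protected)."""
    weak_acct = Account("u1", "+15550100")   # constructed placeholder number
    hard_acct = Account("u1", "+15550100")
    # Sender field carries the registered number; the service cannot tell
    # whether it is genuine, which is the whole point of the comparison.
    claimed_sender = "+15550100"
    handle_stop_weak(Directory([weak_acct]), claimed_sender)
    handle_stop_hardened(Directory([hard_acct]), claimed_sender)
    return (login_requires_second_factor(weak_acct),
            login_requires_second_factor(hard_acct))


if __name__ == "__main__":
    print(demo())  # (False, True): only the hardened design keeps the factor
```

The distinction worth carrying into any real implementation is that a delivery opt-out and a security downgrade are different operations with different trust requirements: the first can be honoured from an unauthenticated channel because it only stops outbound messages, while the second must be gated on proof that the account owner, not merely someone asserting their phone number, is asking.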