TWITTER'S NEW two-factor authentication feature could be abused to lock users who don't have it enabled out of their accounts if attackers obtain their login credentials, researchers from Finnish antivirus vendor F-Secure say.
The feature, introduced in May, is an optional security measure intended to make it harder For attackers to hijack i^ars’ accounts. If enabled, the feature introduces a second authentication factor in the form of secret codes sent via SMS.
According to Sean Sullivan, a security advisor for F-Secure, attackers could abuse this feature to prolong unauthorized access to those accounts that don’t have two-factor authentication enabled.
When the two-factor authentication option called 'Account Security’ is first enabled on the account settings page, the site asks users if they successfully received a test message sent to their phone. Users can click ‘yes’ even if they didn't receive the message, Sullivan says.
Instead, Twitter should send a confirmation link to the email address associated with the account for the account owner to click in order to verify that two-factor authentication should be enabled, Sullivan says.
At the time of this writing, Twitter had not immediately responded to a request for comment regarding the issue that Sullivan describes.
Twitter probably rushed to release this feature and didn't fully consider all of its aspects, Sullivan says, but he adds that this is likely only the first step; he believes the company will eventually have a solid implementation
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment