The Twitter API contains a private endpoint that can be abused to send arbitrary

1. The Twitter API contains a private endpoint that can be abused to send arbitrary text messages
2. ----------------------------------------------------------------------------------------------
3.  
4. 2015-04-28
5.  
6. 1. get "Twitter for iPhone" consumer tokens, available on the web like here https://gist.github.com/rhenium/3878505
7.  
8. 2. use the XAuth flow https://dev.twitter.com/oauth/xauth to get access tokens valid for some user, say @nst022
9.  
10. 3. POST an OAuth signed request to https://api.twitter.com/1.1/device/register.json with the following parameters:
11.  
12. raw_phone_number: +41764448212
13. text_message: Dahu
14.  
15. where "Dahu" can be an arbitrary message.
16.  
17. 4. the phone number used at point 3 receives a text message that reads "Dahu", plus a code
18.  
19. Here is a 23 seconds video that makes this scenario more visual: https://www.dropbox.com/s/4yzsfi8fnsrm3y5/twitter_api_abuse.mov?dl=0
20.  
21. You can reproduce the very same thing by using, say, STTwitter for OS X https://github.com/nst/STTwitter#demo--test-project
22.  
23. I can see two issues here:
24.  
25. a) this API endpoint can be used to harass people
26.  
27. b) this API endpoint can be used to trick victims into believing that the SMS was sent by Twitter and make them open a malicious URL or follow a malicious process