Archive for April, 2009

Updated F.A.Q

Posted in System notice on April 30th, 2009 by Jym – Be the first to comment

Frequently Asked Questions -> Here

Down-time

Posted in System notice on April 29th, 2009 by Jym – Be the first to comment

There was a technical issue with the gateway between 16:40 and 19:00. Some of your activations/sign-ups or updates may have been affected.

I apologize for any inconvenience caused.

More secure TweetSG sign-up flow

Posted in System notice on April 26th, 2009 by Jym – 1 Comment

Recently Twitter had a couple of security incidents. During 2 days of sign-up down-time due to an OAuth correction by Twitter, I took a good look at my own system and discovered a loophole in the old sign-up flow.

The first step of sign-up redirects the user to the Twitter website to authorize (or click Allow) the TweetSG system. This ensures that the user really owns the Twitter account. Now if all users could be trusted not to attempt anything out of the ordinary, the old sign-up flow was just fine. In fact, it was very convenient to just submit your own number to complete the 2nd step of the sign-up.

Unfortunately, that approach can never ensure that the person who clicks submit is really the owner of that number. One way to ensure that the user who is attempting to join really owns the number is to have the user send an SMS to the system containing a generated activation code.

After putting the new code live, I noticed there were some orphan sign-ups that were unactivated, likely due to mistyping or sending to another number.

For users who sent the activation code but do not see any pop-up message on the sign-up page, please try again and check the code before sending.

It would be too late to change the system only after some cheeky user had successfully hijacked a valid user’s number to link it to some bogus Twitter account. Better to fix it before it even happens.
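The activation-code step described in this post, sketched as an added example (this is not TweetSG's own code). The class and method names, the 8-character code format, the 10-minute expiry and the choice to take the phone number from the sender reported by the SMS gateway are all assumptions.

```python
import secrets
import time

CODE_TTL = 600  # assumed: codes stay valid for 10 minutes
# Assumed alphabet: 0/O/1/I/L are left out to reduce mistyped codes.
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"


class SignupStore:
    """Hypothetical store tying a Twitter account to a phone number."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # activation code -> (twitter_user, expires_at)
        self._linked = {}   # phone number -> twitter_user

    def start_signup(self, twitter_user):
        """Step 1 is done (user clicked Allow); issue the code shown on the page."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        self._pending[code] = (twitter_user, self._now() + CODE_TTL)
        return code

    def purge_expired(self):
        """Drop orphan sign-ups that were never activated; return how many."""
        stale = [c for c, (_, exp) in self._pending.items() if exp <= self._now()]
        for code in stale:
            del self._pending[code]
        return len(stale)

    def on_inbound_sms(self, sender, body):
        """Step 2: the gateway delivers an SMS. The number is taken from the
        gateway-reported sender, never from a value typed into the web form."""
        self.purge_expired()
        code = body.strip().upper()
        if code not in self._pending or sender in self._linked:
            return None  # mistyped, expired, replayed, or number already linked
        twitter_user, _ = self._pending.pop(code)  # single use
        self._linked[sender] = twitter_user
        return twitter_user

    def linked_account(self, phone):
        """What the sign-up page polls to show its pop-up message."""
        return self._linked.get(phone)
```

The check is only as trustworthy as the sender number the gateway reports, so it relies on the gateway passing through the real originating number.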