Researchers were able to impersonate people in a phone's address book (right) and insert spoofed texts into existing text threads. Credit: University of California San Diego
A major security vulnerability that allows attackers to easily fake their identity in smartphone text conversations has been fixed in the United States thanks to a team of computer scientists at the University of California San Diego. The vulnerability affected both Android and Apple smartphones as well as all major wireless carriers, including Verizon, T-Mobile and Google Fi, and smaller independent operators such as Mint Mobile.
Once they discovered the vulnerability, which stems from the ability to send text messages via email, the research team worked closely with smartphone companies and cellular carriers to develop mitigation strategies and fix the issue.
The researchers presented their work at the 47th IEEE Symposium on Security and Privacy from May 18 to 21 in San Francisco.
Most major cellular carriers introduced the option to send text messages via email in the early 2000s as a way to help popularize the new medium. But email messages and text messages have different internal formats and conventions, so carriers have to automatically translate from one message "language" to another. Unfortunately, much can get lost in translation, and attackers can exploit this ambiguity to impersonate senders.










