Security

Twitter says a certain someone tried to discover the phone numbers used by potentially millions of twits

Exploitable API blew away anonymity, abused by systems in Iran, Israel, Malaysia


Twitter has admitted a flaw in its backend systems was exploited to discover the cellphone numbers of potentially millions of twits en masse, which could lead to their de-anonymization.

In an advisory on Monday, the social network noted it had “became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers” on December 24.

That is the same day that security researcher Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers to Twitter's contact upload feature, and match them to usernames.

The feature is supposed to be used by tweeters seeking their friends on Twitters, by uploading their phone's address book. But Twitter seemingly did not fully limit requests to its API, deciding that preventing sequential numbers from being uploaded was sufficiently secure.

It wasn’t, and Twitter now says that, as well as Balic's probing, it “observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia," adding that “it is possible that some of these IP addresses may have ties to state-sponsored actors.”

Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy: not only can you link the identity attached to that number to the identity attached to the username, and potentially fully de-anonymizing someone, you now know which high-value numbers to hijack, via SIM swap attacks, for example, to gain control of accounts secured by SMS or voice-call two-factor authentication.

In other words, this Twitter security hole was a giant intelligence gathering opportunity,

Brexit bad boy Arron Banks' Twitter account hacked: Private messages put online

READ MORE

Twitter says that it initially only saw one person “using a large network of fake accounts to exploit our API and match usernames to phone numbers,” and suspended the accounts. But it soon realized the problem was more widespread: “During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case.”

For what it’s worth Twitter apologized for its self-imposed security cock-up: “We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

It’s worth noting that users who did not add their phone number to their Twitter account or not allow it to be discovered via the API were not affected. Which points to a painfully obvious lesson: don’t trust any company with more personal information than they need to have. ®

Send us news
39 Comments

EU attempt to sneak through new encryption-eroding law slammed by Signal, politicians

If you call 'client-side scanning' something like 'upload moderation,' it still undermines privacy, security

Google's Privacy Sandbox more like a privacy mirage, campaigners claim

Chocolate Factory accused of misleading Chrome browser users

Microsoft answered Congress' questions on security. Now the White House needs to act

Business as usual needs a real change

What's up with Mozilla buying ad firm Anonym? It's all about 'privacy-centric advertising'

Is such a thing possible for an industry that never respected people's wishes?

Adios, accountability: X to hide 'likes' for everyone this week

Hello, blackmail: Posters can still see who liked their stuff even if it's a secret from the rest of the digital town square

Microsoft Research chief scientist has no issue with Windows Recall

As tool emerges to probe OS feature's SQLite-based store of user activities

Biden bans Kaspersky: No more sales, updates in US

Blockade begins July 20 on national security grounds as antivirus slinger vows to fight back

Let's kick off our summer with a pwn-me-by-Wi-Fi bug in Microsoft Windows

Redmond splats dozens of bugs as does Adobe while Arm drivers and PHP under active attack

DuckDuckGo AI Chat promises privacy for bot conversations

There's also an off switch

Arm security defense shattered by speculative execution 95% of the time

'TikTag' security folks find anti-exploit mechanism rather fragile

Google’s attempt to kill off child privacy app advertising lawsuit defeated

Won't somebody pleeease think of the ... oh, right, they are

AWS is pushing ahead with MFA for privileged accounts. What that means for you ...

The clock is ticking – why not try a passkey?