Twitter bug allowed user to match 17 million numbers with actual Twitter accounts


It looks like Twitter may have to do some major security upgrades to its platform (and maybe even its team?) as bug after bug has been exposing its vulnerabilities and its users may eventually be affected if bad actors decide to take advantage of it. After a “malicious code” may have exposed some of its accounts, now a security researcher has exploited a flaw in the app which allowed him to match around 17 million numbers with the Twitter accounts connected to it.

According to Tech Crunch, a security researcher named Ibrahim Balic was able to find this bug on the Twitter app where you can upload lists of generated phone numbers on the contacts upload feature. This will then fetch user data and so eventually you’ll be able to match the number with the connected account of specific people who used their numbers when signing up for their account.

The contact upload feature doesn’t accept sequential phone numbers though and so the numbers he generated, he then had to randomize and upload on the app. This is probably the “safeguard” so people won’t be able to use it for that purpose, but even in the randomization, the end result was the same. In two months, he was able to match records of users from countries like Israel, Turkey, Iran, Greece, Armenia, France and Germany.

Of course, Twitter eventually got wise about this and started blocking his efforts around December 20. A spokesperson said that they will make sure that this bug cannot be exploited again. They also suspended the accounts that used to “inappropriately access people’s personal information”. For his part, Balic used a WhatsApp group to warn people about this vulnerability, although he did not contact Twitter directly for some reason.

This particular bug doesn’t seem to be connected to the other bug that allowed “bad actors” to see your nonpublic account information like Direct Messages, location information, etc. They were able to quash that bug last November but sought to inform users that may have been affected.

via Android Community

December 25, 2019 at 08:14PM