Twitter bug let researcher match 17 MILLION numbers with accounts
In a major case, a security researcher has revealed that a flaw in Twitter's app allowed him to match as many as 17 million numbers to the users of the service. The security issue, he said, only existed in the Android app - not web or iOS version - of the service and was fixed on December 20. Here's all about it.
Matching phone numbers with Twitter user accounts
The bug in question, Ibrahim Balic claimed, opened a way to match numbers with Twitter user accounts and their information. Essentially, he was able to use the contacts upload feature of the Twitter Android app to match millions of numbers with Twitter accounts of users. "If you upload your phone number, it fetches user data in return," Balic told TechCrunch while detailing the flaw.
Balic had to randomize numbers to match them
In his detailed overview of the issue, Balic noted that the contacts upload feature didn't work when he tried uploading a list of numbers in a sequential format - a probable failsafe built to prevent number matching. However, when he generated 2 billion numbers one after the other and randomized them, the app took no time to match them with accounts.
Balic informed vulnerable users via WhatsApp
Balic exploited the issue for about two months and was able to match numbers with users in Israel, Turkey, Iran, Greece, Armenia, France and Germany. In many cases, he even identified high-profile accounts, including those of politicians and government officials. However, instead of informing Twitter about the same, he informed many vulnerable users himself on WhatsApp.
Twitter issued a fix on December 20
The number-matching exploit was finally blocked when Twitter patched the issue and updated its Android app. Notably, on December 20, the microblogging company had alerted users about a bug in its Android app that may have exposed some of their personal information, including location and protected tweets. However, it remains unclear if these were two different issues or just one.
Twitter said it is working to prevent similar exploits
A spokesperson for Twitter said they are working to prevent further exploits of the bug. "Upon learning of this bug, we suspended the accounts used to inappropriately access people's personal information," the representative said. "Protecting the privacy and safety of the people... is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter's APIs."
