Security

Twitter says a certain someone tried to discover the phone numbers used by potentially millions of twits

Exploitable API blew away anonymity, abused by systems in Iran, Israel, Malaysia

By Kieren McCarthy in San Francisco


Twitter has admitted a flaw in its backend systems was exploited to discover the cellphone numbers of potentially millions of twits en masse, which could lead to their de-anonymization.

In an advisory on Monday, the social network said that on December 24 it “became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers.”

That is the same day that security researcher Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by feeding a list of two billion automatically generated phone numbers through Twitter's contact upload feature.

The feature is supposed to be used by tweeters seeking their friends on Twitter, by uploading their phone's address book. But Twitter apparently did not adequately rate-limit requests to the endpoint, deciding instead that rejecting uploads of sequential numbers was sufficient protection.

It wasn’t, and Twitter now says that, as well as Balic's probing, it “observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia," adding that “it is possible that some of these IP addresses may have ties to state-sponsored actors.”
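To make the weakness concrete, here is an added example (not Twitter's code, nor Balic's; the directory, budgets, account names and IP address are all made up for illustration). It simulates a contact-matching endpoint guarded only by a sequential-number check, shows that shuffling a block of generated numbers walks straight past that check, and then puts per-request, per-account and per-source-IP budgets in front of the same lookup so that a network of fake accounts hammering the endpoint from one address is cut off. The `discoverable` flag stands in for the user setting that, per the article, kept some users out of the dataset.

```python
"""Constructed simulation of a contact-upload phone matching endpoint.

Everything here (directory, budgets, names, IPs) is made up for the example;
it is not Twitter's real API or data.
"""
import random
from collections import defaultdict

# Constructed directory: phone number -> (username, discoverable-by-phone).
DIRECTORY = {
    "+15550000123": ("alice", True),
    "+15550004567": ("bob", True),
    "+15550008910": ("carol", False),   # opted out of discovery by phone
}


def is_sequential(numbers):
    """The weak control: reject an upload whose numbers are consecutive."""
    values = [int(n.lstrip("+")) for n in numbers]
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


def lookup(numbers):
    """Resolve numbers to usernames, honouring the discoverability setting."""
    return {n: DIRECTORY[n][0] for n in numbers
            if n in DIRECTORY and DIRECTORY[n][1]}


def match_contacts_weak(numbers):
    """Endpoint guarded only by the sequential check, with no size limit."""
    if is_sequential(numbers):
        raise PermissionError("rejected: sequential number list")
    return lookup(numbers)


def generate_block(prefix, width, seed=0):
    """Attacker side: every number under a prefix, shuffled so consecutive
    entries are no longer adjacent and is_sequential() returns False."""
    nums = [f"{prefix}{i:0{width}d}" for i in range(10 ** width)]
    random.Random(seed).shuffle(nums)
    return nums


class HardenedMatcher:
    """Budgets the weak check lacks: a cap per request, a lifetime cap per
    account, and a cap per source IP so that many fake accounts behind one
    address cannot multiply the per-account budget. Values are made up."""
    MAX_PER_REQUEST = 1000
    MAX_PER_ACCOUNT = 5000
    MAX_PER_IP = 20000

    def __init__(self):
        self.by_account = defaultdict(int)
        self.by_ip = defaultdict(int)

    def match(self, account, ip, numbers):
        n = len(numbers)
        if n > self.MAX_PER_REQUEST:
            raise PermissionError("rejected: upload too large")
        if self.by_account[account] + n > self.MAX_PER_ACCOUNT:
            raise PermissionError(f"rejected: account {account} over budget")
        if self.by_ip[ip] + n > self.MAX_PER_IP:
            raise PermissionError(f"rejected: source {ip} over budget")
        self.by_account[account] += n
        self.by_ip[ip] += n
        return lookup(numbers)


def sweep(matcher, accounts, ip, block, chunk=1000):
    """Attacker rotates fake accounts from one IP against the hardened
    endpoint; returns (numbers accepted, usernames found) before cut-off."""
    accepted, found = 0, {}
    for i in range(0, len(block), chunk):
        account = accounts[(i // chunk) % len(accounts)]
        try:
            found.update(matcher.match(account, ip, block[i:i + chunk]))
        except PermissionError:
            break
        accepted += len(block[i:i + chunk])
    return accepted, found


if __name__ == "__main__":
    block = generate_block("+155500", 5)          # 100,000 numbers, shuffled
    print("sequential?", is_sequential(block))    # False: the weak check passes
    print("weak endpoint:", match_contacts_weak(block))
    fakes = [f"fake{i}" for i in range(10)]
    print("hardened:", sweep(HardenedMatcher(), fakes, "203.0.113.7", block))
```

The weak endpoint hands back every discoverable user in the block in one request; the hardened one stops the same sweep after the per-IP budget is spent, regardless of how many fake accounts are rotated through it. Carol, who opted out of discovery, never appears in either result.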

Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy: not only can you link the identity attached to that number to the identity attached to the username, potentially fully de-anonymizing someone, you now know which high-value numbers to hijack, via SIM swap attacks, for example, to gain control of accounts secured by SMS or voice-call two-factor authentication.

In other words, this Twitter security hole was a giant intelligence gathering opportunity.

Twitter says that it initially only saw one person “using a large network of fake accounts to exploit our API and match usernames to phone numbers,” and suspended the accounts. But it soon realized the problem was more widespread: “During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case.”

For what it’s worth Twitter apologized for its self-imposed security cock-up: “We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

It’s worth noting that users who did not add their phone number to their Twitter account, or who did not allow it to be discovered via the API, were not affected. Which points to a painfully obvious lesson: don’t trust any company with more personal information than it needs to have. ®
