Twitter is one of the most widely used social media platforms in the world. That makes it a prime target for attackers seeking the private information of its users around the world. In the first week of February, the social media platform revealed that its own investigation had found an API vulnerability that allowed miscreants operating fake accounts to match usernames to phone numbers in its database.
Twitter said that a high volume of requests came from IP addresses in different countries and appeared to originate from Iran, Israel, and Malaysia. The hackers are believed to be state-sponsored. The social media platform has already weeded out several accounts after carrying out a thorough investigation.
This vulnerability was first revealed by the cybersecurity researcher Ibrahim Balic in December last year. Balic claimed to have matched a whopping 17 million phone numbers to their accounts by exploiting a flaw in Twitter's Android application. He explained that by using Twitter's contacts upload feature, it was possible to upload entire lists of generated phone numbers and have them matched to accounts. Over a period of two months, the researcher was able to match numbers of users from countries including Israel, Turkey, Iran, Greece, Armenia, France, and Germany to their accounts.
The API endpoint matches numbers to accounts only for users who have enabled the option "Let people who have your phone number find you on Twitter." Users who had not activated this option, or who had no phone number associated with their account, were not exposed to this threat.
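Twitter has not published how it identified the abusive accounts. As an added example (not Twitter's code), the heuristic below flags uploading accounts whose contact lists look like a generated number range rather than a real address book: many uploads, a low match rate, and long runs of consecutive numbers. The log format and the thresholds are assumptions, and the log lines are constructed.

```python
# Added example: heuristic detection of phone-number enumeration through a
# contacts-upload endpoint. Log format and thresholds are assumed, not Twitter's.
from collections import defaultdict

# Constructed sample log: uploading_account,uploaded_number,matched_an_account(1/0)
SAMPLE_LOG = """\
acct_A,+15551230001,0
acct_A,+15551230002,0
acct_A,+15551230003,1
acct_A,+15551230004,0
acct_A,+15551230005,0
acct_A,+15551230006,0
acct_B,+4915112345678,1
acct_B,+33612345678,1
acct_B,+905321234567,0
"""

def parse_log(text):
    """Group (number, matched) pairs by the account that uploaded them."""
    per_account = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        acct, number, matched = line.split(",")
        per_account[acct].append((int(number.lstrip("+")), matched == "1"))
    return per_account

def longest_sequential_run(numbers):
    """Longest run of consecutive integers; generated ranges are dense, address books are not."""
    nums = sorted(set(numbers))
    best = run = 1
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumerators(per_account, min_uploads=5, max_match_rate=0.5, min_run=4):
    """Flag accounts whose uploads are numerous, mostly unmatched (generated
    numbers usually belong to nobody) and sequential. Thresholds are assumed."""
    flagged = {}
    for acct, entries in per_account.items():
        if len(entries) < min_uploads:
            continue
        numbers = [n for n, _ in entries]
        match_rate = sum(1 for _, m in entries if m) / len(entries)
        run = longest_sequential_run(numbers)
        if match_rate <= max_match_rate and run >= min_run:
            flagged[acct] = {"uploads": len(entries),
                             "match_rate": round(match_rate, 2),
                             "longest_run": run}
    return flagged
```

In practice the same signals would be computed over a sliding time window per account and per source IP range, since the abuse here was spread across many fake accounts.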
“During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle,” Twitter alerted its users in a blog post in the first week of February.
It is the latest security breach involving Twitter data. In May 2019, the company admitted sharing location information of its users without their consent. Just three months after that, Twitter said it had accidentally shared more private data with its partners. This was followed by the discovery of another flaw that led to phone numbers users had given for authentication being misused by advertisers.
Twitter said in the blog post that it patched the latest leak and was “sorry” about the security lapse. “We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day. You can reach out to our Office of Data Protection through this form if you have questions,” the blog post read.