Twitter API Flaw Exposed 17 Million Phone Numbers
Posted: December 26, 2019 to News.
Ibrahim Balic, a security researcher, recently exposed a flaw in Twitter's app that allowed to match unique Twitter user accounts with 17 million phone numbers months ago. He was able to accomplish this by uploading large lists of phone numbers by way of Twitter's "Contacts Upload" feature that is available on the social media giant's Android app.
It is interesting to note, too, that the "Contact Upload" feature won't accept the lists when the numbers are in sequential order. He had to generate the numbers by hand, then he randomized them into the app. So it appears that while Twitter did possibly anticipate this could happen, they didn't go far enough in protecting their users. Fortunately, though, this bug only existed in the Android app; it doesn't exist in the web-based "Contact Upload."
He also discovered that if you upload your phone number, Twitter will provide you with user data. The researcher was able to match these records over the course of two months. The data flow was stopped when Twitter finally blocked him on December 20.
Balic has yet to go to Twitter with this finding, but he did contact many of the high-profile users he was able to uncover, via a group text in WhatsApp in order to notify them directly. But Twitter is apparently aware of the problem and they have publicly stated that they are working hard to fix the bug.
Let's hope the fix comes sooner, rather than later.
Need help implementing these strategies?
Our cybersecurity experts can assess your environment and build a tailored plan.
Get Free Assessment
