A security researcher said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter's Android app.
Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter's contacts upload feature. "If you upload your phone number, it fetches user data in return," he told TechCrunch.
He said Twitter's contact upload feature does not accept lists of phone numbers in sequential format, likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the order of the numbers and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)
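The bypass described above works because a check that only rejects numbers arriving in ascending order says nothing about a shuffled list. The following is an added example, not code from TechCrunch or from Twitter, of how a defender could guard a contact-upload endpoint: it sorts before looking for dense blocks of consecutive numbers (so shuffling does not help), and it caps per-upload and cumulative per-account volume. The class name, thresholds and sample numbers are all constructed for illustration.

```python
"""Defender-side checks for a contact-upload (phone-number matching) endpoint.

Hypothetical example: not Twitter's code. Threshold values, the guard's
interface and the sample numbers are constructed for illustration only.
"""
import random
from collections import defaultdict


def looks_ordered_sequential(numbers):
    """Order-sensitive check: flags only when every entry is one more than
    the previous entry in upload order. Shown to illustrate why such a check
    is insufficient on its own: shuffling the list defeats it."""
    return len(numbers) > 1 and all(b == a + 1 for a, b in zip(numbers, numbers[1:]))


def longest_consecutive_run(numbers):
    """Length of the longest run of consecutive integers, independent of
    upload order. Sorting first is what makes this robust to a shuffled list."""
    if not numbers:
        return 0
    uniq = sorted(set(numbers))
    best = run = 1
    for prev, cur in zip(uniq, uniq[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def shuffled(numbers, seed=1):
    """Deterministically shuffled copy of a list (used to build test inputs)."""
    rng = random.Random(seed)
    out = list(numbers)
    rng.shuffle(out)
    return out


class ContactUploadGuard:
    """Per-account volume and density limits on contact uploads.

    Thresholds (constructed): a single upload may not exceed max_per_upload
    numbers, an account may not upload more than max_total_per_account
    numbers in total, and no upload may contain a block of more than
    max_run consecutive numbers.
    """

    def __init__(self, max_per_upload=2000, max_total_per_account=10000, max_run=100):
        self.max_per_upload = max_per_upload
        self.max_total_per_account = max_total_per_account
        self.max_run = max_run
        self.total = defaultdict(int)  # account id -> numbers uploaded so far

    def check(self, account, numbers):
        """Return (allowed, reason) and, if allowed, record the upload."""
        if len(numbers) > self.max_per_upload:
            return False, "upload too large"
        if longest_consecutive_run(numbers) > self.max_run:
            return False, "dense block of consecutive numbers"
        if self.total[account] + len(numbers) > self.max_total_per_account:
            return False, "account upload volume exceeded"
        self.total[account] += len(numbers)
        return True, "ok"


def simulate_bulk_upload(guard, account, batches, batch_size, stride=7919):
    """Test harness: feed `batches` uploads of `batch_size` spread-out numbers
    (spaced by `stride`, so the density check never fires) and return how
    many uploads were accepted before the cumulative volume limit stopped them."""
    accepted = 0
    base = 9_000_000_000  # constructed base for fake numbers
    for b in range(batches):
        nums = [base + (b * batch_size + i) * stride for i in range(batch_size)]
        ok, _ = guard.check(account, nums)
        if not ok:
            break
        accepted += 1
    return accepted
```

The volume limit is the check that matters most here: once the density check is defeated by spacing numbers out, only a per-account cap (or a match-rate anomaly signal, which this example does not model) bounds how many lookups a single account can perform.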
Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, but stopped after Twitter blocked the effort on December 20.
Balic provided TechCrunch with a sample of the phone numbers he matched. Using the site's password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided.
In one case, TechCrunch was able to identify a senior Israeli politician using their matched phone number.
While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users, including politicians and officials, to a WhatsApp group in an effort to warn users directly.
It is not believed Balic's efforts are related to a Twitter blog post published this week, which confirmed a bug could have allowed "a bad actor to see nonpublic account information or to control your account," such as tweets, direct messages and location information.
A Twitter spokesperson told TechCrunch the company was working to "ensure this bug cannot be exploited again."
"Upon learning of this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter's APIs," the spokesperson said.
It is the latest security lapse involving Twitter data in the past year. In May, Twitter admitted it gave account location data to one of its partners, even when the user had opted out of having their data shared. In August, the company said it inadvertently gave its ad partners more data than it should have. And just last month, Twitter confirmed it used phone numbers provided by users for two-factor authentication to serve targeted ads.
Balic is previously known for identifying a security flaw that led to a breach of Apple's developer center in 2013.