A security researcher says he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter's Android app.
Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter's contacts upload feature. "If you upload your phone number, it fetches user data in return," he told TechCrunch.
He said Twitter's contact upload feature does not accept lists of phone numbers in sequential format, likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)
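The enumeration described above, as an added example that is not the article's, Balic's or Twitter's code: a toy model of generating a numbering block, shuffling it so that no upload batch looks sequential, and two server-side checks, a naive sequential filter and a per-account volume check. Twitter's real endpoint, batch limits and checks are not known from the article, so the prefix, block size, batch size, the 2% registration density and the thresholds in `rejects_sequential` and `volume_check` are all constructed assumptions.

```python
import random

# Constructed parameters; none of these reflect Twitter's real endpoint,
# batch limits or user base.
PREFIX = "+90555"      # hypothetical prefix, chosen at random for the toy
BLOCK_SIZE = 100_000   # numbers in the block (the article's run used >2 billion)
BATCH_SIZE = 100       # assumed numbers per contact-upload request


def generate_candidates(prefix=PREFIX, block_size=BLOCK_SIZE):
    """Step 1: every number in the block, generated one after the other."""
    return [f"{prefix}{n:05d}" for n in range(block_size)]


def randomized_batches(numbers, batch_size=BATCH_SIZE, seed=1):
    """Step 2: shuffle the whole block first, then cut it into upload batches,
    so each batch is a sparse random sample of the block rather than a run."""
    shuffled = list(numbers)
    random.Random(seed).shuffle(shuffled)
    return [shuffled[i:i + batch_size] for i in range(0, len(shuffled), batch_size)]


def rejects_sequential(batch):
    """Assumed naive server-side filter: refuse a batch whose numbers, once
    sorted, form an unbroken run. The article says Twitter rejected sequential
    lists; the exact check it used is not known, so this is a stand-in."""
    if len(batch) < 2:
        return False
    vals = sorted(int(n) for n in batch)   # int() accepts the leading '+'
    return all(b - a == 1 for a, b in zip(vals, vals[1:]))


def build_directory(candidates, density=0.02, seed=2):
    """Constructed set of 'registered' numbers: an assumed 2% of the block."""
    rng = random.Random(seed)
    return {n for n in candidates if rng.random() < density}


def lookup(batch, directory):
    """Server-side matching: the uploaded numbers that resolve to an account."""
    return [n for n in batch if n in directory]


def run_enumeration(batches, directory):
    """Upload every batch the naive filter lets through; return
    (numbers uploaded, numbers that resolved to an account)."""
    uploaded = matched = 0
    for batch in batches:
        if rejects_sequential(batch):
            continue
        uploaded += len(batch)
        matched += len(lookup(batch, directory))
    return uploaded, matched


def volume_check(uploaded, matched, max_contacts=5_000, min_match_rate=0.10):
    """Assumed per-account check on behaviour over time rather than on the
    shape of one batch: a real address book holds a few hundred entries and
    most of them resolve; an enumerator uploads orders of magnitude more and
    only a sliver resolves. Thresholds are illustrative."""
    rate = matched / uploaded if uploaded else 0.0
    return uploaded > max_contacts or rate < min_match_rate


if __name__ == "__main__":
    candidates = generate_candidates()
    directory = build_directory(candidates)
    print("sequential batch rejected:", rejects_sequential(candidates[:BATCH_SIZE]))
    batches = randomized_batches(candidates)
    uploaded, matched = run_enumeration(batches, directory)
    print(f"shuffled: uploaded {uploaded}, matched {matched}, "
          f"flagged by volume check: {volume_check(uploaded, matched)}")
    # A genuine address book: 300 contacts, most of whom have accounts.
    book = random.Random(3).sample(sorted(directory), 250) + candidates[:50]
    print("genuine user flagged:", volume_check(len(book), len(lookup(book, directory))))
```

The point the toy makes is that a filter looking at the shape of a single batch is defeated by shuffling the candidate space before batching, while a check that accumulates uploads and match rate per account over time separates an enumerator from an ordinary user who syncs an address book.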
Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, but stopped after Twitter blocked the effort on December 20.
Balic provided TechCrunch with a sample of the phone numbers he matched. Using the site's password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided.
In one case, TechCrunch was able to identify a senior Israeli politician using their matched phone number.
While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users, including politicians and officials, to a WhatsApp group in an effort to warn users directly.
It is not believed Balic's efforts are related to a Twitter blog post published this week, which confirmed a bug could have allowed "a bad actor to see nonpublic account information or to control your account," such as tweets, direct messages and location information.
A Twitter spokesperson told TechCrunch the company was working to "ensure this bug cannot be exploited again."
"Upon learning of this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter's APIs," the spokesperson said.
It is the latest security lapse involving Twitter data in the past year. In May, Twitter admitted it gave account location data to one of its partners, even if the user had opted out of having their data shared. In August, the company said it inadvertently gave its ad partners more data than it should have. And just last month, Twitter confirmed it used phone numbers provided by users for two-factor authentication for serving targeted ads.
Balic is previously known for identifying a security flaw that affected Apple's developer center in 2013.