Twitter Bug On Android Allowed Researcher To Match 17 Million Phone Numbers With Accounts

A security researcher said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter’s Android app. Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter’s contacts upload feature.
He explained that “If you upload your phone number, it fetches user data in return.” He also noted that Twitter’s contact upload feature doesn’t accept lists of phone numbers in sequential format — likely as a way to prevent this kind of matching.

He generated more than two billion phone numbers, one after the other, then randomized the numbers and uploaded them to Twitter through the Android app.
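The bypass described above works because a sequential-order check is defeated by shuffling. An order-independent check of the kind a contact-upload endpoint would want is shown below as an added illustration (not Twitter’s code); the thresholds, account names and sample numbers are constructed assumptions.

```python
import random
from collections import defaultdict

# Illustrative thresholds (assumptions, not Twitter's real limits).
MAX_CONTACTS_PER_UPLOAD = 5_000   # a genuine address book is smaller than this
MAX_DENSITY = 0.01                # distinct numbers per unit of number-space
MAX_SMALL_GAP_FRACTION = 0.20     # share of sorted neighbours within SMALL_GAP
SMALL_GAP = 100
LIFETIME_UPLOAD_BUDGET = 50_000   # cumulative numbers one account may upload

def enumeration_score(numbers: list[int]) -> dict:
    """Range statistics that are unchanged by shuffling the upload order, so a
    generated block of numbers looks the same randomized or not. A company's
    block of consecutive lines can look similar: treat a hit as a reason to
    rate-limit and review, not as proof of abuse."""
    uniq = sorted(set(numbers))
    if len(uniq) < 2:
        return {"count": len(uniq), "density": 0.0, "small_gap_fraction": 0.0}
    gaps = [b - a for a, b in zip(uniq, uniq[1:])]
    return {
        "count": len(uniq),
        "density": len(uniq) / (uniq[-1] - uniq[0] + 1),
        "small_gap_fraction": sum(g <= SMALL_GAP for g in gaps) / len(gaps),
    }

class UploadGuard:
    """Per-account guard: reject a batch that is range-like, or one that pushes
    the account past its lifetime budget. Sparse random samples drawn from a
    generated range evade the density test but not the budget."""

    def __init__(self) -> None:
        self.uploaded: dict[str, int] = defaultdict(int)

    def allow(self, account: str, numbers: list[int]) -> bool:
        s = enumeration_score(numbers)
        if (s["count"] > MAX_CONTACTS_PER_UPLOAD or s["density"] > MAX_DENSITY
                or s["small_gap_fraction"] > MAX_SMALL_GAP_FRACTION):
            return False
        if self.uploaded[account] + s["count"] > LIFETIME_UPLOAD_BUDGET:
            return False
        self.uploaded[account] += s["count"]
        return True

# Constructed samples (not real numbers): a spread-out address book, and a
# consecutive generated block shuffled before upload, as in the article.
SAMPLE_ADDRESS_BOOK = [905_000_000_000 + i * 24_999_973 for i in range(40)]
SAMPLE_ENUMERATION_BATCH = [905_300_000_000 + i for i in range(2_000)]
random.Random(0).shuffle(SAMPLE_ENUMERATION_BATCH)
```

A rejected batch should be answered with an error rather than with the matched accounts, and the rejecting client rate-limited.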

Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany over a two-month period, but stopped after Twitter blocked the effort on December 20.

While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users — including politicians and officials — to a WhatsApp group in an effort to warn users directly.

It’s not believed Balic’s efforts are related to a Twitter blog post that was published this week, which confirmed a bug could have allowed “a bad actor to see nonpublic account information or to control your account,” such as tweets, direct messages, and location information.
A Twitter spokesperson said the company was working to “ensure this bug cannot be exploited again. Upon learning of this bug, we suspended the accounts used to inappropriately access people’s personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from the use of Twitter’s APIs.”

The company admitted it gave account location data to one of its partners in May, even if the user had opted out of having their data shared.

Twitter said in August that it inadvertently gave its ad partners more data than it should have. And just last month, Twitter confirmed it used phone numbers provided by users for two-factor authentication for serving targeted ads.

Source Link: https://www.gadgetsnow.com/tech-news/twitter-bug-allowed-to-match-17-million-phone-numbers-with-users-research/articleshow/72964821.cms
