Tech companies and social media giants have all had a bad year when it comes to security scandals and data breaches. Now Twitter is faced with another scandal where a researcher claimed that a Twitter bug allowed him to match 17 million phone numbers to user accounts by exploiting a vulnerability in Twitter’s Android app.
According to the researcher, these phone numbers included those of many high-profile politicians and officials. The researcher, Ibrahim Balic, lives in London and works as a software developer. Balic revealed to TechCrunch that it was possible to upload a list of generated phone numbers through Twitter’s contact upload feature. Balic told TechCrunch:
“If you upload your phone number, it fetches user data in return.”
According to the researcher, Twitter normally does not accept phone numbers in sequential order, presumably to prevent exactly this kind of matching. To get around that, he generated more than two billion phone numbers, randomized their order, and uploaded them to Twitter through the Android app. According to him, the bug was not present in the web-based contact upload feature; it affected only the Android app.
According to Balic, Twitter fixed the bug by December 20th, but by then he had already matched phone numbers belonging to users in Turkey, Israel, Iran, Greece, Armenia, France and Germany.
Based on the TechCrunch report, the researcher provided them with a sample of the matched phone numbers, and TechCrunch was able to verify his claim by checking a random selection of the usernames against those numbers through the site’s password reset feature.
Balic did, however, use a WhatsApp group to warn users directly, including the high-profile politicians whose numbers he was able to match. He did not alert Twitter about the security bug.
A Twitter spokesperson told TechCrunch that the company is making sure this bug cannot be exploited again, saying:
“Upon learning of this bug, we suspended the accounts used to inappropriately access people’s personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter’s APIs.”
Twitter has had a bad year with security issues and data leaks. Just a few months ago, Twitter admitted that it had given its ad partners more information than it should have, confirming that location data was shared with them. Twitter then admitted to having used phone numbers that users had provided to serve targeted ads. Also, just recently, Twitter published a blog post saying that a bug in its Android app could have given a “bad actor” access to users’ private data if it had been exploited. You can read the complete details about this in our report.