A security researcher confirmed he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter’s Android app.
Ibrahim Balic discovered that it was possible to upload entire lists of generated phone numbers through Twitter’s contacts upload feature. He said, “If you upload your phone number, it fetches user data in return.”
How Did He Find the Bug?
The researcher pointed out that Twitter’s contact upload feature rejects lists of phone numbers in sequential order, a measure intended to prevent exactly this kind of matching.
To get around this, he generated more than two billion phone numbers in sequence, randomized their order, and uploaded them to Twitter through the Android app. Balic said the bug did not exist in the web-based upload feature.
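As an added illustration (constructed for this page, not Twitter’s code), the following Python sketch shows why a check that only rejects sequentially ordered numbers, like the one described above, is bypassed by shuffling, and how a per-account cap on the number of distinct numbers looked up catches the same randomized upload. The phone-number range, thresholds and account id are made up.

```python
import random
from collections import defaultdict

def is_sequential(numbers, min_run=5):
    """Pattern check of the kind the article describes: flags a batch only
    if it contains min_run phone numbers in consecutive order."""
    run = 1
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur - prev == 1 else 1
        if run >= min_run:
            return True
    return False

class UploadQuota:
    """Volume check that ignores ordering: caps the number of distinct phone
    numbers one account may submit for matching. Real address books hold
    hundreds of entries; an enumeration run submits millions."""
    def __init__(self, max_distinct=5000):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)  # account id -> numbers already submitted

    def check(self, account, numbers):
        """Return 'ok' or 'blocked'; a blocked account gets no match data back."""
        self.seen[account].update(numbers)
        return "blocked" if len(self.seen[account]) > self.max_distinct else "ok"

def simulate():
    """Run both checks over one constructed block of 20,000 fake numbers,
    first in sequential order and then shuffled (fixed seed, deterministic)."""
    block = list(range(15550000000, 15550020000))  # constructed +1-555 range
    shuffled = block[:]
    random.Random(0).shuffle(shuffled)
    quota = UploadQuota(max_distinct=5000)
    # Hypothetical account id; the shuffled numbers are submitted in batches of 1,000.
    verdicts = [quota.check("acct-A", shuffled[i:i + 1000])
                for i in range(0, len(shuffled), 1000)]
    return {
        "sequential_flagged": is_sequential(block),    # True
        "shuffled_flagged": is_sequential(shuffled),   # False: pattern check bypassed
        "quota_verdicts": verdicts,                    # 5 x 'ok', then 15 x 'blocked'
    }

if __name__ == "__main__":
    print(simulate())
```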
Balic said he matched records from users in Israel, Iran, Turkey, Armenia, Greece, France, and Germany over a month. He had to stop after Twitter blocked the effort on December 20.
Balic provided TechCrunch with a sample of the phone numbers he matched. TechCrunch verified his findings by running a random selection of the provided phone numbers through the site’s password reset feature and comparing the resulting usernames. In one case, TechCrunch identified a senior Israeli politician using their matched phone number.
In an effort to warn users directly, Balic added many of the matched phone numbers of high-profile Twitter users, including politicians and officials, to a WhatsApp group. He did not, however, alert Twitter about the vulnerability.
Balic’s efforts are not believed to be related to a Twitter blog post published this week, which confirmed a bug that could have allowed “a bad actor to see nonpublic account information or to control your account such as tweets, direct messages, and location information.”
Words from Twitter
According to TechCrunch, a Twitter spokesperson said the company was working to “ensure this bug cannot be exploited again.”
The spokesperson said, “Upon learning of this bug, we suspended the accounts used to inappropriately access people’s personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from the use of Twitter’s APIs.”
This is the latest security lapse involving Twitter data in the past year. In May, Twitter admitted it had given account location data to one of its partners even though the user had opted out of having their data shared. In August, the company said it had negligently given its ad partners more data than it should have. Just last month, Twitter confirmed it had used phone numbers provided by users for two-factor authentication to serve targeted ads.
Balic was previously known for identifying, in 2013, a security flaw that affected Apple’s developer center.