Twitter’s Admission Bad Actors Accessed Phone Numbers Of Countless Users

By Martin Cole

Twitter has shamefully admitted that a flaw in its backend systems was exploited to discover the cellphone numbers of potentially millions of Twitter users.

In an advisory on Monday, the social network said that on December 24 it “became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers”. That same Christmas Eve, Ibrahim Balic revealed he had matched 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers through Twitter’s contact upload feature and matching them to usernames.

Twitter admitted it observed “a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” adding that “it is possible that some of these IP addresses may have ties to state-sponsored actors.”

The giant social media company said that on December 24, 2019 it became aware that someone was using a large network of fake accounts to exploit its API and match usernames to phone numbers. It swiftly suspended those accounts and said it was disclosing the details of its investigation because it believes it is important that the public is aware of what happened and how it was fixed. Twitter said:

“During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviours, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.

When used as intended, this endpoint makes it easier for new account holders to find people they may already know on Twitter. The endpoint matches phone numbers to Twitter accounts for those people who have enabled the “Let people who have your phone number find you on Twitter” option and who have a phone number associated with their Twitter account. People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability.

After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint.”
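As an added illustration of the defensive side of this incident (not Twitter’s code or data), the following Python profiles constructed contact-upload log lines per source IP and flags the pattern the advisory describes: several accounts behind one IP submitting far more numbers than any real address book holds, with almost no matches. The endpoint, log format and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real Twitter data); one line per call to a
# hypothetical contact-upload endpoint:
# timestamp source_ip account_id numbers_submitted matches_returned
SAMPLE_LOG = """\
2019-12-24T01:00:00Z 198.51.100.7 acct_1001 50000 3
2019-12-24T01:00:05Z 198.51.100.7 acct_1002 50000 2
2019-12-24T01:00:09Z 198.51.100.7 acct_1003 50000 4
2019-12-24T01:00:14Z 198.51.100.7 acct_1004 50000 1
2019-12-24T09:12:44Z 203.0.113.20 acct_2200 120 35
2019-12-24T09:40:02Z 203.0.113.21 acct_2201 80 12
"""

def parse_log(text):
    """Parse the whitespace-separated log text into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, submitted, matched = line.split()
        records.append({"ts": ts, "ip": ip, "account": account,
                        "submitted": int(submitted), "matched": int(matched)})
    return records

def profile_by_ip(records):
    """Aggregate numbers submitted, matches and distinct accounts per source IP."""
    profiles = defaultdict(lambda: {"submitted": 0, "matched": 0, "accounts": set()})
    for r in records:
        p = profiles[r["ip"]]
        p["submitted"] += r["submitted"]
        p["matched"] += r["matched"]
        p["accounts"].add(r["account"])
    return profiles

def flag_enumeration(profiles, max_submitted=100_000, max_accounts=3, min_match_rate=0.05):
    """Return {ip: [reasons]} for IPs whose uploads look like enumeration rather than
    address-book sync: more numbers than a contact list holds, several accounts behind
    one IP, and a near-zero match rate. Thresholds are illustrative assumptions."""
    flagged = {}
    for ip, p in profiles.items():
        reasons = []
        if p["submitted"] > max_submitted:
            reasons.append(f"{p['submitted']} numbers submitted (> {max_submitted})")
        rate = p["matched"] / p["submitted"] if p["submitted"] else 0.0
        if len(p["accounts"]) > max_accounts and rate < min_match_rate:
            reasons.append(f"{len(p['accounts'])} accounts, match rate {rate:.5f}")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Running `flag_enumeration(profile_by_ip(parse_log(SAMPLE_LOG)))` on the constructed log flags only 198.51.100.7, on both the volume and the accounts-per-IP rule.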
