Today, Twitter released a statement that says the platform has suspended “a large network of fake accounts,” as well as many others “located in a wide range of countries,” for abusing an API feature that allowed them to match phone numbers to usernames.
Here's the official tweet.
We recently discovered an issue that allowed bad actors to match a specific phone number with the corresponding accounts on Twitter. We quickly corrected this issue and are sorry this happened. You can learn more about our investigation here: https://t.co/Z6Q4geQ8jo
— Twitter Support (@TwitterSupport) February 3, 2020
“We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” the Twitter security bulletin says. “It is possible that some of these IP addresses may have ties to state-sponsored actors,” the post continued.
TechCrunch previously reported this same issue on December 24, which is also the day Twitter says that it “became aware” that the abuse was taking place, writes Devin Coldewey at TechCrunch.
Security researcher Ibrahim Balic found that a bug in Twitter’s Android app let him submit millions of phone numbers through an official API, which returned any associated user account.
Excerpt from today's TechCrunch report:
The feature is intended, if you have enabled it, to let friends who have your number look up your Twitter handle. But obviously submitting millions of numbers goes “beyond its intended use case.”
If you had turned this feature off, you weren’t affected by this bug. Fortunately for users in the EU this was opt-in there. But for the rest of the world it’s opt-out — so if you had a phone number associated with your account, you may have been affected.
Furthermore, the phone numbers include those provided for purposes of two-factor authentication, so those outside the EU may have been vulnerable to this exploit without realizing it.
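The abuse pattern the report describes, bulk submission of phone numbers to a contact-discovery endpoint far beyond the size of any one address book, is visible server-side as request volume per source IP. The following detector is an added example, not Twitter's code; the log format, endpoint path and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample request log (hypothetical format, not Twitter's real log schema):
# timestamp  client-ip  method  path  batch=<phone numbers submitted in this call>
SAMPLE_LOG = """\
2019-12-24T10:00:01Z 203.0.113.5 POST /contacts/lookup batch=3
2019-12-24T10:03:40Z 203.0.113.5 POST /contacts/lookup batch=2
2019-12-24T10:00:00Z 198.51.100.7 POST /contacts/lookup batch=500
2019-12-24T10:00:02Z 198.51.100.7 POST /contacts/lookup batch=500
2019-12-24T10:00:04Z 198.51.100.7 POST /contacts/lookup batch=500
2019-12-24T10:00:06Z 198.51.100.7 POST /contacts/lookup batch=500
2019-12-24T10:00:08Z 198.51.100.7 POST /contacts/lookup batch=500
2019-12-24T11:30:00Z 192.0.2.9 POST /contacts/lookup batch=900
"""

LINE_RE = re.compile(r"^(\S+) (\S+) POST /contacts/lookup batch=(\d+)$")


def parse_log(text):
    """Yield (timestamp, ip, batch_size) for each well-formed lookup line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), int(m.group(3))


def find_enumerators(text, window=timedelta(minutes=10), max_numbers=1000):
    """Return {ip: peak numbers submitted within any sliding window} for IPs over the limit.

    A genuine contact sync uploads one address book once; a client that keeps
    pushing full batches is sweeping the number space, not finding friends.
    """
    per_ip = defaultdict(list)
    for ts, ip, n in parse_log(text):
        per_ip[ip].append((ts, n))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        peak, total, start = 0, 0, 0
        for ts, n in events:
            total += n
            while ts - events[start][0] > window:  # drop events outside the window
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak > max_numbers:
            flagged[ip] = peak
    return flagged
```

Only the address sweeping 2,500 numbers in a few seconds is flagged at the default threshold; the single 900-number upload from 192.0.2.9 stays under it, which is the kind of large-but-plausible sync the threshold should tolerate.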
Twitter has really hashed up this disclosure. No wonder initial reports got this wrong. Twitter still needs to explain its attribution here.
My @TechCrunch colleague, who isn't on Twitter (lucky him) has an accurate understanding of what went on. https://t.co/rwzPLqnhVc
— Zack Whittaker (@zackwhittaker) February 3, 2020
Twitter’s & @jack’s stunning failure to protect users’ privacy is a matter of life & death for human rights advocates & journalists around the world. Twitter must urgently notify those compromised by these attacks—their safety & freedom could be at immediate risk. https://t.co/NVhPObRTEf
— Richard Blumenthal (@SenBlumenthal) February 4, 2020
This could mean many Iranian users were at risk:
twitter says some ppl were using large network of fake acc's to exploit its API & match usernames to phone numbers- high vol of such requests coming from addresses in Iran, Israel, & Malaysia, w/ possible ties to state-sponsored actors. https://t.co/TAjKs1dMeR
— Hadi Nili (@HadiNili) February 3, 2020
"bad actors" – any of them got a blue tick on here….? https://t.co/5sEI6y11yT
— Trailer Swift (@Ninjamoose69) February 4, 2020
I don't understand. The attack worked only against users who configured accounts to be matched to their phone number. That means these users chose to allow people to match phone numbers to accounts, right? If so, how is this an attack? What am I missing? https://t.co/uoHopZHtoi
— Dan Goodin (@dangoodin001) February 4, 2020
Twitter data breach. Only potentially impacted when you have the option “let people who have your phone number find you…” enabled and your phone number set in Twitter. Remove your phone number, better safe than sorry! it’s not needed anymore for 2FA anyway #Infosec #GDPR https://t.co/K9v0u1COrr
— John Opdenakker (@j_opdenakker) February 3, 2020
😐
There now probably exists somewhere a list of phone numbers and account usernames. This puts 2FA security at risk for all those accounts.
Make sure your 2FA is secured via third party authorization app, not via text message https://t.co/wFDex9qxaq
— TJ Smith (@tjsmith) February 3, 2020
Just about everyone who demands a phone number ends up misusing it. https://t.co/D8Pf93JNuQ
— Emin Gün Sirer (@el33th4xor) February 3, 2020
A little surprised it took more than a month to disclose this but if you read my story back in December, you know this already. https://t.co/2PeaeZCugZ https://t.co/uFg8Y5tVQ6
— Zack Whittaker (@zackwhittaker) February 3, 2020