Confirming the December 2019 leak of user phone numbers via its API, Twitter has published a blog post stating that the API could have been used to expose user data and phone numbers, in what the company speculates to be a ‘state sponsored’ attack.
Back in December 2019, Twitter found that “someone” was using a large network of fake accounts to exploit its API and match usernames to phone numbers. This came after security researcher Ibrahim Balic uncovered the bug. Balic generated random mobile numbers, fed them into Twitter’s contact-matching feature and received back the accounts registered to those numbers. By his estimate, he matched 17 million phone numbers to specific Twitter user accounts. He did not report the issue to Twitter; instead, he added the phone numbers of high-profile Twitter users – such as politicians and officials – to a WhatsApp group in order to warn the affected people directly.
During its investigation, Twitter found other accounts that may have been using the same method to map accounts to mobile numbers. While these accounts were spread across many geographical locations, a large share of the requests came from individual IP addresses located in Iran, Israel and Malaysia. The company suspects that some of these IP addresses may have ties to state-sponsored actors, and has chosen to say so publicly, both so that users can take precautions and as a matter of principle.
The company also reported that anyone who had not turned on the “Let people who have your phone number find you on Twitter” option, or who did not have a phone number associated with their account, was not exposed to this vulnerability.
Lastly, the company said that it has fixed the vulnerability by making a number of changes to this endpoint so that it no longer returns specific account names in response to queries. It also reported that it has suspended every account it believes to have been exploiting the endpoint.
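The abuse pattern described above (random numbers submitted through a contact-matching endpoint by many fake accounts, concentrated on a few source IPs) is detectable from the service's own request logs, because a real address-book sync mostly hits numbers belonging to people the user knows, while random probing mostly misses. The following added example, which is not Twitter's code and assumes a hypothetical log format for a "find friends by phone number" endpoint, flags callers and source IPs that query many distinct numbers with a low match rate:

```python
from collections import defaultdict

# Constructed sample log for a hypothetical "find friends by phone number" endpoint.
# Fields: timestamp, calling account, source IP, phone number queried, match (1/0).
SAMPLE_LOG = """\
2019-12-24T10:00:01Z acct_1001 198.51.100.7 +15550001 1
2019-12-24T10:00:01Z acct_1001 198.51.100.7 +15550002 1
2019-12-24T10:00:01Z acct_1001 198.51.100.7 +15550003 0
2019-12-24T10:00:05Z acct_9001 203.0.113.9 +15551111 0
2019-12-24T10:00:05Z acct_9001 203.0.113.9 +15551112 0
2019-12-24T10:00:05Z acct_9001 203.0.113.9 +15551113 1
2019-12-24T10:00:05Z acct_9001 203.0.113.9 +15551114 0
2019-12-24T10:00:05Z acct_9001 203.0.113.9 +15551115 0
2019-12-24T10:00:06Z acct_9002 203.0.113.9 +15551116 0
2019-12-24T10:00:06Z acct_9002 203.0.113.9 +15551117 0
2019-12-24T10:00:06Z acct_9002 203.0.113.9 +15551118 0
2019-12-24T10:00:06Z acct_9002 203.0.113.9 +15551119 1
2019-12-24T10:00:06Z acct_9002 203.0.113.9 +15551120 0
"""

def parse_log(text):
    """Parse the constructed log format above (an assumed format, not Twitter's)."""
    rows = []
    for line in text.splitlines():
        ts, acct, ip, phone, matched = line.split()
        rows.append({"ts": ts, "acct": acct, "ip": ip, "phone": phone, "matched": matched == "1"})
    return rows

def find_enumerators(rows, min_distinct=5, max_hit_rate=0.5):
    """Flag accounts and source IPs that query many distinct numbers with a low hit rate.
    Keying on both account and IP catches a fake-account network that spreads a
    probing run over many accounts but funnels it through a few IPs."""
    stats = defaultdict(lambda: {"phones": set(), "hits": 0, "total": 0})
    for r in rows:
        for key in (("acct", r["acct"]), ("ip", r["ip"])):
            s = stats[key]
            s["phones"].add(r["phone"])
            s["total"] += 1
            s["hits"] += int(r["matched"])
    flagged = {}
    for key, s in stats.items():
        hit_rate = s["hits"] / s["total"]
        if len(s["phones"]) >= min_distinct and hit_rate <= max_hit_rate:
            flagged[key] = {"distinct_phones": len(s["phones"]), "hit_rate": round(hit_rate, 2)}
    return flagged

if __name__ == "__main__":
    for key, info in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(key, info)
```

On the constructed log, the genuine sync by acct_1001 passes, while both fake accounts and their shared source IP 203.0.113.9 are flagged; thresholds are assumptions and would be tuned against real traffic.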
The company also wrote in the blog post, “We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
This is not the only bad news coming from the company. Twitter has surprisingly decided it will allow certain right-wing accounts to spread misinformation about the Iowa Democratic Caucuses, including tweets that suggest the results are being “rigged.”