Posted on December 26, 2019 at 11:00 AM
Twitter has come under scrutiny again, as hackers recently exploited a vulnerability that matched more than 17 million phone numbers with their users. With this latest development, there seems to be no end to Twitter's vulnerability and bug problems.
Following the discovery of a bug in the app six days earlier, Twitter had asked its users to update the app as soon as possible.
That vulnerability gave hackers access to private information. It even allowed them to control some aspects of users' accounts, including sending DMs and tweets.
Now a second issue has affected millions of user accounts and phone numbers. This time, security researchers found that the accounts of 17 million Twitter users were exposed because hackers were able to match those accounts to their phone numbers.
How the vulnerability was discovered
Ibrahim Balic, a security researcher, said earlier that Twitter's contact upload feature allowed an entire list of phone numbers to be uploaded through the Twitter app. He reported that once a user uploads a phone number, the app automatically returns the user data associated with that number.
From Balic's observation, Twitter's contact upload feature rejects lists of phone numbers in sequential order; this is a security check meant to prevent bulk matching of phone numbers to accounts. To prove his findings, he uploaded randomly generated phone numbers to Twitter's app.
According to the report, the researcher obtained records of phone numbers belonging to users in Germany, France, Armenia, Greece, Iran, Turkey and Israel, and matched these numbers to their respective accounts. He kept matching numbers for about two months before Twitter blocked him this month.
Balic also provided samples of the phone numbers he was able to match as confirmation. Twitter verified his report by cross-checking those numbers against the random selection of usernames the researcher provided, and it turned out he was right.
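The only safeguard the article mentions is the rejection of sequential number lists, which randomly generated numbers slip past. As an added example (not Twitter's code), the review below combines that sequential check with three further signals a defender would want on a contact-upload endpoint: list volume, match rate, and the spread of country codes. The thresholds and the three sample uploads are constructed assumptions.

```python
import random
from collections import Counter

# Calling codes for the countries named in the article (plus the US), used only to classify samples.
COUNTRY_CODES = {"1": "US", "30": "GR", "33": "FR", "49": "DE",
                 "90": "TR", "98": "IR", "374": "AM", "972": "IL"}

def country_of(number: str) -> str:
    """Map an E.164 number such as '+4915...' to a country label ('other' if unknown)."""
    digits = number.lstrip("+")
    for width in (3, 2, 1):                      # longest prefix wins
        if digits[:width] in COUNTRY_CODES:
            return COUNTRY_CODES[digits[:width]]
    return "other"

def is_sequential(numbers) -> bool:
    """The check the article says already exists: every number follows the previous one."""
    ints = sorted(int(n.lstrip("+")) for n in numbers)
    return len(ints) > 1 and all(b - a == 1 for a, b in zip(ints, ints[1:]))

def review_upload(numbers, matched, *, max_numbers=5000, max_countries=3, min_match_rate=0.2):
    """Reasons to throttle this upload; empty means it looks like a real address book (thresholds assumed)."""
    reasons = []
    if is_sequential(numbers):
        reasons.append("sequential numbers")
    if len(numbers) > max_numbers:
        reasons.append(f"volume {len(numbers)} > {max_numbers}")
    spread = len(Counter(country_of(n) for n in numbers))
    if spread > max_countries:
        reasons.append(f"{spread} country codes > {max_countries}")
    rate = matched / len(numbers) if numbers else 0.0
    if len(numbers) >= 100 and rate < min_match_rate:   # real contacts mostly do have accounts
        reasons.append(f"match rate {rate:.2f} < {min_match_rate}")
    return reasons

def sample_uploads():
    """Constructed uploads (not real data): an address book, a random bulk lookup, a sequential run."""
    rng = random.Random(7)
    address_book = [f"+1415{rng.randrange(10**7):07d}" for _ in range(150)]
    bulk = [f"+{cc}{rng.randrange(10**9):09d}"
            for cc in rng.choices(list(COUNTRY_CODES), k=20000)]
    sequential = [f"+4915{n}" for n in range(10_000_000, 10_000_500)]
    return {"address-book": (address_book, 60),   # 40% of contacts are on the platform
            "random-bulk": (bulk, 900),            # 4.5% hit rate across eight countries
            "sequential": (sequential, 30)}

def audit():
    """Run the review over every sample upload: upload name -> list of reasons."""
    return {name: review_upload(nums, hits) for name, (nums, hits) in sample_uploads().items()}
```

Only the random bulk upload trips the volume, country-spread and match-rate signals together, which is the pattern the sequential check alone cannot see.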
The vulnerability affects only the Android app
The security researcher pointed out that users accessing Twitter through channels other than Android are not affected. He said the vulnerability does not affect web-based Twitter, only the Android app.
However, Balic did not notify Twitter of his findings. Instead, he reported the vulnerability and his findings to some prominent Twitter users, warning them personally via a WhatsApp group. These users include senior government officials and politicians.
Balic has a long record of vulnerability discovery. He has been a very active security researcher, having found vulnerabilities in the past that helped curtail the activities of hackers.
In 2013, Balic was responsible for identifying a serious vulnerability that affected Apple's developer center.
Recently fixed vulnerability not related
The vulnerability Balic discovered is not believed to be linked to the recent Twitter app vulnerability that gave hackers control over direct messages and tweets. Reporters have already alerted a Twitter spokesperson, who told them the company is working to fix the bug. Twitter said it is working to make sure hackers cannot exploit the vulnerability again.
Response from Twitter
The Twitter spokesperson said the company has already suspended the accounts the hacker used to access users' personal information illegally. He said that Twitter's main priority is to protect the safety and privacy of its users, and reiterated the company's commitment to stopping any abuse or spam carried out through the Twitter app.
Several security breaches for Twitter this year
When it comes to security breaches, this year has not been kind to Twitter. In May, Twitter was accused of sharing user location data with a partner without the consent of the affected users. In August, the company also admitted to providing more detailed information to its ad partners than its own stated practice allows.
Twitter said phone numbers that users had provided for two-factor authentication were used for targeted ads. The Twitter community is relying on the company to correct this series of breaches and prevent future occurrences.