Published On: Tue, Dec 24th, 2019

A Twitter app bug was used to compare 17 million phone numbers to user accounts

A security researcher said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter's Android app.

Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter's contacts upload feature. "If you upload your phone number, it fetches user information in return," he told TechCrunch.

He said Twitter's contact upload feature doesn't accept lists of phone numbers in sequential format, likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)
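The paragraph above describes a server-side check that rejects sequentially ordered number lists and a bypass that simply shuffles the same list. The following is an added illustration, not code from the article, from Balic, or from Twitter, of why an ordering check alone is a weak control against contact-upload enumeration and what a volume-based policy looks like instead. The account ids, batches and limits (`MAX_CONTACTS_PER_UPLOAD`, `MAX_CONTACTS_PER_DAY`) are constructed for the example and are not Twitter's real values.

```python
"""
Contact-upload abuse controls: an ordering-only check beside a volume-based
policy. Everything here is constructed for illustration (assumption); the
limits are not any real service's limits.
"""
import random
from collections import defaultdict
from typing import Dict, List

# Constructed policy values (assumption): a genuine address book is small,
# so caps on list size and on per-account daily volume bound enumeration
# regardless of how the numbers are ordered.
MAX_CONTACTS_PER_UPLOAD = 5000
MAX_CONTACTS_PER_DAY = 10000


def is_sequential(numbers: List[str]) -> bool:
    """The kind of check the article describes: reject a list whose numbers
    run consecutively. Shuffling the same list defeats it."""
    if len(numbers) < 2:
        return False
    values = [int(n) for n in numbers]
    return all(b - a == 1 for a, b in zip(values, values[1:]))


def naive_policy(numbers: List[str]) -> bool:
    """Accept an upload unless the list is in sequential order."""
    return not is_sequential(numbers)


class UploadPolicy:
    """Volume-based policy: cap each upload and cap the rolling per-account
    total, independent of the order of the numbers."""

    def __init__(self) -> None:
        self.seen_today: Dict[str, int] = defaultdict(int)

    def accept(self, account: str, numbers: List[str]) -> bool:
        if len(numbers) > MAX_CONTACTS_PER_UPLOAD:
            return False
        if self.seen_today[account] + len(numbers) > MAX_CONTACTS_PER_DAY:
            return False
        self.seen_today[account] += len(numbers)
        return True


def chunked_uploads(policy: UploadPolicy, account: str,
                    numbers: List[str], chunk: int) -> List[bool]:
    """Submit a large list in pieces; the daily cap still stops it."""
    return [policy.accept(account, numbers[i:i + chunk])
            for i in range(0, len(numbers), chunk)]


# Constructed test batches (assumption): 20,000 consecutive numbers, the same
# numbers shuffled, and a realistic three-entry address book.
random.seed(1)
SEQUENTIAL = [str(15550000000 + i) for i in range(20000)]
SHUFFLED = SEQUENTIAL[:]
random.shuffle(SHUFFLED)
ADDRESS_BOOK = ["15551234567", "15559876543", "15552223333"]


def evaluate() -> Dict[str, object]:
    """Compare the two policies on the constructed batches."""
    policy = UploadPolicy()
    return {
        "naive_sequential": naive_policy(SEQUENTIAL),      # rejected
        "naive_shuffled": naive_policy(SHUFFLED),          # slips through
        "volume_sequential": policy.accept("acct-a", SEQUENTIAL),
        "volume_shuffled": policy.accept("acct-b", SHUFFLED),
        "volume_address_book": policy.accept("acct-c", ADDRESS_BOOK),
        "volume_chunked": chunked_uploads(policy, "acct-d", SHUFFLED, 5000),
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

The ordering check only catches the sequential batch; the shuffled copy passes it. The volume policy rejects both oversized batches, still accepts a normal address book, and, when the same list is split into 5,000-entry pieces, cuts the account off once its daily total is exhausted.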

Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, but stopped after Twitter blocked the effort on December 20.

Balic provided TechCrunch with a sample of the phone numbers he matched. Using the site's password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided.

In one case, TechCrunch was able to identify a senior Israeli politician using their matched phone number.

While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users, including politicians and officials, to a WhatsApp group in an effort to warn users directly.

It's not believed Balic's efforts are related to a Twitter blog post published this week, which confirmed a bug could have allowed "a bad actor to see nonpublic account information or to control your account," such as tweets, direct messages and location information.

A Twitter spokesperson, when reached, did not immediately comment outside of business hours.

It's the latest security lapse involving Twitter data in the past year. In May, Twitter admitted it gave account location data to one of its partners, even if the user had opted out of having their data shared. In August, the company said it inadvertently gave its ad partners more data than it should have. And just last month, Twitter confirmed it used phone numbers provided by users for two-factor authentication to serve targeted ads.

Balic is previously known for identifying a security flaw that affected Apple's developer center in 2013.
