Published On: Sun, Feb 23rd, 2020

Twitter suspends ‘large network’ of fake accounts used to match phone numbers to users

Twitter announced today that over the holidays it identified and shut down “a large network of fake accounts,” as well as many others “located in a wide range of countries,” collectively abusing a feature that let them match phone numbers to user accounts.

TechCrunch originally reported this same issue on December 24, which is also the day Twitter says it “became aware” that the abuse was taking place. Security researcher Ibrahim Balic found that a bug in Twitter’s Android app let him submit millions of phone numbers through an official API, which returned any associated user account.

The feature is intended, if you have enabled it, to let friends who have your number look up your Twitter handle. But obviously submitting millions of numbers goes “beyond its intended use case.”

If you had turned this feature off, you weren’t affected by this bug. Fortunately for users in the EU this was opt-in there. But for the rest of the world it’s opt-out, so if you had a phone number associated with your account, you may have been affected.

Furthermore, the phone numbers include those provided for purposes of two-factor authentication, so those outside the EU may have been exposed to this exploit without realizing it.


It seems that after Twitter was alerted to the issue and shut down the original network (presumably Balic’s), its investigators identified many more accounts that were exploiting this flaw, though a representative declined to provide a number or estimate.

“We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” wrote the company in a security bulletin. “It is possible that some of these IP addresses may have ties to state-sponsored actors,” the post continued.

This guess was justified by the observation of unrestricted access to Twitter from the IPs in Iran, where the platform is blocked from general access, suggesting government involvement. Balic, when contacted by TechCrunch, said that his work was not state-sponsored in any way.

Any account suspected of abusing the feature was suspended, and the API itself has been modified to prevent any further exploitation of this type. I’ve asked the company how many accounts were suspended and will update this post if we hear back.
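To make the abuse pattern and the mitigation concrete, here is an added, self-contained model of a phone-to-handle contact-matching API of the kind described above. It is not Twitter’s code and does not reflect how its endpoint actually worked or was fixed; the class and function names, the thresholds, the EU country subset, the sample users and the IP addresses are all constructed for illustration. It shows the intended use (a friend looks up a handful of numbers), the region-dependent discoverability default (opt-in in the EU, opt-out elsewhere), an abuser walking a numeric range with a pool of fake accounts, and two caps, per account and per source IP, that cut the enumeration short.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed subset for the example; the real EU list is longer.
EU_COUNTRIES = {"DE", "FR", "IE", "NL"}


@dataclass
class User:
    handle: str
    phone: str        # E.164, e.g. "+14155550101"
    country: str
    discoverable: bool


def default_discoverability(country: str) -> bool:
    """EU accounts start opted out (the feature is opt-in there); all others start opted in."""
    return country not in EU_COUNTRIES


class QuotaExceeded(Exception):
    """Raised when a caller or source IP exceeds its lookup budget."""


class ContactMatchService:
    """Hypothetical phone-to-handle lookup with per-caller and per-IP caps (assumed design)."""

    def __init__(self, users, max_per_request=500, max_per_day=5000, max_per_ip=20000):
        self.by_phone = {u.phone: u for u in users}
        self.max_per_request = max_per_request
        self.max_per_day = max_per_day
        self.max_per_ip = max_per_ip
        self.per_caller = defaultdict(int)   # numbers submitted today, per account
        self.per_ip = defaultdict(int)       # numbers submitted today, per source IP
        self.flagged = set()                 # accounts that hit a cap

    def match(self, caller, ip, numbers):
        """Return {phone: handle} for numbers that belong to discoverable users.

        An address book is hundreds of numbers, not millions. A caller that
        submits more than that, or many accounts sharing one IP that do so
        collectively, is enumerating rather than syncing contacts.
        """
        numbers = list(dict.fromkeys(numbers))   # dedupe so repeats don't inflate counts
        if len(numbers) > self.max_per_request:
            self.flagged.add(caller)
            raise QuotaExceeded(f"{caller}: {len(numbers)} numbers in one request")
        if self.per_caller[caller] + len(numbers) > self.max_per_day:
            self.flagged.add(caller)
            raise QuotaExceeded(f"{caller}: daily budget exhausted")
        if self.per_ip[ip] + len(numbers) > self.max_per_ip:
            self.flagged.add(caller)
            raise QuotaExceeded(f"{ip}: per-IP budget exhausted")
        self.per_caller[caller] += len(numbers)
        self.per_ip[ip] += len(numbers)
        return {n: self.by_phone[n].handle for n in numbers
                if n in self.by_phone and self.by_phone[n].discoverable}

    def noisy_ips(self, threshold):
        """Source IPs whose submitted-number total has reached a review threshold."""
        return sorted(ip for ip, n in self.per_ip.items() if n >= threshold)


def enumerate_range(service, callers, ip, prefix, count):
    """Abuser pattern: walk a block of numbers, rotating to the next fake account
    each time one is cut off, until every account in the pool is burned."""
    found = {}
    n = 0
    callers = list(callers)
    while n < count and callers:
        batch = [f"{prefix}{i:04d}" for i in range(n, min(n + service.max_per_request, count))]
        try:
            found.update(service.match(callers[0], ip, batch))
        except QuotaExceeded:
            callers.pop(0)   # this fake account is burned; move to the next
            continue
        n += len(batch)
    return found


def demo():
    # Constructed sample users and addresses; nothing here is real data.
    users = [
        User("alice", "+14155550101", "US", default_discoverability("US")),   # opted in by default
        User("bob", "+353871230042", "IE", default_discoverability("IE")),    # EU: opted out by default
        User("carol", "+14155550150", "US", False),                           # turned the feature off
    ]
    svc = ContactMatchService(users, max_per_request=500, max_per_day=2000, max_per_ip=3000)
    # Intended use: a friend checks three numbers from their address book.
    friend = svc.match("dave", "198.51.100.7", ["+14155550101", "+353871230042", "+14155550150"])
    # Abuse: two fake accounts behind one IP try to sweep 10,000 numbers.
    scraped = enumerate_range(svc, ["fake1", "fake2"], "203.0.113.9", "+1415555", 10000)
    return friend, scraped, svc


if __name__ == "__main__":
    friend, scraped, svc = demo()
    print("friend lookup:", friend)
    print("enumeration got:", scraped, "| flagged:", sorted(svc.flagged), "| noisy IPs:", svc.noisy_ips(1000))
```

In the demo the friend’s lookup returns only alice: bob is an EU account that never opted in, and carol opted out. The sweep is stopped after 3,000 of its 10,000 numbers, first by the per-account daily budget (which is exactly why an abuser spreads the work across a large network of fake accounts) and then by the per-IP budget, which is the aggregate signal the company described in its bulletin. Per-IP counting is a coarse control that a distributed operation can also dilute, so it is a detection input for review rather than a complete fix.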

Twitter has had numerous incidents where it exposed or leaked user information over the last year. In addition to sharing rather too much information with its ad partners, the company admitted it used phone numbers provided for two-factor authentication to serve targeted ads.
