December’s story of the researcher who tricked Twitter’s Android app into matching random phone numbers to 17 million user accounts just took a turn for the worse.
We became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers.
Twitter owes Balic its thanks, because until it was closed this was an easy-to-exploit hole in users’ basic privacy.
The flaw related to Twitter’s contact upload feature, by which users upload their contact book to enable them to connect to other Twitter users whose email or phone number matches the data.
It’s a useful feature with a legitimate purpose that any social media platform would want to encourage – quickly finding people you already know.
Except that Balic discovered that when he uploaded two billion numbers generated in a non-sequential way (to make them appear more like a real contacts list) Twitter would reveal the identity of any matches.
The only limitations were that it only worked when using the Android app (web-based uploads were immune), and only for Twitter users who’d both added their phone numbers to the service and turned on the ‘Let people who have your phone number find you on Twitter’ option.
By the time Twitter suspended his access on 20 December 2019, he’d claimed to have uncovered the numbers of millions of Twitter users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, including one independently confirmed to belong to a senior Israeli politician.
As to who else might have been exploiting the same technique, the company said:
During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors.
What to do
Twitter says it has fixed the issue by stopping account names being returned during searches, and apologized for not thinking of this sooner:
We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.
Users can check whether they’ve entered their phone number into Twitter (for example, to enable SMS two-factor authentication).
Find out if yours is searchable via More > Settings and privacy > Login and security > Discoverability and contacts > untick ‘Let people who have your phone number find you on Twitter’.
This isn’t the first time Twitter’s got into bother over how it uses (or lets others use) data such as phone numbers.
In October, it admitted it had inadvertently allowed advertisers access to phone and email data as part of the company’s Tailored Audiences system designed to feed users promoted tweets to their timelines.
A year earlier was the mini-scandal that third parties had access to supposedly private direct messages.
The lesson is simply this: anything you tell a social media platform might one day become fair game for someone else. If that bothers you, act before someone else does.
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.