A security researcher said he matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter’s Android app.
Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter’s contacts upload feature.
He said that if you upload your phone number, it returns user data in response.
How Ibrahim Balic Found The Glitch
He said that Twitter’s contact upload feature does not accept lists of phone numbers in sequential order, likely as a way to prevent this kind of matching.
Instead, he generated more than two billion phone numbers, one after the other, then randomized their order and uploaded them to Twitter through the Android app.
Balic said the flaw did not exist in the web-based upload feature.
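The passage above shows why an order-based check alone is weak: a shuffled list defeats it. The added example below is not from the article or from Twitter; it sketches the kind of server-side control a service operating a contact-sync feature could apply, using constructed upload events. The event fields (account, client, numbers uploaded, numbers matched), the per-account quota and the match-ratio threshold are all assumptions chosen for illustration, not Twitter’s actual telemetry or limits.

```python
"""Detect and throttle contact-upload sessions that look like bulk
phone-number enumeration rather than a real address-book sync.

All data and thresholds here are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class UploadEvent:
    account: str   # account performing the contact sync
    client: str    # client that sent the batch, e.g. "android" or "web"
    uploaded: int  # phone numbers submitted in this batch
    matched: int   # numbers that resolved to an existing user account


# Constructed sample: "alice" syncs a normal address book, "bulk01" streams
# large batches of generated numbers of which almost none resolve.
SAMPLE_EVENTS = [
    UploadEvent("alice", "android", 412, 137),
    UploadEvent("alice", "android", 9, 3),
    UploadEvent("bulk01", "android", 50_000, 420),
    UploadEvent("bulk01", "android", 50_000, 398),
    UploadEvent("bulk01", "android", 50_000, 455),
    UploadEvent("bulk01", "android", 50_000, 1),
]

# Assumed limits: a phone's address book is far smaller than 20k entries,
# and a genuine one resolves to accounts at a much higher rate than a
# generated list does.
MAX_NUMBERS_PER_ACCOUNT = 20_000
MIN_MATCH_RATIO = 0.05


def summarize(events):
    """Aggregate per-account totals: numbers uploaded, numbers matched,
    batch count and the set of clients used."""
    totals = defaultdict(
        lambda: {"uploaded": 0, "matched": 0, "batches": 0, "clients": set()}
    )
    for e in events:
        t = totals[e.account]
        t["uploaded"] += e.uploaded
        t["matched"] += e.matched
        t["batches"] += 1
        t["clients"].add(e.client)
    return dict(totals)


def flag_enumeration(events, max_numbers=MAX_NUMBERS_PER_ACCOUNT,
                     min_ratio=MIN_MATCH_RATIO):
    """Offline detection: return {account: [reasons]} for accounts whose
    cumulative volume or match ratio is inconsistent with a real address
    book. Shuffling the list does not change either signal."""
    flagged = {}
    for account, t in summarize(events).items():
        ratio = t["matched"] / t["uploaded"] if t["uploaded"] else 0.0
        reasons = []
        if t["uploaded"] > max_numbers:
            reasons.append(f"volume {t['uploaded']} exceeds {max_numbers}")
        if ratio < min_ratio:
            reasons.append(f"match ratio {ratio:.4f} below {min_ratio}")
        if reasons:
            flagged[account] = reasons
    return flagged


def accept_batch(quota_state, event, max_numbers=MAX_NUMBERS_PER_ACCOUNT):
    """Online gate: reject a batch once the account's cumulative upload
    count would exceed the quota. Returns True if the batch is accepted.
    quota_state is a dict {account: numbers accepted so far}."""
    used = quota_state.get(event.account, 0)
    if used + event.uploaded > max_numbers:
        return False
    quota_state[event.account] = used + event.uploaded
    return True


def replay(events):
    """Run every batch through the gate in order and return the list of
    accept/reject decisions."""
    state = {}
    return [accept_batch(state, e) for e in events]


if __name__ == "__main__":
    for account, reasons in flag_enumeration(SAMPLE_EVENTS).items():
        print(account, "->", "; ".join(reasons))
    print("gate decisions:", replay(SAMPLE_EVENTS))
```

The two controls are complementary: the quota stops a single account from submitting enough numbers to matter, and the match ratio catches the pattern even if the quota is set generously, because a real address book resolves to accounts far more often than a generated list does.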
Over two months, Balic said he matched records of users in Israel, Turkey, Iran, Greece, Armenia, France, and Germany, but stopped after Twitter blocked the effort on December 20.
Balic provided a sample of the phone numbers he matched.
Using the site’s password reset feature, we verified his findings by linking a random selection of usernames to the phone numbers provided.
In one case, TechCrunch was able to identify a senior Israeli politician using their matched phone number.
While he did not report the vulnerability to Twitter, he added many of the phone numbers of high-profile Twitter users, including politicians and officials, to a WhatsApp group in an attempt to notify users directly.
Twitter’s Take On The Matter
A Twitter spokesperson said that the company was working to “assure this bug cannot be used again.”
Upon learning of the bug, the company suspended the accounts used to inappropriately access people’s personal information.
It is the latest security lapse involving Twitter data in the past year.
In May, Twitter admitted that it gave account location data to one of its partners, even if the user had opted out of having their data shared.
In August, the company said that it inadvertently gave its ad partners more information than it should have.
And only last month, Twitter confirmed that it used phone numbers provided by users for two-factor authentication to serve targeted ads.
Balic is previously known for identifying a security flaw in Apple’s developer center in 2013.