Attackers Used The Twitter Api To Map Phones To Usernames

✨ Megiddo

✨ President ✨
Staff member
Twitter reported an unpleasant incident: third parties abused its official API to match the phone numbers of users with their Twitter names.

The company's specialists became aware of the abuse on December 24, 2019. Interestingly, Twitter engineers only learned about what happened after a TechCrunch publication, which described how an information security expert used the Twitter API to map 17,000,000 phone numbers to public usernames.

After this publication, Twitter immediately suspended the large network of fake accounts that were used to send the API requests. An investigation conducted afterwards revealed additional evidence that the bug in the API was used not only by the mentioned information security expert, but also by other third parties. Who exactly these third parties were has yet to be disclosed, but it is known that some IP addresses from which they tried to abuse the API functions could be associated with government hacking groups. Basically, the requests came from Iran, Israel and Malaysia.

The bug in the API was related to a legitimate feature that allows new users to find friends on Twitter. The problem allowed uploading phone numbers and matching them to known Twitter accounts. As a result, the attacks did not affect all users, but only those who turned on the setting that allows other users to find them by phone number.

Currently, the problem has already been fixed, and specific account names can no longer be obtained in response to such a request.
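To make the mechanism in the post concrete, here is an added example (not Twitter's code, and not from the post's author) of a toy contact-discovery endpoint. The weak version hands back a username for every uploaded number that matches, regardless of the owner's settings or request volume. The hardened version honours the per-user "find me by phone number" opt-in, returns only a match indication rather than the account name, caps lookups per caller, and flags the pattern described in the post, many distinct caller accounts sharing one source IP. The directory entries, phone numbers, IP addresses and limits are all constructed for the demonstration.

```python
"""Toy contact-discovery endpoint with abuse controls (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    phone: str
    discoverable_by_phone: bool  # the opt-in setting the post mentions


# Constructed directory: phone number -> account
DIRECTORY = {
    "+15550000001": Account("alice", "+15550000001", True),
    "+15550000002": Account("bob", "+15550000002", False),  # opted out
    "+15550000003": Account("carol", "+15550000003", True),
}


def lookup_weak(phones):
    """Pre-fix behaviour: every phone in the directory maps straight to a
    username, ignoring the owner's setting, with no volume limits at all."""
    return {p: DIRECTORY[p].username for p in phones if p in DIRECTORY}


@dataclass
class HardenedLookup:
    max_phones_per_request: int = 100
    max_lookups_per_account_per_day: int = 1000
    max_accounts_per_ip_per_day: int = 5
    lookups_by_account: dict = field(default_factory=lambda: defaultdict(int))
    accounts_by_ip: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)  # what the SOC would see

    def lookup(self, caller, source_ip, phones):
        # Budget checks happen before any directory access.
        if len(phones) > self.max_phones_per_request:
            raise PermissionError("too many numbers in one request")
        self.lookups_by_account[caller] += len(phones)
        if self.lookups_by_account[caller] > self.max_lookups_per_account_per_day:
            raise PermissionError("daily lookup budget exceeded")
        # Many distinct caller accounts behind one IP is the fake-account
        # network pattern; record it for review instead of silently serving it.
        self.accounts_by_ip[source_ip].add(caller)
        if len(self.accounts_by_ip[source_ip]) > self.max_accounts_per_ip_per_day:
            self.alerts.append(
                f"{source_ip}: {len(self.accounts_by_ip[source_ip])} caller accounts sharing one IP"
            )
            raise PermissionError("source rate limited")
        # Only opted-in accounts are matchable, and the response says merely
        # "this contact is here" rather than which account it is.
        return {
            p: True
            for p in phones
            if p in DIRECTORY and DIRECTORY[p].discoverable_by_phone
        }


def simulate(service, requests):
    """Replay (caller, source_ip, phones) tuples against a service.
    Returns (list of successful results, number of denied requests)."""
    results, denials = [], 0
    for caller, source_ip, phones in requests:
        try:
            results.append(service.lookup(caller, source_ip, phones))
        except PermissionError:
            denials += 1
    return results, denials


if __name__ == "__main__":
    probe = ["+15550000001", "+15550000002", "+15559999999"]
    print("weak:", lookup_weak(probe))
    svc = HardenedLookup(max_accounts_per_ip_per_day=2)
    # Four fake caller accounts from the same constructed IP
    reqs = [(f"fake{i}", "203.0.113.7", probe) for i in range(4)]
    print("hardened:", simulate(svc, reqs), svc.alerts)
```

The point of the split is that the fix on the page (no account names in the response) and the per-source controls are independent: opt-in plus an opaque match result limits what any single lookup reveals, while the per-account budget and the accounts-per-IP check are what would have surfaced a fake-account network running millions of lookups.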
 