
A security researcher could match 17 million phone numbers with users by exploiting a Twitter bug in the app.

2019 seems to have been a year of data breach cases for Twitter: even as the year ended, yet another breach involving Twitter came to light.

Security researcher Ibrahim Balic claimed that he managed to match 17 million phone numbers with user accounts, including those of high-profile officials, personalities & politicians, by exploiting a bug in the Twitter app.

TechCrunch reported that Balic found he could upload entire lists of phone numbers that he had generated himself, using Twitter’s contacts upload feature.

Balic was quoted as saying, “If you upload your phone number, it fetches user data in return.” Over a period of two months he matched numbers to users in France, Germany, Israel, Iran, Turkey, Armenia & Greece.

In one case, a senior Israeli politician was identified from one of the matched phone numbers.

Balic alerted affected users directly by creating a WhatsApp group, but Twitter learned of the issue & blocked his efforts on the app on December 20. He had generated over 17 million phone numbers & uploaded them in random order through the Android app, because Twitter’s contacts upload feature did not let him submit the list of numbers in sequential order.
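
The abuse pattern described above (one account pushing a generated list of millions of numbers through a contact-sync endpoint in many batches) is something a platform can spot from its own server-side upload logs. The following is an added example, not code from the article or from Twitter: it runs a sliding-window volume check over a few constructed log lines and flags accounts whose upload volume is far beyond what a real address book produces, reporting the match rate as corroborating context. The log format, the account names, the thresholds and the window size are all assumptions.

```python
"""Detect bulk contact-upload abuse from (constructed) contact-sync logs.

Added example; the log format, accounts and thresholds below are assumptions,
not anything taken from the article or from Twitter's systems.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
# timestamp  account  client  numbers_uploaded  numbers_matched
SAMPLE_LOG = """\
2019-12-19T10:00:00Z alice android 180 165
2019-12-19T10:05:00Z bob ios 42 40
2019-12-19T10:00:10Z bulk_user android 5000 61
2019-12-19T10:00:40Z bulk_user android 5000 58
2019-12-19T10:01:10Z bulk_user android 5000 63
2019-12-19T10:01:40Z bulk_user android 5000 55
2019-12-19T11:30:00Z carol web 90 84
"""


def parse_log(text):
    """Parse the assumed whitespace-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, client, uploaded, matched = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "client": client,
            "uploaded": int(uploaded),
            "matched": int(matched),
        })
    return records


def flag_bulk_uploaders(records, window=timedelta(minutes=10), max_numbers=2000):
    """Return {account: {"uploaded": n, "match_rate": r}} for every account
    whose largest sliding-window upload total exceeds max_numbers.

    A genuine address book is a few hundred entries uploaded once; a generated
    list arrives as a stream of large batches. The match rate is reported
    alongside the volume because generated numbers mostly belong to nobody on
    the platform, which is a second signal an analyst can use to confirm.
    """
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r)

    flagged = {}
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r["ts"])
        best_uploaded, best_matched = 0, 0
        start = 0
        for end in range(len(rows)):
            # Advance the window start until the window spans at most `window`.
            while rows[end]["ts"] - rows[start]["ts"] > window:
                start += 1
            uploaded = sum(r["uploaded"] for r in rows[start:end + 1])
            if uploaded > best_uploaded:
                best_uploaded = uploaded
                best_matched = sum(r["matched"] for r in rows[start:end + 1])
        if best_uploaded > max_numbers:
            flagged[account] = {
                "uploaded": best_uploaded,
                "match_rate": round(best_matched / best_uploaded, 3),
            }
    return flagged


if __name__ == "__main__":
    for account, stats in flag_bulk_uploaders(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {stats['uploaded']} numbers in window, "
              f"match rate {stats['match_rate']}")
```

In this sample only `bulk_user` is flagged: four batches of 5,000 numbers inside two minutes, with about 1% of them matching an account, whereas the three ordinary accounts upload a few dozen to a couple of hundred numbers that mostly match. The same volume check applied per client type would also make the article's Android-versus-web distinction visible, since a real address book sync does not arrive as a stream of equal-sized batches from one client.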

The web-based upload feature, however, did not have the bug. Before this case, Twitter had admitted that a bad actor had inserted malicious code into its app that could have been used to take advantage of & misuse the information of Android users worldwide; it could also have allowed the bad actor to see & control non-public account information or send tweets or direct messages. It is not confirmed, however, whether Balic’s findings are related to that case in any manner.

In the recent past, Twitter had faced many vulnerabilities in its app. In February it revealed it had exposed the private tweets of Android users for more than 5 years whenever they made certain changes to their settings, such as changing the email address linked to their account. In May, Twitter revealed a bug that shared iOS users’ data with an unnamed partner, affecting Twitter’s iOS user base.

Previously, Twitter had also discovered a bug that stored passwords in its internal systems in plain text.

According to a Twitter spokesperson, the company takes these issues seriously & is investigating the matter to ensure that this bug doesn’t get exploited again.