[BreachExchange] A Twitter app bug was used to match 17 million phone numbers to user accounts

[Destry Winant]

https://techcrunch.com/2019/12/24/twitter-android-bug-phone-numbers/

A security researcher said he has matched 17 million phone numbers to
Twitter  user accounts by exploiting a flaw in Twitter’s Android app.

Ibrahim Balic found that it was possible to upload entire lists of
generated phone numbers through Twitter’s contacts upload feature. “If
you upload your phone number, it fetches user data in return,” he told
TechCrunch.

He said Twitter’s contact upload feature doesn’t accept lists of phone
numbers in sequential format — likely as a way to prevent this kind of
matching. Instead, he generated more than two billion phone numbers,
one after the other, then randomized the numbers, and uploaded them to
Twitter through the Android app. (Balic said the bug did not exist in
the web-based upload feature.)

Over a two-month period, Balic said he matched records from users in
Israel, Turkey, Iran, Greece, Armenia, France and Germany, he said,
but stopped after Twitter blocked the effort on December 20.

Balic provided TechCrunch with a sample of the phone numbers he
matched. Using the site’s password reset feature, we verified his
findings by comparing a random selection of usernames with the phone
numbers that were provided.

In one case, TechCrunch was able to identify a senior Israeli
politician using their matched phone number.

While he did not alert Twitter to the vulnerability, he took many of
the phone numbers of high-profile Twitter users — including
politicians and officials — to a WhatsApp group in an effort to warn
users directly.

It’s not believed Balic’s efforts are related to a Twitter blog post
published this week, which confirmed a bug could have allowed “a bad
actor to see nonpublic account information or to control your
account,” such as tweets, direct messages and location information.

A Twitter spokesperson told TechCrunch the company was working to
“ensure this bug cannot be exploited again.”

“Upon learning of this bug, we suspended the accounts used to
inappropriately access people’s personal information. Protecting the
privacy and safety of the people who use Twitter is our number one
priority and we remain focused on rapidly stopping spam and abuse
originating from use of Twitter’s APIs,” the spokesperson said.

It’s the latest security lapse involving Twitter data in the past
year. In May, Twitter admitted it gave account location data to one of
its partners, even if the user had opted-out of having their data
shared. In August, the company said it inadvertently gave its ad
partners more data than it should have. And just last month, Twitter
confirmed it used phone numbers provided by users for two-factor
authentication for serving targeted ads.

Balic is previously known for identifying a security flaw breach that
affected Apple’s developer center in 2013.