A security researcher named Ibrahim Balic has managed to match 17 million phone numbers with Twitter user accounts through the exploitation of the Android app of the social media platform. More specifically, Balic has discovered that it’s possible to get the platform to disclose user data as long as a matching phone number is uploaded onto the app. As this uploading can be done in massive numbers, one could possibly feed the app with millions of phone numbers sourced from elsewhere or even generated, and get their match in return.
Twitter has a block in place that prevents the uploading of lists of numbers in a sequential format, so its engineers had already anticipated the possibility of abuse. However, uploading huge lists through the Android app is still perfectly doable. Thus, the researcher spent two months generating random numbers and finding matches around the world. He generated more than two billion phone numbers and found 17 million matches in Israel, France, Germany, Greece, Turkey, Iran, and Armenia. At some point, Twitter detected this activity and blocked him. As a spokesperson for the platform stated, they will now take care of the API gaps that allow this kind of abuse. To be clear, this story is not related to Twitter’s recent blog post about problems with its Android app; it is an entirely separate privacy breach.
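The article points out that a sequential-list check alone did not stop the enumeration, because randomly generated numbers never form runs. As an added example (not Twitter's code; all thresholds and the toy registered-number set are assumed), here is a defender-side guard for a contact-upload endpoint that combines the sequential check with per-account volume limits and a match-rate heuristic, since a batch of random numbers matches far less often than a real address book (the article's run hit roughly 17 million out of 2 billion):

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Policy values are assumed for illustration, not taken from any real platform.
MAX_NUMBERS_PER_UPLOAD = 5_000
MAX_NUMBERS_PER_DAY = 20_000
MIN_MATCH_RATE = 0.05   # real address books match far above this; random input does not
SEQ_RUN_LIMIT = 20      # this many consecutive numbers in one batch looks generated


def looks_sequential(numbers, run_limit=SEQ_RUN_LIMIT):
    """The kind of check the article says already existed: long runs of consecutive numbers."""
    digits = sorted(int(n) for n in numbers)
    run = 1
    for a, b in zip(digits, digits[1:]):
        run = run + 1 if b - a == 1 else 1
        if run >= run_limit:
            return True
    return False


@dataclass
class UploadGuard:
    registered: set                      # phone numbers that map to accounts (constructed in tests)
    uploaded_today: dict = field(default_factory=lambda: defaultdict(int))

    def evaluate(self, account_id, numbers):
        """Return a decision string for one contact-sync batch from one account."""
        numbers = list(dict.fromkeys(numbers))          # de-duplicate, keep order
        if len(numbers) > MAX_NUMBERS_PER_UPLOAD:
            return "reject: batch too large"
        self.uploaded_today[account_id] += len(numbers)
        if self.uploaded_today[account_id] > MAX_NUMBERS_PER_DAY:
            return "reject: daily volume exceeded"
        if looks_sequential(numbers):
            return "reject: sequential list"
        matches = sum(1 for n in numbers if n in self.registered)
        # Small uploads are ordinary address books; only larger batches get the rate heuristic.
        if len(numbers) >= 100 and matches / len(numbers) < MIN_MATCH_RATE:
            return "flag: low match rate"
        return "allow"
```

A flagged batch would go to rate limiting or manual review rather than being answered with the matched accounts.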
The researcher decided not to inform Twitter about the problem, and instead took it as far as it would go. Having matched phone numbers with high-profile politicians and country officials, he has surely made a statement. He did try to alert some of these VIP individuals, though, by creating a WhatsApp group and informing them about the privacy problem they now had. The main consequence that the matched profiles could face due to this bug would be laying the groundwork for 2FA bypass through SIM swapping. This is something that Twitter’s highest-profile user suffered from, and which has led the platform to seek more secure ways to implement its 2FA system. After all, the platform itself recently blundered by sharing user emails and phone numbers with advertisers, so this card is burned anyway.