Twitter Suspends Fake Accounts Abusing Feature that Matches Phone Numbers and Users
The company believes state-sponsored actors may also be involved.
February 4, 2020
Twitter has disclosed a security incident in which third parties exploited its API to match phone numbers with user accounts. The company has identified and suspended a large network of fake accounts related to the incident and believes state-sponsored actors may also be involved.
The problem came to Twitter's attention on Dec. 24, 2019, when it learned someone was using a network of fake accounts to match usernames with phone numbers – a legitimate feature that, if enabled, helps users find each other on the platform. A security researcher was able to exploit a flaw in Twitter's Android app to match 17 million phone numbers with user accounts.
Following this report, Twitter launched an investigation and discovered more accounts, outside the researcher's findings, that may have been exploiting the same official API endpoint beyond its intended function. The company identified accounts "located in a wide range of countries" with a high volume of requests coming from individual IP addresses in Iran, Israel, and Malaysia.
"It is possible that some of these IP addresses may have ties to state-sponsored actors," Twitter said in a statement. "We are disclosing this out of an abundance of caution and as a matter of principle." Changes were made to the endpoint so it no longer returns specific account names in response to queries. Accounts believed to have been exploiting the endpoint are suspended.
Twitter account holders who disabled the option for "Let people who have your phone number find you on Twitter" are not exposed to the vulnerability; neither are those who don't have a phone number linked to their account.
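The incident described above comes down to two controls on a contact-discovery endpoint: honouring the per-user opt-in before returning a match, and throttling callers that submit phone numbers in bulk from a single address. The following added example is not Twitter's code and is not taken from the article; it models a contact-lookup handler with a small constructed directory, an assumed per-IP sliding-window limit and per-request contact cap, a response that lists matched phone numbers without account names (an assumption that follows the article's statement that the endpoint no longer returns specific account names), and a detector that flags source IPs whose submitted-number volume exceeds a threshold over a constructed request log.

```python
from collections import defaultdict, deque

# Constructed sample directory: phone number -> account record (not real data).
# "discoverable" models the "Let people who have your phone number find you
# on Twitter" setting; accounts with it off must never be matched.
DIRECTORY = {
    "+15550000001": {"username": "alice", "discoverable": True},
    "+15550000002": {"username": "bob", "discoverable": False},
    "+15550000003": {"username": "carol", "discoverable": True},
}

MAX_PHONES_PER_REQUEST = 50   # assumed cap on contacts per upload
MAX_REQUESTS_PER_WINDOW = 5   # assumed per-IP request budget
WINDOW_SECONDS = 60           # assumed window length for the budget


class SlidingWindowLimiter:
    """Per-client sliding-window request counter keyed by source IP."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)  # ip -> timestamps in window

    def allow(self, client_ip, now):
        """Return True and record the request if the caller is under budget."""
        q = self.history[client_ip]
        while q and now - q[0] >= self.window:
            q.popleft()              # drop timestamps that fell out of the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def lookup_contacts(phones, client_ip, limiter, now):
    """Contact-discovery handler: size cap, per-IP limit, opt-in check.

    Returns only the submitted numbers that belong to discoverable accounts;
    no username or other account identifier is included in the response.
    """
    if len(phones) > MAX_PHONES_PER_REQUEST:
        return {"error": "too_many_contacts"}
    if not limiter.allow(client_ip, now):
        return {"error": "rate_limited"}
    matches = []
    for phone in phones:
        rec = DIRECTORY.get(phone)
        if rec is None or not rec["discoverable"]:
            continue                 # unknown number or user opted out
        matches.append(phone)
    return {"matches": matches}


def flag_high_volume_ips(request_log, threshold):
    """Detection pass: sum submitted numbers per source IP and flag outliers.

    request_log entries are dicts with "ip" and "phones_submitted".
    Returns the sorted list of IPs at or above the threshold.
    """
    counts = defaultdict(int)
    for entry in request_log:
        counts[entry["ip"]] += entry["phones_submitted"]
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(MAX_REQUESTS_PER_WINDOW, WINDOW_SECONDS)
    print(lookup_contacts(["+15550000001", "+15550000002"], "198.51.100.7", limiter, 0.0))
    # Constructed log: one ordinary client and one bulk submitter.
    log = [{"ip": "198.51.100.7", "phones_submitted": 12},
           {"ip": "203.0.113.9", "phones_submitted": 50},
           {"ip": "203.0.113.9", "phones_submitted": 50}]
    print(flag_high_volume_ips(log, threshold=80))
```

The opt-in check is the control that protects users who turned discoverability off, as the article notes; the per-IP budget and the volume detector are what turn a high request count from a single address into something an operator can see and act on rather than discover after the fact.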