Twitter suspended an unspecified number of fake accounts that were exploiting its API to match usernames to phone numbers. A “particularly high volume” of such requests came from IP addresses in Iran, Israel and Malaysia. The company further claimed that some of these IP addresses may be linked to state-sponsored actors.
But doesn’t Twitter offer that feature already? Yes, Twitter allows users to link their phone numbers to their accounts, and separately allows them to be searched by it. In this case, the API was exploited “beyond its intended use case”. People who did not opt in to this service were not exposed by this vulnerability.
What has Twitter done? Apart from suspending the fake accounts and any other accounts exploiting this vulnerability, it changed the API so that it “could no longer return specific account names in response to queries”.
When did Twitter learn about it? The company learnt about it on December 24. In December, TechCrunch had reported about this flaw through which a security researcher was able to match 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter’s Android app.
Why is this a problem? As the security researcher had found in December, this API allowed users “to upload entire lists of generated phone numbers” in a randomised manner. This could have resulted in a huge data harvesting operation. TechCrunch had reported that they were able to identify a senior Israeli politician using their matched phone number.