Twitter Bug Used to Match Millions of User Phone Numbers
upstart writes in with an IRC submission for SoyCow1337:
Twitter bug used to match millions of user phone numbers - TechCrunch:
A security researcher said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter's Android app.
Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter's contacts upload feature. "If you upload your phone number, it fetches user data in return," he told TechCrunch.
He said Twitter's contact upload feature doesn't accept lists of phone numbers in sequential format - likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)
Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, he said, but stopped after Twitter blocked the effort on December 20.
Balic provided TechCrunch with a sample of the phone numbers he matched. Using the site's password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided.
In one case, TechCrunch was able to identify a senior Israeli politician using their matched phone number.
While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users - including politicians and officials - to a WhatsApp group in an effort to warn users directly.
Read more of this story at SoylentNews.