In yet another data breach on Twitter, a security researcher matched 17 million phone numbers to user accounts, including those of high-profile politicians and officials, by exploiting a flaw in the social media platform's Android app. This adds to the woes of a platform that has already gone through a bad year on security.
Security researcher Ibrahim Balic told TechCrunch that he uploaded entire lists of generated phone numbers through Twitter's contact upload feature. He said the feature doesn't accept lists of phone numbers in a sequential format, so he generated more than 2 billion phone numbers, randomized them, and uploaded them to Twitter through the Android app.
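The weakness described above is a contact-match endpoint that answers bulk lookups without any budget on how many phone-to-account mappings a single caller can learn. The following added example is not Twitter's code and is not based on how Twitter actually fixed the issue; it is a hypothetical server-side guard showing the controls a defender would put in front of such an endpoint: a cap on batch size (real address books are small), a daily cap on numbers submitted per account, and a daily cap on how many matches are revealed, with accounts that hit a limit flagged for review. The directory, account names and limits are constructed for illustration.

```python
"""Hypothetical guard for a contact-upload / phone-match endpoint (added example).

All names, limits and sample data are constructed for illustration and do not
describe any real service's implementation.
"""
from collections import defaultdict, deque


class ContactMatchGuard:
    def __init__(self, directory, max_batch_size=1000, max_numbers_per_day=3000,
                 max_matches_per_day=50, day_seconds=86400):
        self.directory = directory            # phone number -> handle (constructed table)
        self.max_batch_size = max_batch_size
        self.max_numbers_per_day = max_numbers_per_day
        self.max_matches_per_day = max_matches_per_day
        self.day_seconds = day_seconds
        self._numbers = defaultdict(deque)    # account -> deque of (timestamp, count)
        self._matches = defaultdict(deque)    # account -> deque of (timestamp, matches revealed)
        self.flagged = set()                  # accounts that tripped a limit, for review

    def _prune(self, dq, now):
        # Drop window entries older than one day (sliding-window counter).
        while dq and now - dq[0][0] > self.day_seconds:
            dq.popleft()

    @staticmethod
    def _total(dq):
        return sum(count for _, count in dq)

    def match(self, account_id, numbers, now):
        """Return (status, matches). status is 'ok', 'rejected' or 'throttled'."""
        # 1. Oversized batches are not plausible address-book syncs.
        if len(numbers) > self.max_batch_size:
            self.flagged.add(account_id)
            return "rejected", {}

        # 2. Daily budget on numbers submitted, regardless of whether they match.
        num_dq = self._numbers[account_id]
        self._prune(num_dq, now)
        if self._total(num_dq) + len(numbers) > self.max_numbers_per_day:
            self.flagged.add(account_id)
            return "throttled", {}
        num_dq.append((now, len(numbers)))

        # 3. Daily budget on how many phone-to-account mappings are revealed.
        match_dq = self._matches[account_id]
        self._prune(match_dq, now)
        remaining = self.max_matches_per_day - self._total(match_dq)
        found = {n: self.directory[n] for n in numbers if n in self.directory}
        if len(found) > remaining:
            self.flagged.add(account_id)
            return "throttled", {}
        match_dq.append((now, len(found)))
        return "ok", found


# Constructed sample directory: 60 fake numbers mapped to fake handles.
SAMPLE_DIRECTORY = {f"+1555000{i:04d}": f"user{i}" for i in range(60)}


def demo():
    guard = ContactMatchGuard(SAMPLE_DIRECTORY)
    # A normal sync: a handful of contacts, one of which is on the platform.
    normal = guard.match("acct_normal", ["+15550000001", "+15559999999"], now=0)
    # An oversized upload is rejected outright.
    big = guard.match("acct_bulk", [f"+1555{i:07d}" for i in range(2000)], now=0)
    # Many uploads of the maximum size exhaust the daily submission budget.
    repeated = [guard.match("acct_repeat", [f"+1666{i:07d}" for i in range(1000)], now=60 * k)[0]
                for k in range(4)]
    # Uploading every number in the directory exceeds the match-reveal budget.
    harvest = guard.match("acct_harvest", list(SAMPLE_DIRECTORY), now=0)
    return normal, big, repeated, harvest, guard.flagged


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The three limits are independent on purpose: the batch cap stops a single oversized request, the submission budget stops the same work spread over many small requests, and the match budget bounds how much identifying data can be learned even by a caller who stays under the first two.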
“If you upload your phone number, it fetches user data in return,” Balic said in a statement. He matched phone numbers from users in Israel, Turkey, Greece, Armenia, France, and Germany. Over a two-month period, Balic began alerting users directly; his work came to a halt when Twitter blocked his efforts on December 20.
TechCrunch verified Balic's claim by comparing a random selection of user names with the phone numbers he provided. Not only did they match, the list included some prominent figures, such as a senior Israeli politician. Balic even took many of the phone numbers of high-profile Twitter users to a WhatsApp group to warn those users directly. A Twitter spokesperson said that the company takes these reports seriously and is actively investigating to ensure the vulnerability can't be exploited again.
This is not the first time Balic has found a vulnerability in the tech world. He is known for identifying a security flaw in Apple's developer center in 2013. As for Twitter, it has faced several vulnerabilities on its platform in the recent past. Last year, the platform alerted all users to change their passwords after it was discovered that it had stored passwords in plain text in an internal system.