Twitter flaw may have let spies unmask anonymous users: What to do
Upload a phone number, get a username
Oops. International cyberspies may have abused Twitter's interface to "scrape" the phone numbers of an undisclosed number of Twitter users and link them to existing Twitter accounts, Twitter announced in a blog post yesterday (Feb. 3).
That's no big deal if you use your real name, or are otherwise recognizable, on Twitter. But for people trying to hide their identities on the social network, it could be devastating.
Political dissidents, social activists, anonymous bloggers, whistle-blowers and other people who would rather remain unknown might have their covers blown, with possibly deadly consequences. Intelligence agencies can use mobile-phone numbers to target phones with spyware.
You might want to check your Twitter account now to see whether you're vulnerable to this kind of data scraping. In the Twitter mobile apps or on a desktop browser, go to Settings >> Privacy and safety >> Discoverability and contacts.
If "Let people who have your phone number find you on Twitter" or "Let others find you by your phone" is enabled, uncheck it.
We don't remember enabling this feature, yet it was turned on in all our Twitter accounts. We did give Twitter our phone number for purposes of two-factor authentication.
Fix one problem, find another
Twitter discovered this issue when investigating an incident on Christmas Eve 2019, when white-hat hacker Ibrahim Balic announced that he'd been able to link Twitter users to 17 million phone numbers.
"During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case," Twitter said in its blog post.
"We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia," the unsigned blog post added. "It is possible that some of these IP addresses may have ties to state-sponsored actors" — in other words, intelligence agencies and spies.
Balic's methods were simple: He uploaded randomly generated phone numbers, one by one, from the contacts list on an Android phone. (Twitter says it wouldn't have worked on an iPhone.)
If a number matched that of a Twitter user, the API would return that user's Twitter handle. The "state-sponsored actors" Twitter noticed seem to have been using similar methods.
A no-brainer
The dumb thing is that Twitter should have seen this coming. This is a very simple enumeration attack, in which you generate candidate numbers, feed them into an API one after another and collect whatever sensitive data comes back for the ones that match.
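To make the weakness concrete from the defender's side, here is an added example (not Twitter's code, and not the method Balic or Twitter described in any detail) that models a contact-sync lookup. The `lookup_weak` function behaves the way the article describes: any uploaded number that matches an account returns the handle. The `ContactSync` class is an assumed hardened design that honours the per-user "find me by phone" setting and caps how many numbers one client may upload, and `flag_high_volume_ips` is a simple detector over constructed log lines for the "high volume of requests from individual IP addresses" pattern Twitter said it observed. The directory, client ids, log format and thresholds are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample directory: phone number -> (handle, discoverable_by_phone).
# The False entries model users who unchecked "Let people who have your
# phone number find you on Twitter".
DIRECTORY = {
    "+15550000101": ("activist_a", False),
    "+15550000102": ("public_brand", True),
    "+15550000103": ("whistle_b", False),
}


def lookup_weak(numbers):
    """Weak behaviour described in the article: every uploaded number that
    matches an account returns that account's handle, with no per-user
    opt-out check and no limit on how many numbers a client may try."""
    return {n: DIRECTORY[n][0] for n in numbers if n in DIRECTORY}


class ContactSync:
    """Assumed hardened endpoint (illustrative, not Twitter's design):
    only discoverable users are matched, and each client gets a fixed
    budget of uploaded numbers per window, so random-number enumeration
    is both far less productive and quickly cut off."""

    def __init__(self, budget=1000):
        self.budget = budget          # max numbers per client per window
        self.used = Counter()         # numbers uploaded so far, per client

    def lookup(self, client_id, numbers):
        self.used[client_id] += len(numbers)
        if self.used[client_id] > self.budget:
            raise PermissionError(f"{client_id}: contact upload budget exceeded")
        matches = {}
        for n in numbers:
            entry = DIRECTORY.get(n)
            if entry is not None and entry[1]:   # honour the opt-out
                matches[n] = entry[0]
        return matches


# Constructed log format: "<timestamp> <source ip> POST /contacts/upload count=<n>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /contacts/upload count=(?P<count>\d+)$"
)


def flag_high_volume_ips(log_lines, max_numbers=5000):
    """Sum the numbers uploaded per source IP and return the IPs whose total
    exceeds max_numbers; a real address book is small, a scraping run is not."""
    totals = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            totals[m["ip"]] += int(m["count"])
    return sorted(ip for ip, total in totals.items() if total > max_numbers)


# Constructed log sample: one source uploading in bulk, one normal client.
SAMPLE_LOG = [
    "2019-12-24T10:00:00Z 203.0.113.7 POST /contacts/upload count=4000",
    "2019-12-24T10:00:05Z 203.0.113.7 POST /contacts/upload count=4000",
    "2019-12-24T10:01:00Z 198.51.100.2 POST /contacts/upload count=150",
]


if __name__ == "__main__":
    probe = ["+15550000101", "+15550000102", "+15559999999"]
    print("weak:", lookup_weak(probe))
    print("hardened:", ContactSync().lookup("client-1", probe))
    print("flagged:", flag_high_volume_ips(SAMPLE_LOG))
```

The two controls work together: the opt-out check means an enumeration run only ever learns about accounts whose owners chose to be findable by phone, and the upload budget bounds how much of the number space any one client can sweep before it is cut off, which is the point at which the volume-based detector should already have fired.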
Facebook got into trouble in mid-2018 for letting people search for Facebook members via their phone numbers, which was exploited via enumeration to create lists of otherwise unlisted mobile-phone numbers.
Way back in 2010, a pair of hackers enumerated iPad SIM-card ID numbers to scrape more than 100,000 email addresses from AT&T's website. In 2018, identity-protection company LifeLock fell victim to the same kind of attack.
In yesterday's blog post, Twitter said it had fixed the issue.
"We immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries," Twitter said. "Additionally, we suspended any account we believe to have been exploiting this endpoint."
We've reached out to Twitter to ask how many users might have been affected, and whether Twitter has any advice for those who were. We'll update this story when we receive a reply.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.