Is Twitter safe? Bug in Twitter app used to match 17 million phone numbers to user accounts

The latest security flaw comes just days after Twitter fixed another bug that allowed bad-actors to access non-public account information and control accounts to send tweets and direct messages

It seems like there's no end to Twitter's bug and vulnerability problems yet. The microblogging app had just recently advised it Android smartphone users to update their Twitter app following the discovery of a vulnerability in the app which allowed hackers access to users non-public account information and even control their accounts to send out tweets and DMs.

And now, another security flaw seems to have hit Twitter, and this time around too, it's the Android app that's affected. According to a TechCrunch report, a security researcher has managed to match at least 17 million phone numbers to Twitter user accounts by exploiting a vulnerability in Twitter's Android app.

Security flaw in Twitter's contacts upload feature

The security researcher, Ibrahim Balic said that it was possible to upload entire lists of phone numbers through Twitter's contacts upload feature. He says that if you upload your phone number, it fetches user data in return. However, Balic observed that Twitter's contact upload feature would not accept lists of phone numbers in sequential format as a way to prevent the matching, so he generated more than 2 billion phone numbers, one after another and uploaded them randomly through Twitter's Android app to prove his findings.

Twitter relaxes 140-character limit giving more room to tweet
A man reads tweets on his phone in front of a displayed Twitter logo in Bordeaux, southwestern France Reuters

As per the report, Balic matched phone number records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany over a period of two months, but his effort was stopped when Twitter blocked him from doing so on December 2020.

The security researcher also provided a sample of the phone numbers he matched to TechCrunch. And the popular technology blog was able to verify his findings by comparing a random selection of usernames with phone numbers that he provided using Twitter's password reset feature.

Only Android app affected

Balic says that the vulnerability is present only in the upload feature in the Android app and not in Twitter's web-based upload feature. The report further states that Balic did not alert Twitter about the vulnerability, instead he took the phone numbers of many high-profile Twitter users which included politicians and government officials and warned them directly using a WhatsApp group.

Balic is the same person who had identified a security breach that affected Apple's developer center back in 2013.

Unrelated to recently fixed bug

Balic's discovery is not believed to be related to the recent Twitter Android app vulnerability that allowed hackers to see non-public account information and control user accounts to send out tweets, and direct messages. Meanwhile, TechCrunch contacted a Twitter spokesperson who told them that the company was working to ensure this bug cannot be exploited again.

Twitter's response

The spokesperson told TechCrunch: "Upon learning of this bug, we have suspended the accounts used to inappropriately access people's personal information." The spokesperson reiterated that "protecting the privacy and safety" of the people who use Twitter was the company's "number one priority" and that the company is focused on stopping spam and abuse that originate from the use of Twitter.

2019 was a bad year for Twitter in terms of security lapses

This isn't the first security lapse that has affected Twitter in the last year. The company had admitted in May earlier this year, to having shared user location data to one of its partners even in spite of the users choosing not to share the data.

Twitter also admitted to giving its ad partners more user information than it should in August this year. And just last month Twitter confirmed that it used phone numbers provided by users for two-factor authentication for serving targeted ads. It's high time Twitter does something about its security and we hope next year will be a bug-free year for Twitter.

Related topics : Cybersecurity