
Twitter For Android App Bug Allowed Matching 17 Million Twitter Accounts With Phone Numbers

by Abeerah Hashim

Twitter for Android app had another bug that exposed users’ phone numbers. By exploiting the vulnerability, a researcher succeeded in matching 17 million phone numbers with Twitter accounts.

Twitter For Android App Bug

Reportedly, researcher Ibrahim Balic discovered a bug in the Twitter for Android app. As per his findings, the bug allowed matching users’ phone numbers without hassle.

Sharing the details with TechCrunch, the researcher revealed,

If you upload your phone number, it fetches user data in return.

The bug existed with Twitter’s contacts upload feature that accepted entire lists of phone numbers. Though the feature didn’t allow lists in a sequential format, it did accept random ones.

Hence, to test the bug the researcher generated a random list of two billion phone numbers. He then uploaded them to Twitter via the Android app.

Consequently, he matched 17 million phone numbers over a period of two months. The affected users predominantly belonged to Israel, Greece, Armenia, Iran, Turkey, Germany and France.
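The article describes a contact-upload endpoint that returned account matches for arbitrary lists of phone numbers and rejected only obviously sequential lists, which is the gap a random list slipped through. The following is an added defender-side example, not Twitter's code: a guard for such an endpoint that keeps the sequential check the article implies existed and adds the controls that would have limited bulk matching (a hard cap per upload, a per-account lookup budget, and a match-rate signal that separates a real address book from guessed numbers). The class, thresholds, account names and phone numbers are all constructed for illustration.

```python
"""Added example (not Twitter's code): abuse checks for a contact-upload
(phone number -> account) matching endpoint. All thresholds are assumptions."""
import random
from collections import defaultdict, deque

MAX_BATCH = 500          # numbers accepted per upload
DAILY_BUDGET = 5_000     # numbers one account may look up per window
WINDOW_SECONDS = 86_400
MIN_MATCH_RATE = 0.02    # real address books match far more often than guesses
MIN_SAMPLE = 1_000       # do not judge a match rate on a tiny sample


def _looks_sequential(numbers):
    """The weak check the article implies was present: reject lists that are
    mostly consecutive numbers. Random lists pass this, so it is not enough."""
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    if len(digits) < 2:
        return False
    consecutive = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return consecutive / (len(digits) - 1) > 0.5


class ContactSyncGuard:
    def __init__(self, directory):
        self.directory = directory              # registered phone numbers
        self.uploads = defaultdict(deque)       # account -> (ts, count, hits)

    def _prune(self, account, now):
        q = self.uploads[account]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()

    def lookup(self, account, numbers, now):
        """Return (decision, matches); decision is 'ok', 'rejected' or 'flagged'.
        A flagged account gets no results and should be sent to review."""
        if len(numbers) > MAX_BATCH or _looks_sequential(numbers):
            return "rejected", []
        self._prune(account, now)
        q = self.uploads[account]
        used = sum(c for _, c, _ in q)
        if used + len(numbers) > DAILY_BUDGET:
            return "rejected", []
        matches = [n for n in numbers if n in self.directory]
        q.append((now, len(numbers), len(matches)))
        total = used + len(numbers)
        hits = sum(h for _, _, h in q)
        if total >= MIN_SAMPLE and hits / total < MIN_MATCH_RATE:
            return "flagged", []            # withhold results, alert on the account
        return "ok", matches


def simulate():
    """Run four constructed scenarios against a fresh guard and report decisions."""
    directory = {f"+1555000{7 * i:04d}" for i in range(50)}   # constructed users
    guard = ContactSyncGuard(directory)
    results = {}
    # 1. genuine address-book sync: half the contacts are registered users
    book = [f"+1555000{7 * i:04d}" for i in range(15)] + \
           [f"+1555111{7 * i:04d}" for i in range(15)]
    decision, matches = guard.lookup("alice", book, now=0)
    results["genuine"] = (decision, len(matches))
    # 2. oversize upload is rejected outright
    results["oversize"] = guard.lookup("bob", ["+10000000000"] * (MAX_BATCH + 1), now=0)[0]
    # 3. sequential list is rejected by the original-style check
    results["sequential"] = guard.lookup("eve", [f"+1777000{i:04d}" for i in range(200)], now=0)[0]
    # 4. random-list enumeration: passes the sequential check, but almost nothing
    #    matches, so the match-rate signal flags it and the budget then cuts it off
    rng = random.Random(7)
    decisions = []
    for k in range(11):
        batch = [f"+1999{rng.randrange(10**6):06d}" for _ in range(MAX_BATCH)]
        decisions.append(guard.lookup("mallory", batch, now=k * 60)[0])
    results["enumeration"] = decisions
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

The match-rate signal is the control that matters most here: a contact list from a real phone contains many registered users, whereas guessed numbers, random or not, match at a rate close to the fraction of the whole number space that is registered. Withholding results once that rate falls below the threshold stops the leak without needing to recognise any particular pattern in the uploaded list.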

Twitter Addressed The Matter

Instead of informing Twitter, the researcher went on to directly alert users by sharing some high-profile numbers in a WhatsApp group. While the researcher continued matching users’ phone numbers, Twitter eventually blocked the procedure on December 20, 2019. According to a Twitter spokesperson’s statement to TechCrunch,

Upon learning of this bug, we suspended the accounts used to inappropriately access people’s personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter’s APIs.

Recently, Twitter also disclosed a vulnerability that allowed an attacker to take control of users’ accounts. Although the two reports surfaced online one after the other, the bugs appear unrelated given their differing nature and means of exploitation.
