Home Hacking News Twitter Revealed Exploitation of Android App Flaw That Allowed Matching Phone Numbers With User Accounts

Twitter Revealed Exploitation of Android App Flaw That Allowed Matching Phone Numbers With User Accounts

by Abeerah Hashim
Twitter API key leak

Towards the end of 2019, a researcher found a serious flaw in Twitter for Android app. The bug allowed matching random phone numbers with users’ accounts. Now, Twitter has disclosed exploitation of the flaw by some accounts.

Exploitation Of Twitter for Android App Flaw

In December 2019, a researcher found a security flaw in the contacts upload feature of the Twitter for Android app. Exploiting the bug allowed an attacker to match a random list of phone numbers with 17 million user accounts within two months.

Recently, Twitter has not only confirmed the existence of the bug but has also disclosed its exploitation. As stated in their post,

We discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case.

This includes real-time potentially malicious exploitation of the flaw beyond the researcher who first reported it. In brief, Twitter found a large number of users in different countries involved in exploiting the bug. However, they found particularly high exploitation from some regions.

We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors.

Twitter Confirmed The Patches

In their notice, they confirmed that the flaw affected accounts who have enabled the “Let people who have your phone number find you on Twitter” option. Whereas, the other accounts remained safe. This feature particularly aimed at assisting new Twitter users in finding their acquaintances on Twitter.

However, following the exploitation of the bug, Twitter made changes to the API endpoint.

After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries.

Moreover, they also suspended accounts they found exploiting the flaw.

Let us know your thoughts in the comments.

You may also like