Twitter has recently identified and closed down a vast network of fake accounts worldwide that collectively abuses a function that allows them to match mobile numbers to user accounts. TechCrunch previously said this same problem on December 24, 2019, which is likewise the day Twitter says that it "has become aware" that the abuse was taking place.
Security Researcher Discovered Bug on Twitter App
Security researcher Ibrahim Balic discovered a bug in Android's Twitter app. What Balic found made him submit thousands and thousands of smartphone numbers through an official API, which returned any associated user account.
We recently discovered an issue that allowed bad actors to match a specific phone number with the corresponding accounts on Twitter. We quickly corrected this issue and are sorry this happened. You can learn more about our investigation here: https://t.co/Z6Q4geQ8jo — Twitter Support (@TwitterSupport) February 3, 2020
The feature - if enabled - would allow your friends to search your Twitter handle through your mobile number. However, submitting tens of millions of numbers goes "beyond its supposed use case."
Users who have turned off the feature are not affected by the bug. The phone numbers furthermore include those enrolled for purposes of two-factor authentication. Hence, the users who used Twitter's feature might have been vulnerable to this exploit without knowing it.
ALSO READ: Twitter acknowledges 23 million active users are actually bots
Several Twitter Users Took Advantage of the Bug, Investigator Says
Twitter's investigators identified more accounts that had been exploiting the bug when the microblogging and social networking service was alerted to the issue. However, a representative refused to provide the figures.
In a security bulletin, Twitter has observed a specifically disproportionate amount of requests coming from individual IP addresses located in Iran, Israel, and Malaysia. "A number of these IP addresses might also have ties to state-sponsored actors," the bulletin continued.
Any account suspected of abusing the feature becomes suspended. The API itself has been altered to prevent any further exploitation of this feature.
ALSO READ: Twitter Tested New Feature That Suggested Accounts To Unfollow: Here's The Reason Behind It
Twitter Admits Taking Advantage of Two-Factor Phone Numbers, Emails for Serving Targeted Ads
Twitter has had several incidents where it uncovered or leaked user records over 2019. The organization, however, admitted it used mobile numbers provided by Twitter netizens for the two-way authentication to serve focused ads. The social media giant said it did not know how many users were affected. Twitter admitted its targeted ad was "an error" and apologized.
The challenge stemmed from the corporation's tailor-made audiences program. The scheme allows the agencies to target classified ads to their own advertising and marketing lists through the user's mobile numbers and email addresses. After advertisers uploaded their advertising lists, it matched Twitter customers to the details that users submitted to set up two-way authentication on their account.
Two-way authentication is an essential security feature that makes it more challenging for hackers to hack into personal accounts. Although a few use their cellphone change as a way to acquire two-way codes, it's a method that has long been prone to interception and SIM swapping attacks. Users were urged to transfer to Twitter's authenticator-based two-way verification.
In 2018, the organization admitted to storing passwords in plain text, which disclosed a mobile number leak bug despite understanding approximately it for two years. It confirmed a location statistics leak in May.
ALSO READ: There Might Soon Be A 'Hide Tweet' Option On Twitter
