December 26, 2019 weblog
Twitter Android app milked for matching phone numbers, accounts
Ibrahim Balic has become a name Twitter will certainly remember. The researcher discovered a flaw in Twitter's Android app that, when he uploaded phone numbers, handed him the sorry gift of 17 million of them matched with accounts.
He was doing this for two months, said reports, before Twitter blocked him on December 20.
Such matches were made in Israel, Turkey, Iran, Greece, Armenia and Germany. Some of the accounts were of government officials, said reports.
Zack Whittaker, security editor at TechCrunch, had the much-quoted story of the researcher's phone-number-to-account exploit. Specifically, wrote Whittaker, Balic "generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)"
Bill Toulas in TechNadu similarly pointed out that Twitter had a block in place preventing uploading lists of numbers in a sequential format, in anticipation that abuse was possible, but uploading "humongous lists" through the Android app was "still perfectly doable."
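The gap Toulas describes is a filter that looks only at the shape of one list. The following is an added illustration, not Twitter's code: a sequence check alone (the block the article says was in place) lets a randomized batch through, while per-account volume quotas, with hypothetical thresholds, also catch oversized and chunked uploads. The batches are constructed integers, not real phone numbers.

```python
import random
from collections import defaultdict

def is_sequential(numbers, min_run=5):
    """Flag a batch containing a run of consecutive numbers: the kind of
    block the article says Twitter already had in place."""
    s = sorted(numbers)
    run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= min_run:
            return True
    return False

class ContactUploadGuard:
    """Per-account volume limits (hypothetical thresholds) that catch the
    randomized and chunked bulk uploads a sequence check alone misses."""
    def __init__(self, per_upload_cap=500, per_account_daily_cap=2000):
        self.per_upload_cap = per_upload_cap
        self.per_account_daily_cap = per_account_daily_cap
        self.uploaded_today = defaultdict(int)

    def check(self, account, numbers):
        """Return (allowed, reason) for one upload attempt."""
        if is_sequential(numbers):
            return False, "sequential list"
        if len(numbers) > self.per_upload_cap:
            return False, "oversized upload"
        if self.uploaded_today[account] + len(numbers) > self.per_account_daily_cap:
            return False, "account quota exceeded"
        self.uploaded_today[account] += len(numbers)
        return True, "ok"

# Constructed sample batches (plain integers, not real phone numbers).
SEQUENTIAL_BATCH = list(range(15_550_000_000, 15_550_001_000))
RANDOMIZED_BATCH = random.Random(1).sample(range(10**9, 2 * 10**9), 1000)
BIG_BATCH = random.Random(2).sample(range(10**9, 2 * 10**9), 3000)

def sequence_check_only(numbers):
    """What a sequence-only filter decides: True means the batch is allowed."""
    return not is_sequential(numbers)

def chunked_upload_outcome(guard, account, numbers, chunk=250):
    """Split a large list into small uploads (each under the per-upload cap)
    and return the first rejection reason, or 'ok' if every chunk passed."""
    for i in range(0, len(numbers), chunk):
        allowed, reason = guard.check(account, numbers[i:i + chunk])
        if not allowed:
            return reason
    return "ok"
```

With these thresholds a sequence-only filter passes the randomized batch, the guard rejects it as oversized, and splitting a 3000-number list into 250-number chunks is stopped by the daily quota on the ninth chunk.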
TechCrunch, in fact, wanted to see for itself if Balic's experience could pan out for them too. Whittaker reported the in-house results. "Using the site's password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided. In one case, TechCrunch was able to identify a senior Israeli politician using their matched phone number."
This would not be the first time security watchers heard of Balic, who was previously known for identifying, in 2013, a security flaw that affected Apple's developer center.
Stacy Liberatore in the Daily Mail said that "Although Balic did not alert Twitter to the bug, he took it upon himself to let high-profile users know about it via WhatsApp."
Jon Fingas in Engadget, meanwhile, reported that company spokesperson Aly Pavela said the company was investigating the bug. "It blocked the activity by suspending the accounts used to get people's information," Fingas said.
He showed Twitter's statement in response:
"We take these reports seriously and are actively investigating to ensure this bug can't be exploited again. When we learned about this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from the use of Twitter's APIs."
Toulas, in TechNadu, reported on how things stood by Wednesday. "As a spokesperson of the platform stated, they will now take care of the API gaps that allow this kind of abuse."
Meanwhile, the news of the match-ups drew reader responses in Engadget that are informative too. They show that not everyone reacts the same way to headlines about data breaches and contact reveals. The reactions run the gamut: from those hardened by all this, who say that if you have nothing to hide then just chill, your phone number is not the end of the world, to those who say no, in the digital age it actually is a big deal.
A sample among the disgusted: "Ugh, never trust these companies with your number." And another: "I'm not dumb enough to include my phone number with a social networking website. Any site which requires a phone number for account creation isn't worth my time."
No-Big-Deal comment: "Sounds just awful...oh right remember for decades when we had these crazy things called phone books that had not only your phone number but also home address in them? The horror."
Counter-comment: "It's not about the information on a per-person basis, but how the information can be abused far and wide across hundreds, thousands and millions of people around the world quickly and cheaply."
© 2019 Science X Network