Twitter has suffered another data breach, this time connected to its app for Android. A security researcher was able to discover a bug by uploading millions of phone numbers to Twitter’s Android app and matching them to user accounts. Usually, Twitter does not allow users to upload lists of phone numbers in a sequence, but the researcher found out the way to bypass this feature.
Ibrahim Balic, the researcher, generated lots of mobile phone numbers, sorted them randomly, and uploaded them to the app through the contacts upload feature. Once the user uploads the phone number, Twitter fetches matching data, according to Ibrahim Balic.
The researcher did not report the bug to Twitter directly. Instead, he notified some users about the vulnerability in a specially created WhatsApp group.
In two months, he managed to match phone numbers with accounts that belong to users from such countries such as Israel, Armenia, Germany, Greece, Iran, France, etc. Some of the users were political figures or government officials. On December 20, Twitter blocked Balic’s attempts because he was able to match numbers of influential people all over the world.
A week ago, Twitter warned its users about the need to update their Android apps because of some vulnerability and in order to be secure. However, it’s still unclear whether Twitter meant this particular bug the researcher discovered.
Aly Pavela, the Twitter spokeswoman, said in a statement,
We take these reports seriously and are actively investigating to ensure this bug can't be exploited again. When we learned about this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from the use of Twitter's APIs.
