Sponsored Links

Twitter flaw let a researcher match 17 million phone numbers with users (updated)

These included high-profile politicians.
Guillaume Payen/SOPA Images/LightRocket via Getty Images
Guillaume Payen/SOPA Images/LightRocket via Getty Images
Jon Fingas
Jon Fingas|@jonfingas|December 24, 2019 1:09 PM

Yes, it's another Twitter security issue in the space of just a few days. Security researcher Ibrahim Balic told TechCrunch that Twitter's Android app had a flaw that allowed him to match 17 million phone numbers with their respective user accounts. While Twitter's contact upload feature doesn't allow phone number lists in sequential format, Balic discovered that he could generate phone numbers, randomize them and upload them to Twitter to learn who used a given number.

The users were in countries like France, Greece and Turkey, and some of them were politicians and officials. TechCrunch found a senior Israeli politician, for instance.

Balic didn't notify Twitter, but did warn some users directly. Twitter blocked his effort on December 20th and hasn't publicly acknowledged the flaw so far. We've asked Twitter for comment.

This hasn't been Twitter's best year in terms of security. On top of the two most recent flaws, it accidentally shared location data and acknowledged that phone numbers might have been used for ad targeting. While major damage hasn't ensued from these incidents, it's clear Twitter will have to put in some effort if it's going to reassure users.

Update 12/24 6:25PM ET: Twitter spokeswoman Aly Pavela said the company took reports like this "seriously" and that it was "actively investigating" the bug. It blocked the activity by suspending the accounts used to get people's information. You can read Twitter's full statement below.

To no one's surprise, the company also said that it wasn't thrilled with Balic's approach. In addition to disclosing to a media outlet rather than Twitter, he accomplished the feat using hundreds of fake accounts with over 50 active Android sessions each. Given that Twitter already spends a lot of energy taking down fake accounts, it probably doesn't want any more messes to clean up.

"We take these reports seriously and are actively investigating to ensure this bug can't be exploited again. When we learned about this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from the use of Twitter's APIs. "

Twitter flaw let a researcher match 17 million phone numbers with users (updated)