Latest in Gear

Image credit: Guillaume Payen/SOPA Images/LightRocket via Getty Images

Twitter flaw let a researcher match 17 million phone numbers with users (updated)

These included high-profile politicians.
303 Shares
Share
Tweet
Share

Sponsored Links

Guillaume Payen/SOPA Images/LightRocket via Getty Images

Yes, it's another Twitter security issue in the space of just a few days. Security researcher Ibrahim Balic told TechCrunch that Twitter's Android app had a flaw that allowed him to match 17 million phone numbers with their respective user accounts. While Twitter's contact upload feature doesn't allow phone number lists in sequential format, Balic discovered that he could generate phone numbers, randomize them and upload them to Twitter to learn who used a given number.

The users were in countries like France, Greece and Turkey, and some of them were politicians and officials. TechCrunch found a senior Israeli politician, for instance.

Balic didn't notify Twitter, but did warn some users directly. Twitter blocked his effort on December 20th and hasn't publicly acknowledged the flaw so far. We've asked Twitter for comment.

This hasn't been Twitter's best year in terms of security. On top of the two most recent flaws, it accidentally shared location data and acknowledged that phone numbers might have been used for ad targeting. While major damage hasn't ensued from these incidents, it's clear Twitter will have to put in some effort if it's going to reassure users.

Update 12/24 6:25PM ET: Twitter spokeswoman Aly Pavela said the company took reports like this "seriously" and that it was "actively investigating" the bug. It blocked the activity by suspending the accounts used to get people's information. You can read Twitter's full statement below.

To no one's surprise, the company also said that it wasn't thrilled with Balic's approach. In addition to disclosing to a media outlet rather than Twitter, he accomplished the feat using hundreds of fake accounts with over 50 active Android sessions each. Given that Twitter already spends a lot of energy taking down fake accounts, it probably doesn't want any more messes to clean up.

"We take these reports seriously and are actively investigating to ensure this bug can't be exploited again. When we learned about this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from the use of Twitter's APIs. "

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
303 Shares
Share
Tweet
Share

Popular on Engadget

Comcast officially purchases Xumo ad-supported streaming service

Comcast officially purchases Xumo ad-supported streaming service

View
Uber, Lyft may create more CO2 emissions than trips they displace

Uber, Lyft may create more CO2 emissions than trips they displace

View
Grimes details her character's backstory in 'Cyberpunk 2077'

Grimes details her character's backstory in 'Cyberpunk 2077'

View
Disney CEO Bob Iger steps down after getting Disney+ off the ground

Disney CEO Bob Iger steps down after getting Disney+ off the ground

View
Smithsonian opens up 2.8 million images to the public

Smithsonian opens up 2.8 million images to the public

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr