Image credit: Guillaume Payen/SOPA Images/LightRocket via Getty Images

Twitter flaw let a researcher match 17 million phone numbers with users (updated)

These included high-profile politicians.
Yes, it's another Twitter security issue in the space of just a few days. Security researcher Ibrahim Balic told TechCrunch that Twitter's Android app had a flaw that allowed him to match 17 million phone numbers with their respective user accounts. Twitter's contact upload feature rejects lists of phone numbers submitted in sequential order, but Balic found that this was the only obstacle: he generated large batches of numbers, shuffled them so they no longer looked sequential, and uploaded them through the feature, which then told him which account, if any, was linked to each number.
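The paragraph above describes a check that only rejects sequential lists, and a bypass that consists of shuffling them. The following added example (not code from Twitter or from Balic; all function names, thresholds and sample data are assumptions constructed for illustration) shows why an order-based rule is weak and what a block-density check adds: an enumeration list saturates whole blocks of the numbering space no matter how it is ordered, while a genuine address book is sparse.

```python
"""Contact-upload enumeration: a naive 'no sequential numbers' rule versus a
block-density rule. Hypothetical detection logic, not Twitter's real checks."""
import random
from collections import Counter


def enumeration_list(start, count, seed=0):
    """Attacker-style upload as the article describes it: a contiguous block of
    numbers, shuffled so that no long sequential run appears in upload order.
    Constructed sample data."""
    numbers = list(range(start, start + count))
    random.Random(seed).shuffle(numbers)
    return numbers


def address_book(seed=1, size=300, lo=33600000000, hi=33799999999):
    """Constructed stand-in for a real user's contacts: a few hundred numbers
    scattered across a whole national numbering range (French-looking
    numbers chosen arbitrarily)."""
    rng = random.Random(seed)
    return rng.sample(range(lo, hi + 1), size)


def looks_sequential(numbers, min_run=20):
    """Naive rule: flag the upload if it contains a run of `min_run` numbers that
    increase by exactly one in upload order. A shuffle defeats this."""
    run = 1
    for a, b in zip(numbers, numbers[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= min_run:
            return True
    return False


def max_block_density(numbers, block_size=1000):
    """Fraction of the most densely covered block of `block_size` consecutive
    numbers, independent of upload order. Enumeration fills blocks completely;
    a real contact list rarely puts more than a handful in one block."""
    if not numbers:
        return 0.0
    counts = Counter(n // block_size for n in set(numbers))
    return max(counts.values()) / block_size


def looks_like_enumeration(numbers, block_size=1000, threshold=0.05):
    """Density rule: flag the upload if any block is more than `threshold`
    covered. The threshold is an assumption, not a measured value."""
    return max_block_density(numbers, block_size) >= threshold


if __name__ == "__main__":
    shuffled = enumeration_list(33612345000, 5000)
    print("shuffled list: sequential rule ->", looks_sequential(shuffled),
          "| density rule ->", looks_like_enumeration(shuffled))
    book = address_book()
    print("address book:  sequential rule ->", looks_sequential(book),
          "| density rule ->", looks_like_enumeration(book))
```

The density rule is order-independent, so the bypass the article describes does nothing against it; in practice it would sit alongside per-account and per-device rate limits on the upload endpoint, which is where the "hundreds of fake accounts" in Twitter's statement come in.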

The users were in countries like France, Greece and Turkey, and some of them were politicians and officials. TechCrunch found a senior Israeli politician, for instance.

Balic didn't notify Twitter, but did warn some users directly. Twitter blocked his effort on December 20th and hasn't publicly acknowledged the flaw so far. We've asked Twitter for comment.

This hasn't been Twitter's best year in terms of security. On top of the two most recent flaws, it accidentally shared location data and acknowledged that phone numbers might have been used for ad targeting. While major damage hasn't ensued from these incidents, it's clear Twitter will have to put in some effort if it's going to reassure users.

Update 12/24 6:25PM ET: Twitter spokeswoman Aly Pavela said the company took reports like this "seriously" and that it was "actively investigating" the bug. It blocked the activity by suspending the accounts used to get people's information. You can read Twitter's full statement below.

To no one's surprise, the company also said that it wasn't thrilled with Balic's approach. In addition to disclosing to a media outlet rather than Twitter, he accomplished the feat using hundreds of fake accounts with over 50 active Android sessions each. Given that Twitter already spends a lot of energy taking down fake accounts, it probably doesn't want any more messes to clean up.

"We take these reports seriously and are actively investigating to ensure this bug can't be exploited again. When we learned about this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from the use of Twitter's APIs."
