Image credit: bombuscreative via Getty Images

Twitter admits 'bad actors' exploited phone number matching feature

It says the fake accounts it suspended 'may have ties to state-sponsored actors.'
Twitter has revealed that it has discovered and suspended accounts abusing a feature that allowed users to match phone numbers with usernames. By announcing the privacy issue, it's also confirming the flaw discovered by security researcher Ibrahim Balic in December 2019. Balic found that Twitter's Android app had a vulnerability that allowed him to match 17 million phone numbers with their respective accounts. While you can look up contacts using their phone numbers on the platform, Twitter says matching a massive amount of numbers with accounts goes "beyond [the feature's] intended use case."

The company says that after suspending the first set of fake accounts exploiting the flaw -- presumably Balic's, since he created hundreds of sock puppet accounts for his investigation -- it found more. Those additional accounts were located in a wide range of countries, but most of them were in Iran, Israel and Malaysia, based on the IP addresses Twitter traced.

"It is possible that some of these IP addresses may have ties to state-sponsored actors," its announcement reads. "We are disclosing this out of an abundance of caution and as a matter of principle."

Although the flaw allowed bad actors to look up millions of phone numbers belonging to people they don't know, users who don't have the "Let people who have your phone number find you on Twitter" setting enabled weren't affected. Further, Twitter suspended all the offending accounts it found and modified its API to prevent bad actors from exploiting the number matching feature going forward.
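The two defences the article mentions (honouring the opt-in discoverability setting and capping how many numbers one account can match) can be sketched as a small contact-matching service. This is an added illustrative example, not Twitter's code, and the caps, class names and sample accounts are constructed assumptions:

```python
from dataclasses import dataclass

# Assumed limits: a contact-sync upload is a handful of numbers, not millions.
MAX_NUMBERS_PER_REQUEST = 50
MAX_LOOKUPS_PER_DAY = 500


@dataclass
class Account:
    username: str
    phone: str
    discoverable_by_phone: bool  # the "Let people who have your phone number find you" setting


@dataclass
class Caller:
    account_id: str
    lookups_today: int = 0


class ContactMatcher:
    def __init__(self, accounts):
        # Index only users who opted in: a non-discoverable number can never be resolved.
        self._by_phone = {a.phone: a.username for a in accounts if a.discoverable_by_phone}
        self.budget_alerts = []  # callers who hit the daily budget (detection signal)

    def match(self, caller, phones):
        """Return {phone: username} for opted-in matches, enforcing per-request and daily caps."""
        phones = list(dict.fromkeys(phones))  # de-duplicate so repeats do not inflate the count
        if len(phones) > MAX_NUMBERS_PER_REQUEST:
            raise ValueError("too many numbers in one contact-sync request")
        if caller.lookups_today + len(phones) > MAX_LOOKUPS_PER_DAY:
            self.budget_alerts.append(caller.account_id)
            raise PermissionError("daily contact-matching budget exhausted")
        caller.lookups_today += len(phones)
        return {p: self._by_phone[p] for p in phones if p in self._by_phone}


def demo():
    """Constructed accounts: alice opted in, bob did not."""
    matcher = ContactMatcher([
        Account("alice", "+15550000001", True),
        Account("bob", "+15550000002", False),
    ])
    caller = Caller("sync-client-1")
    return matcher, caller, matcher.match(caller, ["+15550000001", "+15550000002", "+15550000003"])
```

Bulk enumeration shows up as callers repeatedly hitting the daily budget, which is the signal to investigate and suspend, as Twitter did.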

Source: Twitter