
Twitter’s mobile app may have some dangerous holes in it. A security researcher has found a flaw in the social media network’s app that allowed him to tie over seventeen million user accounts to their verified phone numbers. Ibrahim Balic noted that, by using the app’s contact upload feature, he could create entire lists of generated phone numbers. If you upload the data, the app fetches the details in response.
Working Around the Obvious Limitations
Twitter’s app stops subsequent uploads of lists of phone numbers for this very reason – to prevent exploits that could use it as a data store for user information. Balic worked around these limitations of the upload system by avoiding the web-based upload system and using the Android app instead. In this case, the system managed to deliver the correct information for over two billion randomly generated phone numbers.
Potentially Sensitive Information
While Twitter accounts and handles are public information, the phone numbers attached to these accounts are the user’s private data. The data recovered from this breach included high-profile individuals, including politicians and government officials in several countries. Balic didn’t inform Twitter of the exploit but instead took the high-profile candidates into a WhatsApp chat to tell them of the severity of their data breach. Twitter did mention a potential problem earlier this week in their blog that might be the same one discovered by Balic. Twitter’s spokesperson commented that the company was working on a method to plug the flaw as soon as possible.
Twitter’s Security Reputation Suffers Another Blow
Social media is notorious for playing fast and loose with user data. In May, Twitter admitted to divulging user location data to a business partner, even after the user had explicitly opted out of the exchange. In November, the company admitted guilt for using phone numbers intended for two-factor authentication to serve ads to users. This latest breach is just another example of Twitter’s lackadaisical approach to securing user data and privacy.