Oops. International cyberspies may have abused Twitter's interface to "scrape" the phone numbers of an undisclosed number of Twitter users and link them to existing Twitter accounts, Twitter announced in a blog post yesterday (Feb. 3).
That's no big deal if you use your real name, or are otherwise recognizable, on Twitter. But for people trying to hide their identities on the social network, it could be devastating.
Political dissidents, social activists, anonymous bloggers, whistle-blowers and other people who would rather remain unknown might have their covers blown, with possibly deadly consequences. Intelligence agencies can use mobile-phone numbers to target phones with spyware.
You might want to check your Twitter account now to see whether you're vulnerable to this kind of data scraping. In the Twitter mobile apps or on a desktop browser, go to Settings >> Privacy and safety >> Discoverability and contacts.
If "Let people who have your phone number find you on Twitter" or "Let others find you by your phone" is enabled, uncheck it.
We don't remember enabling this feature, yet it was checked on in all our Twitter accounts. We did give Twitter our phone number for purposes of two-factor authentication.
Fix one problem, find another
Twitter discovered this issue when investigating an incident on Christmas Eve 2019, when white-hat hacker Ibrahim Balic announced that he'd been able to link Twitter users to 17 million phone numbers.
"During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case," Twitter said in its blog post.
"We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia," the unsigned blog post added. "It is possible that some of these IP addresses may have ties to state-sponsored actors" — in other words, intelligence agencies and spies.
Balic's methods were simple: He uploaded randomly generated phone numbers, one by one, from the contacts list on an Android phone. (Twitter says it wouldn't have worked on an iPhone.)
If a number matched that of a Twitter user, the API would return that user's Twitter handle. The "state-sponsored actors" Twitter noticed seem to have been using similar methods.
The dumb thing is that Twitter should have seen this coming. This is a very simple enumeration attack: you generate candidate values, feed them into an API in bulk, and keep whatever the API confirms. The API never "leaks" anything it wasn't designed to return; the flaw is that it answers too many queries, too fast, for too many people who never asked to be findable.
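To make the attack and the fix concrete, here is an added example (not Twitter's code, and not the actual endpoint) that models a contact-matching API the way the article describes it, runs a number-enumeration loop against it, and then runs the same loop against a hardened version that honours the "let people find you by your phone" opt-in, caps batch size and rate-limits per source address. User handles, phone numbers, the IP address, class and function names and the rate-limit thresholds are all made up for the example.

```python
from collections import defaultdict

# Constructed sample user base: phone number -> (handle, phone-discoverability opt-in).
# Everything here is invented for the example.
USERS = {
    "+15550100001": ("alice", True),
    "+15550100002": ("dissident_42", False),   # opted out of being found by phone
    "+15550100003": ("bob", True),
    "+15550100004": ("anon_blogger", False),   # opted out of being found by phone
}


class VulnerableContactsApi:
    """Models the flawed behaviour described above: every uploaded number that
    matches an account returns that account's handle, with no regard for the
    user's discoverability setting and no limit on request volume."""

    def __init__(self, users):
        self.users = users

    def match(self, client_ip, numbers):
        return {n: self.users[n][0] for n in numbers if n in self.users}


class HardenedContactsApi:
    """Same endpoint with three assumed mitigations (an illustrative design,
    not Twitter's documented fix): honour the opt-in, cap the batch size,
    and count numbers per source address so bulk enumeration is cut off
    and leaves an alert behind for the security team."""

    def __init__(self, users, max_batch=50, max_numbers_per_window=200):
        self.users = users
        self.max_batch = max_batch
        self.max_per_window = max_numbers_per_window
        self.usage = defaultdict(int)   # numbers submitted per IP in this window
        self.alerts = []                # IPs that tripped the limit

    def match(self, client_ip, numbers):
        if len(numbers) > self.max_batch:
            raise ValueError("batch too large")
        self.usage[client_ip] += len(numbers)
        if self.usage[client_ip] > self.max_per_window:
            self.alerts.append(client_ip)
            raise PermissionError("rate limit exceeded for %s" % client_ip)
        # Only users who opted in to phone discoverability are ever returned.
        return {n: self.users[n][0]
                for n in numbers if n in self.users and self.users[n][1]}


def enumerate_numbers(api, client_ip, prefix="+1555010", count=10000, batch=50):
    """Attacker loop: walk a whole number block sequentially, submit it in
    batches (as a bulk contact upload would) and collect every
    (number, handle) pair the endpoint confirms. Stops when throttled."""
    candidates = ["%s%04d" % (prefix, i) for i in range(count)]
    found = {}
    for i in range(0, len(candidates), batch):
        try:
            found.update(api.match(client_ip, candidates[i:i + batch]))
        except PermissionError:
            break
    return found


if __name__ == "__main__":
    ip = "203.0.113.5"  # documentation-range address, invented for the example
    print("vulnerable:", enumerate_numbers(VulnerableContactsApi(USERS), ip))
    hardened = HardenedContactsApi(USERS)
    print("hardened:  ", enumerate_numbers(hardened, ip))
    print("alerts:    ", hardened.alerts)
```

Against the vulnerable endpoint the loop recovers every account in the block, including the two users who switched discoverability off. Against the hardened one it gets at most the opted-in users before the per-address counter cuts it off, and the source IP lands in the alert list, which is exactly the "particularly high volume of requests coming from individual IP addresses" signal that Twitter describes noticing only after the fact.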
Facebook got into trouble in mid-2018 for letting people search for Facebook members via their phone numbers, which was exploited via enumeration to create lists of otherwise unlisted mobile-phone numbers.
Way back in 2010, a pair of hackers enumerated iPad SIM-card ID numbers to scrape more than 100,000 email addresses from AT&T's website. In 2018, identity-protection company LifeLock fell victim to the same kind of attack.
In yesterday's blog post, Twitter said it had fixed the issue.
"We immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries," Twitter said. "Additionally, we suspended any account we believe to have been exploiting this endpoint."
We've reached out to Twitter to ask how many users might have been affected, and whether Twitter has any advice for those who were. We'll update this story when we receive a reply.