Twitter Warns ‘State-Sponsored Actors’ Accessed Phone Numbers

Twitter has revealed the results of an investigation and warned that it had discovered attempts by ‘state-sponsored actors’ to access the phone numbers associated with user accounts.

It comes after security researcher Ibrahim Balic warned in December of a flaw in Twitter’s “contacts upload” feature of its Android app. Balic reportedly exploited the flaw to match 17 million phone numbers to specific Twitter user accounts.

In October last year, Twitter admitted that it had unintentionally misused user’s personal data for advertising purposes. It had used the email addresses and phone numbers that users supply to Twitter for security purposes, namely for two-factor authentication.

State hack?

But in a post on its privacy blog, Twitter admitted that it had discovered attempts by possible state actors to access the phone numbers associated with user accounts, using the same approach that Balic had found.

“On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers,” blogged Twitter. “We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it.”

“While we identified accounts located in a wide range of countries engaging in these behaviours, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” it said. “It is possible that some of these IP addresses may have ties to state-sponsored actors.”

Twitter said that the flaw affected those Twitter accounts for people who have enabled the “Let people who have your phone number find you on Twitter” option and who have a phone number associated with their Twitter account.

“People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability,” it said.

“After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries,” said Twitter. “Additionally, we suspended any account we believe to have been exploiting this endpoint.”

Very sorry

“We’re very sorry this happened,” it said. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

A company spokeswoman speaking to Reuters, declined to say how many user phone numbers had been exposed, saying Twitter was unable to identify all of the accounts that may have been impacted.

She reportedly said Twitter suspected a possible connection to state-backed actors because the attackers in Iran appeared to have had unrestricted access to Twitter, even though the network is banned there.

Security experts were quick to highlight how bug bounty programs may not work when trying to located weaknesses in APIs.

“Security weaknesses affecting APIs are rapidly becoming one of the most critical aspects of modern application security,” said Ilia Kolochenko, founder & CEO of security company ImmuniWeb.

“Their complexity and obscurity hinder security testing with traditional tools and automated scanners, and many dangerous security flaws remain undetected,” said Kolochenko.

“Often they are riddled with a full spectrum of OWASP API Security Top 10 issues, some of which are intricately intertwined and require chained exploitations,” said Kolochenko. “It seems that Twitter’s bug bounty has been futile when detecting the vulnerability in a timely manner.”

“The security vulnerability in question is comparatively riskless in light of a myriad of avenues to obtain someone’s phone number, including social engineering and OSINT methodologies,” said Kolochenko. “Twitter’s claims about the involvement of ‘IPs of state-sponsored actors’ are a bit incomprehensible without further details. Today, it is virtually impossible to reliably attribute an attack, and I think nation-state actors have access to much more dangerous vulnerabilities affecting Twitter and its suppliers.”

How well do you know Twitter? Try our quiz!