Twitter Suspends Fake Accounts for Exploiting API Vulnerability

Twitter on Monday announced that it has suspended a large number of fake accounts that had exploited an API vulnerability to match usernames to phone numbers.

The social platform first discovered the issue on December 24, when it suspended a large network of such fake accounts, but only revealed details of the incident this week, after an investigation that identified additional accounts engaged in the same illicit activity.

The fake accounts were exploiting a feature meant to help users with newly created accounts find people they might already know on the online platform.

The feature was designed to match phone numbers to accounts that had previously enabled the “Let people who have your phone number find you on Twitter” option and that also had a phone number associated with them.

Users who did not enable the option to let others find them on Twitter via the phone number, or those who did not have a phone number associated with their Twitter account, were not exposed to this attack.

This means that those who added a phone number to their accounts for security purposes, such as two-factor authentication (2FA), might not have been impacted. Previously, Twitter admitted to having “inadvertently” used phone numbers and email addresses meant for 2FA for advertising purposes.

In a blog post on Monday, Twitter said the network of fake accounts exploiting its feature was spread across a wide range of countries.

“We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle,” Twitter revealed.

The company also explained that, in addition to suspending all accounts suspected to have abused the feature, it made a series of changes to ensure that the option would no longer return specific account names in response to queries.
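The two design points above, that only accounts with a phone number on file and the discovery option enabled are matchable, and that an unusually high volume of lookups from a single IP address is the signal to act on, can be shown in a small model. The following is an added example, not Twitter's code and not a description of the change Twitter made; the directory, the request traffic, the 500-numbers-per-hour budget and the throttling in `serve_lookup` are all constructed for illustration.

```python
"""Phone-number contact matching: opt-in gating plus bulk-lookup detection.

Added example, not Twitter's code.  It models the behaviour the article
describes (only accounts that have a phone number on file and enabled
"Let people who have your phone number find you on Twitter" are matchable)
and a defender-side check for the signal Twitter reported, an unusually
high volume of lookups from one IP address.  Threshold, window length and
all account/request data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    phone: Optional[str]          # E.164 number on file, or None
    discoverable_by_phone: bool   # the opt-in setting named in the article


@dataclass(frozen=True)
class LookupRequest:
    ts: int                       # seconds since epoch (constructed)
    source_ip: str
    phones: tuple                 # numbers uploaded by the client


# Constructed directory: only alice and dave are matchable.
ACCOUNTS = (
    Account("alice", "+15550000001", True),
    Account("bob",   "+15550000002", False),  # opted out of discovery
    Account("carol", None,           True),   # no phone number on file
    Account("dave",  "+15550000004", True),
)


def build_discovery_index(accounts):
    """Index phone -> username for accounts that have a number AND opted in.
    Accounts outside this set are never matchable, whatever a client uploads."""
    return {a.phone: a.username
            for a in accounts
            if a.phone is not None and a.discoverable_by_phone}


def match_contacts(index, uploaded_phones):
    """Return {phone: username} for uploaded numbers present in the index."""
    return {p: index[p] for p in uploaded_phones if p in index}


def flag_bulk_sources(requests, window_seconds=3600, max_numbers=500):
    """Detection: source IPs that submitted more than max_numbers phone numbers
    within any sliding window of window_seconds.  Returns {ip: peak_count}."""
    by_ip = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        by_ip[r.source_ip].append(r)
    flagged = {}
    for ip, reqs in by_ip.items():
        start, in_window = 0, 0
        for end, r in enumerate(reqs):
            in_window += len(r.phones)
            # Advance the window start until it spans at most window_seconds.
            while reqs[end].ts - reqs[start].ts > window_seconds:
                in_window -= len(reqs[start].phones)
                start += 1
            if in_window > max_numbers:
                flagged[ip] = max(flagged.get(ip, 0), in_window)
    return flagged


def serve_lookup(index, request, history, window_seconds=3600, max_numbers=500):
    """Mitigation (an assumed design, not Twitter's documented change): refuse
    the lookup when the source IP's recent volume, this request included,
    exceeds the per-window budget; otherwise record it and answer."""
    history.append(request)
    if request.source_ip in flag_bulk_sources(history, window_seconds, max_numbers):
        return None                      # throttled; the caller returns an error
    return match_contacts(index, request.phones)


# Constructed traffic (RFC 5737 documentation addresses): one ordinary client
# and one source uploading 1,000 sequential numbers in ten minutes.
REQUESTS = tuple(
    [LookupRequest(1_000 + i * 60, "203.0.113.9",
                   tuple(f"+1555{n:07d}" for n in range(i * 100, i * 100 + 100)))
     for i in range(10)]
    + [LookupRequest(2_000, "198.51.100.7", ("+15550000001", "+15550000002")),
       LookupRequest(5_000, "198.51.100.7", ("+15550000004",))]
)


if __name__ == "__main__":
    index = build_discovery_index(ACCOUNTS)
    print(match_contacts(index, ["+15550000001", "+15550000002", "+15550000003"]))
    print(flag_bulk_sources(REQUESTS))
```

Running the module prints the single match for alice (bob opted out, so his number returns nothing even though it is on file) and flags `203.0.113.9` with a peak of 1,000 numbers in the hour-long window, while the ordinary client is never flagged. The sliding-window counter is the piece worth keeping: it is what turns the "high volume from individual IP addresses" observation into a check that runs on every request rather than a finding made after the fact.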

“The security vulnerability in question is comparatively riskless in light of a myriad of avenues to obtain someone’s phone number, including social engineering and OSINT methodologies,” Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, told SecurityWeek in an emailed comment. “Twitter’s claims about the involvement of ‘IPs of state-sponsored actors’ are a bit incomprehensible without further details. Today, it is virtually impossible to reliably attribute an attack, and I think nation-state actors have access to much more dangerous vulnerabilities affecting Twitter and its suppliers.”

On December 24, TechCrunch ran a story revealing how security researcher Ibrahim Balic was able to exploit a vulnerability in Twitter for Android and match 17 million phone numbers to usernames. The researcher abused the flaw for two months before Twitter blocked him.

Related: Vulnerability in Twitter App Enabled Hackers to Obtain Information, Control Accounts

Related: Twitter Admits Phone Numbers Meant for Security Used for Ads

Related: Twitter, Facebook Target State-Linked Accounts Made to Manipulate

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
