Twitter Suspends Fake Accounts for Exploiting API Vulnerability

Twitter on Monday announced that it has suspended a large number of fake accounts that had exploited an API vulnerability to match usernames to phone numbers.

The social platform initially discovered the issue on December 24, when it suspended a large network of such fake accounts, but revealed details of the incident only this week, after an investigation that led to the identification of additional accounts engaged in the same illicit activity.

The fake accounts were exploiting a feature meant to help users with newly created accounts find people they might already know on the online platform.

The feature was designed to match phone numbers to those accounts that had previously enabled the “Let people who have your phone number find you on Twitter” option, and which also had a phone number associated with them.

Users who did not enable the option to let others find them on Twitter via their phone number, or who did not have a phone number associated with their Twitter account, were not exposed to this attack.

This means that those who added a phone number to their accounts for security purposes, such as two-factor authentication (2FA), might not have been impacted. Previously, Twitter admitted to having "inadvertently" used phone numbers and email addresses meant for 2FA for advertising purposes.

In a blog post on Monday, Twitter said the network of fake accounts exploiting its feature was spread across a wide range of countries.

“We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle,” Twitter revealed.

The company also explained that, in addition to suspending all accounts suspected to have abused the feature, it made a series of changes to ensure that the option would no longer return specific account names in response to queries.
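To make the two defensive points above concrete, here is an added example (not Twitter's code, and the account records, IP addresses and lookup budget are constructed) of a contact-discovery lookup that only matches accounts that both have a phone number on file and have opted in to phone-number discoverability, and that stops returning account names to any source that exceeds a per-IP query budget, which is the high-volume pattern the post describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Account:
    username: str
    phone: Optional[str]          # E.164 number, or None when no number is on file
    discoverable_by_phone: bool   # the "Let people who have your phone number find you" opt-in

# Constructed sample directory (hypothetical accounts, not real data).
ACCOUNTS = [
    Account("alice", "+15550000001", True),
    Account("bob", "+15550000002", False),   # opted out: never matched
    Account("carol", None, True),            # no phone on file: never matched
    Account("dave", "+15550000004", True),
]

# Assumed per-IP budget of numbers looked up per window; a source that exceeds it
# is treated as enumerating and receives no account names.
MAX_LOOKUPS_PER_IP = 100

class ContactDiscovery:
    def __init__(self, accounts: List[Account]) -> None:
        # Index only accounts that BOTH have a phone number AND opted in to discovery.
        self._by_phone = {a.phone: a.username for a in accounts
                          if a.phone and a.discoverable_by_phone}
        self._lookups = defaultdict(int)   # numbers submitted per source IP
        self.flagged = set()               # sources that exceeded the budget

    def match(self, source_ip: str, phones: List[str]) -> Optional[List[str]]:
        """Return usernames for opted-in numbers; refuse bulk enumeration."""
        self._lookups[source_ip] += len(phones)
        if self._lookups[source_ip] > MAX_LOOKUPS_PER_IP:
            self.flagged.add(source_ip)
            return None   # over budget: no specific account names are returned
        return [self._by_phone[p] for p in phones if p in self._by_phone]
```

A real deployment would also count per authenticated account and per device, not only per IP, since the abuse came from a network of many accounts.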

“The security vulnerability in question is comparatively riskless in light of a myriad of avenues to obtain someone’s phone number, including social engineering and OSINT methodologies,” Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, told SecurityWeek in an emailed comment. “Twitter’s claims about the involvement of 'IPs of state-sponsored actors' are a bit incomprehensible without further details. Today, it is virtually impossible to reliably attribute an attack, and I think nation-state actors have access to much more dangerous vulnerabilities affecting Twitter and its suppliers.”

On December 24, TechCrunch ran a story revealing how security researcher Ibrahim Balic was able to exploit a vulnerability in Twitter for Android and match 17 million phone numbers to usernames. The researcher abused the flaw for two months before Twitter blocked him.
