While investigating an information disclosure flaw affecting one of its support forms, Twitter discovered a possible attack coming from IP addresses that may be linked to state-sponsored actors.
Last month, Twitter became aware of a bug related to a support form that allows users to contact Twitter if they have issues with their account. The vulnerability could have been exploited to obtain the country code of a user’s phone number – if they had one associated with their account – and learn whether or not the account had been locked by Twitter.
Twitter locks accounts if they violate its rules or terms of service, or if the account appears to have been compromised.
The social media giant pointed out that the flaw did not expose full phone numbers or other personal information. Twitter started addressing the issue on November 15 and a fix was implemented by the next day.
While investigating the security bug, the company noticed unusual activity involving the API associated with the impacted customer support form.
“Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia,” Twitter said. “While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors. We continue to err on the side of full transparency in this area and have updated law enforcement on our findings.”
Twitter has not provided any additional information or clarifications regarding this activity and it’s unclear if the individuals who targeted the API also exploited the information disclosure flaw.
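The pattern Twitter describes, a large volume of inquiries against the support-form API from individual source IPs, is what a per-source rate and target-diversity check over API access logs would surface. The code below is an added example and is not Twitter's own code or detection logic; the log format, the `/support/lookup` endpoint, the per-request account field and the thresholds are all assumptions, and the log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample log (not Twitter's data). Each record: ISO timestamp,
# source IP, endpoint, account handle queried (hypothetical field), HTTP status.
def _build_sample_log():
    base = datetime(2018, 11, 14, 10, 0, 0)
    lines = []
    # A legitimate user retries the support form a few times for their own account.
    for i in range(3):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.7 /support/lookup alice 200")
    # One source IP sweeps 25 different handles in two minutes: an enumeration pattern.
    for i in range(25):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.5 /support/lookup user{i:02d} 200")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Split one assumed-format log record into typed fields."""
    ts, ip, endpoint, account, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, endpoint, account, int(status)


def max_requests_in_window(timestamps, window):
    """Largest number of requests from one source that fall inside any `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_enumerators(log_text, endpoint="/support/lookup",
                     window=timedelta(minutes=5), max_requests=20, max_distinct=10):
    """Flag source IPs whose request burst or number of distinct queried
    accounts against the support endpoint exceeds the (assumed) thresholds.
    Volume alone catches a retrying user; the distinct-account count is the
    stronger enumeration signal, so either condition raises a finding."""
    per_ip_times = defaultdict(list)
    per_ip_accounts = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, ep, account, status = parse_line(line)
        if ep != endpoint:
            continue
        per_ip_times[ip].append(ts)
        per_ip_accounts[ip].add(account)

    findings = {}
    for ip, times in per_ip_times.items():
        burst = max_requests_in_window(times, window)
        distinct = len(per_ip_accounts[ip])
        if burst > max_requests or distinct > max_distinct:
            findings[ip] = {"burst": burst, "distinct_accounts": distinct}
    return findings


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {info['burst']} requests in window, "
              f"{info['distinct_accounts']} distinct accounts queried")
```

On the constructed log the retrying user is never flagged (one request per five-minute window, a single account), while the sweeping source exceeds both thresholds. In a real deployment the thresholds would be tuned against baseline traffic for the endpoint, and the distinct-account count is worth keeping even where the form returns only coarse data such as a country code, since enumeration of many accounts is the behaviour of interest rather than any single lookup.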
The company did link to a previous blog post where it shared an update on its investigation into foreign interference in political conversations. At the time, it released full archives of tweets and media from accounts that may have been part of Russian and Iranian state-sponsored operations.
Several information disclosure issues have been identified in Twitter in the past months. In May, the company advised customers to change their passwords after a bug caused passwords to be stored in log files in clear text.
In September, it patched a bug that may have caused direct messages to be sent to third-party developers other than the ones users interacted with. The problem existed for well over a year and it impacted as many as 3 million users.
Last week, a researcher reported getting a bug bounty of nearly $3,000 from Twitter for a flaw that allowed some applications to obtain more permissions than they claimed.