Twitter Warns API Flaw Abuse May Have Unmasked Users
'State-Sponsored Actors' Might Be Behind Move to Map Phone Numbers to Accounts
A Twitter API could have enabled outsiders to match users' phone numbers to their corresponding accounts and potentially unmask anonymous users of the social media site.
Twitter says the flaw has now been fixed, but not before at least one large-scale effort exploited it. Any resulting impact on users remains unclear.
The problem was first reported by TechCrunch on Dec. 24, 2019. Researcher Ibrahim Balic found that Twitter's API for Android would accept mass numbers of phone numbers through its contacts upload feature.
Over two months, Balic matched 17 million phone numbers to users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, TechCrunch reported.
Suspicious Activity From 'Iran, Israel and Malaysia'
On Monday, Twitter said it became aware of activity on Dec. 24, 2019, involving someone using a large network of bogus accounts to exploit the API.
Balic, however, apparently wasn't the only one to have found the enumeration flaw. In fact, it may have also been abused by state-sponsored actors, Twitter says.
"During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case," Twitter says. "While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle."
Intended Functionality: Finding Friends
The API is intended to help a new Twitter user more easily locate any friends they already have in their phone contacts list. It works for people who have supplied Twitter with a phone number and who have also enabled a setting that gives Twitter permission to do that kind of matching.
"People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability," Twitter says.
Still, many users who wanted better account security have likely given their phone numbers to Twitter. Until November 2019, Twitter required users to supply a phone number in order to use two-step verification. That was still required even if someone opted to use a code-generating app (see: Twitter No Longer Wants a Phone Number for 2FA).
"It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle."
Enabling two-step verification requires users to supply a time-sensitive, six-digit code in addition to their credentials to access an account. The code requirement thwarts account takeover attempts if authentication details have been compromised.
Twitter expanded its two-step verification program in 2017 by allowing the use of out-of-band code generators, such as Google Authenticator, Authy and Duo Mobile. Moving to code generators is a good defense against SIM-swapping attacks, in which attackers take over a victim's phone number to obtain a two-step code sent over SMS. Victims of such attacks have included Twitter co-founder Jack Dorsey (see: Hey Jack, How Was Your Account Hacked?).
Risk to Users
Thanks to the changes Twitter made in November 2019, users can now remove their phone number from their account settings if they have already set up an out-of-band code generator. But the API vulnerability could still have had an impact on users who run anonymous Twitter accounts.
Before the changes, if someone had supplied their phone number for two-step verification but forgot to untick the setting that allowed Twitter to hunt for other users, an attacker could figure out which account was connected to the number. If the attacker could ascertain the identity of the person who held the phone number, then they could unmask the owner of the Twitter account.
That's a very specific risk scenario, but it's the type that state-sponsored actors - perhaps seeking to unmask a popular Twitter account critical of the government - might undertake (see: Feds Allege Saudi Spies Infiltrated Twitter).
Twitter has apologized for the flaw. "Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on stopping abuse of Twitter's API as quickly as possible," it says.
Executive Editor Mathew Schwartz contributed to this story.