In a nutshell: Twitter says it’s fixed a bug in its API that made it easy for someone to match a user’s Twitter handle with a phone number, which was discovered last year. The company also revealed that it has detected several attacks using the exploit, which seem to originate from Israel, Malaysia, and Iran — likely the work of state-sponsored actors.
Back in December, security researcher Ibrahim Balic revealed a vulnerability in Twitter’s Android app that allowed him to match millions of public usernames with their phone numbers.
Balic didn’t report this to Twitter, but the company did its own investigation into the issue not long after the report was published. Today, it officially acknowledged the issue and revealed that several attackers had been abusing an API functionality to gain access to users’ personal information.
The feature in question is normally intended as an easy way for you to find friends or colleagues on Twitter using their phone number, provided that they’ve enabled the option in Settings > Privacy and Safety > Discoverability and contacts. If you’re in the EU, you should be safe as the functionality is opt-in there. However, if you live anywhere else it’s actually opt-out and there’s a high chance you didn’t even know it exists.
Twitter says Balic wasn’t the only one that exploited the feature “beyond its intended use case,” as it identified several other accounts being used to perform the same kind of attack. The company didn’t give an exact number, but indicated a lot of these are located in Iran, Malaysia, and Israel, indicating a possible link to state-sponsored actors.
The social giant suspended the accounts and fixed the loophole, so the only thing left for you to do is to review the discoverability settings for your account and disable them if you’d prefer not to be found using your phone number or email address.
It’s worth noting that third party APIs can be an even bigger headache when it comes to vulnerabilities, and Twitter is also known for having misused user data to sell targeted ads in the recent past. That’s why some speculate that Twitter will benefit from CEO Jack Dorsey’s plan on creating a decentralized social media standard.