Twitter API abused to match of usernames to phone numbers – Security

Point out-sponsored risk actors are thought to have exploited social network Twitter’s software programming interface (API) to match usernames to cellular phone figures.

Twitter discovered an unnamed actor using a significant network of pretend accounts for the assault on Xmas Eve final year.

The pretend accounts have been suspended, and Twitter claimed they were found in a broad vary of countries.

Even so, Twitter’s stability staffers recognized that a specifically large volume of API requests arrived from internet protocol addresses found inside of Israel, Iran and Malaysia.

These IP addresses might have ties to condition sponsored actors, Twitter claimed.

The social network did not say how a lot of pretend accounts were employed for the assault, or how a lot of buyers were targetted.

TechCrunch reported that a researcher, Ibrahim Balic, was able to add lists with around two billion cellular phone figures he experienced generated, and ordered randomly, to Twitter thanks to a flaw in the social network’s Android app.

Balic was able to match 17 million cellular phone figures to user accounts around a period of two months right until Twitter blocked the API queries on December twenty.

The researcher did not alert Twitter to the vulnerability, but employed the cellular phone figures of large-profile buyers these types of as politicians and govt officials and established up a WhatsApp group to alert them straight.

Twitter claimed the API endpoint can make it less difficult for new account holders to discover people they could presently know who are on the social network.

The API queries only worked from accounts that experienced the “Let people who have your cellular phone selection discover you on Twitter” enabled. Also, the accounts essential to have a cellular phone selection linked with them, which Twitter employed to call for of buyers when it started off off as an SMS-based assistance.

Which is when it is employed as intended exploiting the API to match usernames to cellular phone figures was “beyond its intended use case” Twitter claimed.

It is no for a longer period doable to question the API and have it return the username linked with a cellular phone selection.

Twitter apologised for the facts leak but has not claimed it will get in touch with individuals impacted by it.