from the when-two-factor-authentication-may-not-be-such-a-good-idea dept.
In an advisory on Monday, the social network noted it had “became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers” on December 24.
That is the same day that security researcher Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers to Twitter's contact upload feature and matching the hits to usernames.
The feature is supposed to be used by tweeters seeking their friends on Twitter, by uploading their phone's address book. But Twitter seemingly did not fully limit requests to its API, deciding that preventing sequential numbers from being uploaded was sufficiently secure.
It wasn’t, and Twitter now says that, as well as Balic's probing, it “observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” adding that “it is possible that some of these IP addresses may have ties to state-sponsored actors.”
Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy: not only can you link the identity attached to that number to the identity attached to the username, potentially fully de-anonymizing someone, you now know which high-value numbers to hijack, via SIM swap attacks, for example, to gain control of accounts secured by SMS or voice-call two-factor authentication.
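As an added example (not Twitter's code and not from the story), here is a defender-side check that goes beyond the sequential-number test described above: a per-uploader budget on distinct numbers plus a match-ratio heuristic, since a shuffled generated list passes the sequential check but still resolves to almost no real contacts. The thresholds, the `UploadGuard` class and the constructed number batches are assumptions for this example.

```python
import random
from collections import defaultdict

# Constructed policy limits (assumptions for this example, not Twitter's thresholds).
MAX_NUMBERS_PER_WINDOW = 5000  # distinct numbers one uploader may submit per window
RATIO_MIN_SAMPLE = 1000        # only judge the match ratio once this many numbers are seen
MIN_MATCH_RATIO = 0.05         # a real address book mostly matches; a generated list barely does


def is_sequential(numbers):
    """The only control the story credits Twitter with: reject a run of consecutive numbers."""
    digits = [int(n) for n in numbers]
    return len(digits) > 1 and all(b - a == 1 for a, b in zip(digits, digits[1:]))


class UploadGuard:
    """Per-uploader budget on distinct numbers plus a match-ratio check.

    Shuffling a generated list defeats is_sequential(); it does not defeat a cap on
    how many distinct numbers one account or IP may resolve in a window, nor the
    observation that almost none of them belong to a real contact.
    """

    def __init__(self, max_numbers=MAX_NUMBERS_PER_WINDOW,
                 min_sample=RATIO_MIN_SAMPLE, min_ratio=MIN_MATCH_RATIO):
        self.max_numbers, self.min_sample, self.min_ratio = max_numbers, min_sample, min_ratio
        self.seen = defaultdict(set)     # uploader -> distinct numbers seen this window
        self.matched = defaultdict(int)  # uploader -> numbers that resolved to an account

    def check(self, uploader, numbers, matches):
        """Return (allowed, reason). `matches` is how many of `numbers` hit an account."""
        if is_sequential(numbers):
            return False, "sequential"
        self.seen[uploader].update(numbers)
        self.matched[uploader] += matches
        total = len(self.seen[uploader])
        if total > self.max_numbers:
            return False, "volume"
        if total >= self.min_sample and self.matched[uploader] / total < self.min_ratio:
            return False, "low_match_ratio"
        return True, "ok"


def constructed_batch(start, count, seed=0):
    """Constructed sample input: a block of generated numbers, shuffled so the old check passes."""
    numbers = [str(15550000000 + i) for i in range(start, start + count)]
    random.Random(seed).shuffle(numbers)
    return numbers
```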
(Score: 3, Touché) by Runaway1956 on Thursday February 06, @06:52AM (1 child)
As is often the case, there is a simple solution. Don't store phone numbers. Better yet, don't ask for phone numbers. They aren't essential to what Twitter is, or what Twitter does. My phone number is none of Twitter's business. I'll not input my phone number into any social media. I don't even give my phone number to people who ask for it. Pizza place, auto parts store, Farmer's coop, none of them need my phone number to make a sale.
Data that you don't collect can't be compromised. It's really that simple.
“The more corrupt the state, the more numerous the laws.” ― Tacitus, The Annals of Imperial Rome
(Score: 2) by coolgopher on Thursday February 06, @07:38AM
But but... SMS 2-factor authentication security [theverge.com]!!!11!eleven
(Score: 2, Informative) by fustakrakich on Thursday February 06, @07:26AM
Only the Iranian one, right? All those other ones are "friends"! And please, show us the IPs weren't spoofed!
Shouldn't the "Messages" tab/button go here [soylentnews.org]?
(Score: 2) by aristarchus on Thursday February 06, @07:43AM
I will go first, after Runaway, of course, who has already spilled his personal data all across the intertubes (things I wish I did not know!):
So, my phone number is: 1-30-2273-123-4567
Feel free to call me and not be answered, since most of the calls I get are telemarketers, pollsters, perverts, and Republicans asking for money.
*Sulla*: "Agree with me or die"