posted by martyb on Thursday February 06 2020, @06:33AM   Printer-friendly
from the when-two-factor-authentication-may-not-be-such-a-good-idea dept.

In an advisory on Monday, Twitter noted it "became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers" on December 24.

That is the same day that security researcher Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts, by uploading a list of two billion automatically generated phone numbers to Twitter's contact upload feature and matching the hits to usernames.

The feature is meant for tweeters seeking their friends on Twitter, by uploading their phone's address book. But Twitter seemingly did not fully rate-limit requests to that API, judging that blocking uploads of sequential numbers was sufficient protection.

It wasn't, and Twitter now says that, in addition to Balic's probing, it "observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia," adding that "it is possible that some of these IP addresses may have ties to state-sponsored actors."

Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy: not only can you link the identity attached to that number to the identity attached to the username, potentially fully de-anonymizing someone; you also now know which high-value numbers to hijack, via SIM swap attacks for example, to gain control of accounts secured by SMS or voice-call two-factor authentication.
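To make the defensive point concrete, here is an added example (not code from the article, from Twitter, or from Balic) that contrasts the weak check described above, refusing only uploads of consecutive numbers, with per-source heuristics that catch the enumeration pattern the advisory describes: many uploads from many accounts sharing one IP address, with a match rate far below what a real address book produces. The log records, account and IP values, and every threshold are constructed assumptions.

```python
"""Abuse detection for a contact-upload / phone-number-match endpoint.

Added example, not Twitter's code. It contrasts the weak check the article
describes (refuse uploads whose numbers are consecutive) with per-IP
heuristics over a sliding window: total numbers submitted, distinct
uploading accounts, and the fraction of numbers that actually matched.
All log records and thresholds below are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed policy thresholds (illustrative; tune against real traffic).
WINDOW_SECONDS = 3600          # sliding window per source IP
MAX_NUMBERS_PER_IP = 5000      # numbers one IP may submit per window
MAX_ACCOUNTS_PER_IP = 20       # distinct uploading accounts per IP per window
MIN_SAMPLE = 500               # do not judge match ratio on tiny uploads
MIN_MATCH_RATIO = 0.05         # a real address book matches far more than this


@dataclass(frozen=True)
class Upload:
    """One contact-upload request as the API would log it (constructed)."""
    ts: int            # seconds since epoch
    account: str       # account that called the endpoint
    ip: str            # source address
    numbers: int       # phone numbers submitted in this request
    matches: int       # numbers that resolved to an existing username
    sequential: bool   # numbers were strictly consecutive


def weak_policy_flags(uploads):
    """The check the article says Twitter relied on: flag consecutive lists only."""
    return {u.ip for u in uploads if u.sequential}


def flag_ips(uploads, window=WINDOW_SECONDS):
    """Per-IP sliding-window heuristics. Returns {ip: sorted list of reasons}."""
    by_ip = defaultdict(list)
    for u in uploads:
        by_ip[u.ip].append(u)

    flagged = {}
    for ip, ups in by_ip.items():
        ups.sort(key=lambda u: u.ts)
        start, volume, hits = 0, 0, 0
        accounts = Counter()
        reasons = set()
        for u in ups:
            volume += u.numbers
            hits += u.matches
            accounts[u.account] += 1
            # Evict records that have fallen out of the window.
            while ups[start].ts < u.ts - window:
                old = ups[start]
                volume -= old.numbers
                hits -= old.matches
                accounts[old.account] -= 1
                if accounts[old.account] == 0:
                    del accounts[old.account]
                start += 1
            if volume > MAX_NUMBERS_PER_IP:
                reasons.add("volume")
            if len(accounts) > MAX_ACCOUNTS_PER_IP:
                reasons.add("many_accounts")
            if volume >= MIN_SAMPLE and hits / volume < MIN_MATCH_RATIO:
                reasons.add("low_match_ratio")
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged


# Constructed sample log: two real users, one consecutive-number probe that the
# weak check catches, and one distributed run over thirty accounts that it misses.
SAMPLE_UPLOADS = [
    Upload(0, "alice", "198.51.100.10", 300, 120, False),
    Upload(30, "bob", "198.51.100.11", 80, 35, False),
    Upload(60, "probe", "203.0.113.5", 1000, 10, True),
] + [
    Upload(100 + 60 * i, f"fake{i:02d}", "203.0.113.77", 1000, 3, False)
    for i in range(30)
]


if __name__ == "__main__":
    print("weak check flags:", sorted(weak_policy_flags(SAMPLE_UPLOADS)))
    print("heuristics flag:", flag_ips(SAMPLE_UPLOADS))
```

The sequential-only check flags the single probe and nothing else; the sliding-window heuristics also flag the distributed run on all three counts, while the two genuine address-book uploads stay below the sample threshold and are left alone. The match-ratio signal is the one a sequential-number filter cannot replace: a genuine contact list resolves a large share of its entries, whereas a generated list resolves almost none, however its numbers are ordered.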


  • (Score: 2, Informative) by fustakrakich (6150) on Thursday February 06 2020, @07:26AM (#954674) Journal (2 children)

    Only the Iranian one, right? All those other ones are "friends"! And please, show us the IPs weren't spoofed!

    --
    Politics and criminals are the same thing.
  • (Score: 1) by Ethanol-fueled (2792) on Friday February 07 2020, @01:13AM (#954954) Homepage (1 child)

    Well at least somebody finally and publicly mentioned Israel. It's a baby step in the right direction considering that they are "those who shall not be named" and perhaps the biggest multi-pronged meddler in American politics and other affairs.

    • (Score: 1) by fustakrakich (6150) on Friday February 07 2020, @01:37AM (#954974) Journal

      Israel, Saudi Arabia, republicans, democrats, they can all shoot up 5th Avenue, and no one will say shit.

      All hail the Republic of Catatonia!

      --
      Politics and criminals are the same thing.