In an advisory on Monday, the social network noted it “became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers” on December 24.
That is the same day security researcher Ibrahim Balic revealed he had matched 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers through Twitter's contact upload feature.
The feature is meant for users looking for their friends on Twitter by uploading their phone's address book. But Twitter seemingly did not fully limit requests to the API, deciding that blocking uploads of sequential numbers was sufficient protection.
It wasn’t, and Twitter now says that, as well as Balic's probing, it “observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” adding that “it is possible that some of these IP addresses may have ties to state-sponsored actors.”
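The two paragraphs above describe the failure mode: the contact-upload endpoint only rejected runs of sequential numbers, so bulk lookups that were randomised or strided passed the check, and the abuse only became visible as aggregate volume from individual IP addresses and a network of fake accounts. The following is an added example, not Twitter's code or anything from the advisory, showing why a sequentiality check alone does not separate address-book sync from enumeration and what per-source aggregate checks catch instead. The event format, thresholds, IP addresses, account names and phone numbers are all constructed for the demonstration.

```python
"""Added example (not Twitter's code): a sequential-number check versus
per-source aggregate checks for contact-upload enumeration.  Every value
below (log format, thresholds, IPs, accounts, numbers) is constructed."""
from collections import defaultdict


def has_sequential_run(numbers, min_run=3):
    """The only guard the article says was in place: reject an upload that
    contains a run of consecutive phone numbers.  Randomised or strided
    uploads pass this check, and so does a real address book."""
    values = sorted(int(n) for n in numbers)
    run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= min_run:
            return True
    return False


def summarise_by_ip(events):
    """Aggregate contact-upload events per source IP.  Each event is a dict
    with 'ip', 'account' (the uploading account), 'numbers' (phone numbers
    as strings) and 'matched' (how many resolved to a username)."""
    per_ip = defaultdict(
        lambda: {"uploads": 0, "numbers": 0, "matched": 0, "accounts": set()}
    )
    for ev in events:
        s = per_ip[ev["ip"]]
        s["uploads"] += 1
        s["numbers"] += len(ev["numbers"])
        s["matched"] += ev["matched"]
        s["accounts"].add(ev["account"])
    return per_ip


def flag_enumeration(events, max_numbers=2_000, max_accounts=3, min_hit_rate=0.05):
    """Return {ip: [reasons]} for sources whose aggregate behaviour looks like
    enumeration rather than address-book sync: too many numbers looked up,
    many distinct accounts uploading from one address, or a hit rate far
    below what a genuine address book produces.  Thresholds are illustrative."""
    flagged = {}
    for ip, s in summarise_by_ip(events).items():
        reasons = []
        if s["numbers"] > max_numbers:
            reasons.append("volume")
        if len(s["accounts"]) > max_accounts:
            reasons.append("many accounts from one source")
        if s["numbers"] > max_numbers and s["matched"] / s["numbers"] < min_hit_rate:
            reasons.append("low hit rate")
        if reasons:
            flagged[ip] = reasons
    return flagged


def build_sample_events():
    """Constructed traffic: one genuine user syncing a small address book,
    and ten fake accounts behind one IP each uploading 1,000 generated
    numbers (stride 104729, so no two are consecutive)."""
    events = [
        {"ip": "198.51.100.7", "account": "alice", "matched": 12,
         "numbers": [str(15550000100 + 37 * i) for i in range(40)]},
    ]
    for batch in range(10):
        events.append({
            "ip": "203.0.113.9",
            "account": f"fake_{batch:02d}",
            "numbers": [str(5_000_000_000 + (batch * 1_000 + i) * 104_729)
                        for i in range(1_000)],
            "matched": 8,  # constructed: under 1% of generated numbers hit a user
        })
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    # The sequential check rejects nothing here, genuine or abusive.
    print("rejected by sequential check:",
          sum(has_sequential_run(ev["numbers"]) for ev in sample))
    # The aggregate checks single out the enumerating source only.
    print("flagged sources:", flag_enumeration(sample))
```

Run stand-alone, the script shows the sequential check rejecting none of the uploads while the aggregate checks flag only the enumerating IP, for volume, for the number of distinct accounts behind it, and for its low match rate. The three signals map onto what the advisory itself reports: a network of fake accounts, and a high request volume from individual IP addresses.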
Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy: not only can you link the identity attached to that number to the identity attached to the username, potentially fully de-anonymizing someone, you now know which high-value numbers to hijack, via SIM swap attacks, for example, to gain control of accounts secured by SMS or voice-call two-factor authentication.
(Score: 0) by Anonymous Coward on Thursday February 06 2020, @06:42PM
All good advice, but it is still another barrier to privacy invasion. The government assholes probably would because that is their job. Twitter and some asshole that buys a bunch of customer data from them will not bother trying to make sure every phone number is tied to a physical address.
What we should be doing is educating the masses on Tor and other decentralized network protocols / services and denying traffic to sites that block such traffic. Also, we need data privacy laws to give the public a big old hammer to swing down on any company abusing its customer data.