Twitter announced that it has resolved a security issue that let attackers compile contact information for 5.4 million Twitter accounts, a data set that was later listed for sale on a cyber crime forum. The vulnerability has been fixed, and affected Twitter users are expected to receive notification.
Twitter’s security bug
The vulnerability let anyone submit a phone number or email address and learn whether it was tied to an existing Twitter account, and which one, potentially linking pseudonymous accounts to their owners' real-world contact details.
In a statement published today, Twitter said “if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any.”
Twitter fixes the bug
Twitter says that it fixed the bug in January 2022. The bug had been introduced into the Twitter codebase in July 2021. A security researcher reported it through Twitter's bug bounty program and was awarded $6,000 for the disclosure.
The bug bounty report explains that the vulnerability posed a “serious threat” to users who maintain private or pseudonymous accounts. In principle, the bug could have been used to build a database of contact details or to enumerate a large swath of the Twitter user base.
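To make the enumeration risk concrete, here is an added example (not Twitter's code; the page does not identify which endpoint carried the bug) that models the behaviour Twitter described: a lookup that confirms the linked account, beside a hardened handler that answers identically for known and unknown contacts, plus the attacker-side loop that turns the first handler into a contact-to-handle database. The user table, handles and contact details are constructed sample data.

```python
# Added example modelling an account-linkage oracle of the kind described
# above, next to a hardened version. Not Twitter's code; USERS is a
# constructed sample table with made-up handles, emails and phone numbers.
from typing import Callable, Dict, Iterable, Optional

USERS: Dict[str, Dict[str, str]] = {
    "alice_pseudonym": {"email": "alice@example.org", "phone": "+15550100001"},
    "bob_reporter": {"email": "bob@example.net", "phone": "+15550100002"},
}


def _normalize(identifier: str) -> str:
    """Canonicalise an email (lower-case) or phone number (digits and '+')."""
    ident = identifier.strip().lower()
    if "@" not in ident:
        ident = "".join(ch for ch in ident if ch.isdigit() or ch == "+")
    return ident


def vulnerable_lookup(identifier: str) -> dict:
    """Mirrors the bug: confirms linkage and names the associated account."""
    ident = _normalize(identifier)
    for handle, contact in USERS.items():
        if ident in (contact["email"].lower(), contact["phone"]):
            return {"linked": True, "account": handle}
    return {"linked": False, "account": None}


def hardened_lookup(identifier: str) -> dict:
    """Uniform response: the caller cannot distinguish known from unknown
    identifiers. Anything that depends on the result (e.g. sending a
    recovery message) is delivered to the contact itself, never to the caller."""
    _normalize(identifier)  # still validate/canonicalise, but never echo a result
    return {"status": "ok",
            "message": "If this contact is registered, we will reach out to it."}


def enumerate_accounts(candidates: Iterable[str],
                       oracle: Callable[[str], dict]) -> Dict[str, str]:
    """Attacker-side loop: feed candidate contacts to an oracle and keep the
    ones that resolve. Against vulnerable_lookup this rebuilds a
    contact-to-handle mapping; against hardened_lookup it learns nothing."""
    found: Dict[str, str] = {}
    for cand in candidates:
        resp = oracle(cand)
        if resp.get("linked"):
            found[cand] = resp["account"]
    return found


if __name__ == "__main__":
    # Constructed candidate list: two real contacts from USERS and one miss.
    probes = ["Alice@Example.org", "nobody@example.com", "+1 (555) 010-0002"]
    print("vulnerable:", enumerate_accounts(probes, vulnerable_lookup))
    print("hardened:  ", enumerate_accounts(probes, hardened_lookup))
```

A uniform response body is necessary but not sufficient: the status code, headers and response time must also be identical for hits and misses, and an endpoint that accepts millions of lookups without per-client rate limiting still leaks through volume even if each answer is opaque. Where a flow genuinely needs the account (password recovery, contact sync), send the outcome to the submitted email or phone rather than returning it to whoever asked.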
A familiar Twitter bug
This vulnerability resembles a Twitter bug discovered in late 2019, which let security researchers match 17 million phone numbers to Twitter accounts.
The recent warning
The warning came too late. Attackers exploited the vulnerability between July 2021 and January 2022, building a database of email addresses and phone numbers belonging to 5.4 million Twitter accounts.
Twitter says it learned of the exploitation in July from a press report, which it did not name, about a listing on a cyber crime forum. According to that report, the listing advertised data on celebrities and companies, along with high-profile social media and gaming usernames.
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” stated Twitter. Affected account owners are expected to receive notification.
Past CyberTalk.org Twitter coverage
- Twitter tests a new Co-Tweet feature
- An unexpected REvil emergency
- With a Chrome exploit posted on Twitter, did this ethical hacker sabotage security?
For more on this newly emergent Twitter security story, click here. Lastly, to receive more timely cyber security news, top-tier reports and cutting-edge analyses, please sign up for the cybertalk.org newsletter.