Twitter resolves security flaw that enabled phone numbers to be matched with user accounts

Twitter's implementation of two-factor authentication exposed users' phone numbers

Twitter has resolved an issue that enabled bad actors to exploit the Twitter API to match phone numbers with accounts.

According to Twitter, the security incident occurred in December 2019, when a large number of fake accounts exploited Twitter's Application Programming Interface (API) to access the information. The company only publicly disclosed the security issue yesterday.

The API endpoint enabled any Twitter user to submit a phone number and receive the account matching that phone number.

However, not all Twitter users were vulnerable to this particular exploit, the company said. The incident affected only those users who had linked their accounts with their phone numbers and had also enabled the feature which allows other users with "your phone number to find you on Twitter".

According to Twitter, it noticed in December that someone was using a large network of fake accounts to send large numbers of requests to the Twitter API.

The Twitter API works as an interface between the company's apps and websites and its back-end systems. In its investigation, Twitter found that the fake accounts were being operated from a wide range of countries, including Iran, Malaysia and Israel.

The company believes some of those accounts may also have links to state-sponsored actors.

On spotting the security incident, the company initiated an investigation and introduced a number of changes to the specific API endpoint that the bad actors were exploiting. It also suspended all the accounts that were engaged in this behaviour.
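As an added illustration (not Twitter's code), the following Python models a hardened version of the lookup described above: it honours the "let people who have your phone number find you" opt-in so that a non-discoverable account is indistinguishable from a number not on the service, enforces a per-caller limit, and flags the pattern of many distinct callers each sending large numbers of requests. The directory entries, limit, window length and thresholds are assumed sample values.

```python
import time
from collections import defaultdict

# Constructed sample directory: phone number -> (handle, discoverable_by_phone).
# The flag models the "let people who have your phone number find you" setting.
DIRECTORY = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", False),
    "+15550000003": ("carol", True),
}

PER_CALLER_LIMIT = 100    # assumed: lookups allowed per caller per window
WINDOW_SECONDS = 3600     # assumed: sliding window length


class ContactLookup:
    """Phone-to-account lookup with opt-in enforcement and per-caller limits."""

    def __init__(self):
        self.calls = defaultdict(list)   # caller_id -> lookup timestamps

    def _recent(self, caller_id, now):
        # Drop timestamps that have fallen out of the sliding window.
        recent = [t for t in self.calls[caller_id] if now - t < WINDOW_SECONDS]
        self.calls[caller_id] = recent
        return recent

    def lookup(self, caller_id, phone, now=None):
        now = time.time() if now is None else now
        recent = self._recent(caller_id, now)
        if len(recent) >= PER_CALLER_LIMIT:
            return {"status": "rate_limited"}
        recent.append(now)
        entry = DIRECTORY.get(phone)
        # A user who has not opted in must look exactly like a number that is
        # not on the service; a distinct answer would still leak the linkage.
        if entry is None or not entry[1]:
            return {"status": "no_match"}
        return {"status": "match", "handle": entry[0]}

    def heavy_callers(self, now, threshold):
        """Callers at or above `threshold` lookups in the current window."""
        return sorted(c for c in list(self.calls) if len(self._recent(c, now)) >= threshold)


def distributed_enumeration(service, now, min_callers=5, threshold=50):
    """Flag a cluster of many distinct callers each near the per-caller cap:
    the signature of lookups being spread across a network of accounts."""
    heavy = service.heavy_callers(now, threshold)
    return heavy if len(heavy) >= min_callers else []
```

A per-caller cap alone does not stop an attacker who spreads requests over many fake accounts, which is why the cluster check looks across callers rather than at each one in isolation.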

Twitter said it was disclosing the details of its investigation to let users know what exactly happened in that security incident and how the issue on the platform was fixed.

"We are disclosing this out of an abundance of caution and as a matter of principle," Twitter said, adding that protecting the safety and privacy of Twitter users is its top priority, and that the company remains focused on stopping bad actors from abusing Twitter's API.

"We recognise and appreciate the trust you place in us, and are committed to earning that trust every day," the company stated.

However, this is not the first incident impacting the privacy of Twitter users.

In September last year, the company disabled its tweet-via-SMS feature just days after CEO Jack Dorsey's account was compromised due to security flaws.

Earlier, in March 2017, accounts belonging to Amnesty International, UNICEF USA and security blogger Graham Cluley, among others, were compromised by hackers in order to post abusive messages.

In 2015, Russian government-backed hackers also used Twitter to breach US government and defence industry computer networks and to distribute malware to their targets.