Advertisement
Subscribe to our daily newsletter.
Subscribe

Twitter discloses API vulnerability that allowed snoops to tie phone numbers to accounts

Twitter has made "a number of changes to the endpoint" to fix the issue.

By

Twitter login, Twitter authentication, twitter coronavirus
(Reuters)

Twitter says it has beefed up security after a “large network of fake accounts” was able to match phone numbers to Twitter accounts using a vulnerability in the platform’s application programming.

The vulnerability in Twitter’s application programming interface (API), a set of protocols that govern how data interacts with a particular website, allowed someone to upload a slew of phone numbers and correlate them with user accounts.

In a statement Monday, Twitter said it became aware of the issue on Dec. 24, the day that news site TechCrunch reported on how a security researcher had matched 17 million phone numbers by exploiting Twitter’s API.

After investigating the issue, Twitter said it found other accounts that were exploiting the API endpoint. Accounts in several countries were abusing the API, but there was a particularly high volume of abuse coming from IP addresses in Iran, Israel, and Malaysia, the social media giant said.

Advertisement

Twitter has suspended the offending accounts and made “a number of changes to the endpoint” to fix the issue, the company said.

Only users who enabled a feature to allow others to find them on Twitter via their phone number were exposed to the issue.

This is not the first high-profile API vulnerability that Twitter has had to address. In September 2018, Twitter disclosed that its account activity API had inadvertently leaked sensitive data to other developers.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

In This Story

Advertisement
Advertisement

More Like This

Advertisement

Top Stories

Advertisement

More Scoops

In this photo illustration, a visual representation of the digital cryptocurrency Bitcoin is displayed in front of Securities and Exchange Commission (SEC) logo on January 10, 2024 in Paris, France. (Photo illustration by Chesnot/Getty Images)

SEC blames sim-swapping, lack of MFA for X account hijacking

Multifactor authentication was disabled at the SEC’s request last year after staff had difficulties accessing the social media account.
By Derek B. Johnson

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

The logo of the podcast Safe Mode

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics