Balic discovered that it was possible to upload complete lists of phone numbers generated at random through Twitter's contact upload feature and read back the accounts they belonged to
Ibrahim Balic, a security researcher, has disclosed the latest security flaw in the Twitter app for Android. The vulnerability, which the company itself has confirmed, made it possible to link Twitter accounts to their owners' phone numbers.
As reported by TechCrunch, Balic says he was able to match up to 17 million phone numbers to their respective Twitter accounts by exploiting a defect in the Twitter application for Android. It is a basic bug that could just as easily have been exploited by criminals.
Balic discovered that it was possible to upload complete lists of generated phone numbers through the Twitter contact upload feature. "If you upload your phone number, you get user data in return." In other words, anyone holding a telephone number could use the app to find out which account it belonged to, or, worse, could feed in random numbers to discover those belonging to famous or important people, such as politicians or artists.
The contact upload feature does not accept lists of phone numbers in sequential order, presumably as a measure against exactly this kind of matching. Instead, Balic generated more than two billion phone numbers in random rather than sequential order and uploaded them to Twitter through the Android application.
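The enumeration described above comes down to two facts: the endpoint reports a match for any uploaded number that belongs to an account, and the only guard is a check for sequential input that randomised input trivially defeats. The following Python is an added illustration, not code from the article, from Balic or from Twitter; the directory, the handles, the `is_sequential` heuristic and the `HardenedContactUpload` class are all constructed for the example. It shows the weak endpoint rejecting a consecutive range but leaking every account hidden in a shuffled batch, beside a hypothetical hardened endpoint that honours a per-account discoverability setting and caps the number of accounts one caller may ever resolve.

```python
import random
from collections import Counter

# Constructed directory of phone number -> account handle. These are made-up
# numbers and handles used only to illustrate the matching behaviour.
DIRECTORY = {
    "+905551234567": "minister_a",
    "+972541112233": "official_b",
    "+33612345678": "artist_c",
    "+4915112345678": "citizen_d",
}

# Constructed per-account privacy setting: may this account be found by
# phone number at all? The weak endpoint below never consults it.
DISCOVERABLE = {
    "minister_a": True,
    "official_b": True,
    "artist_c": True,
    "citizen_d": False,
}


def is_sequential(numbers):
    """Weak heuristic of the kind the article describes: reject a batch only
    when every number is exactly one higher than the previous one."""
    if len(numbers) < 2:
        return False
    digits = [int(n.lstrip("+")) for n in numbers]
    return all(b - a == 1 for a, b in zip(digits, digits[1:]))


def weak_contact_upload(numbers):
    """Vulnerable endpoint: blocks an obvious sequential scan, then resolves
    every other number to its account, discoverable or not."""
    if is_sequential(numbers):
        raise PermissionError("sequential list rejected")
    return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def random_batch(targets, prefix="+90555", filler=20, seed=7):
    """Constructed attacker batch: the target numbers hidden among random
    filler and shuffled, so the sequential check never fires."""
    rng = random.Random(seed)
    numbers = list(targets) + [f"{prefix}{rng.randrange(10**7):07d}" for _ in range(filler)]
    rng.shuffle(numbers)
    return numbers


class HardenedContactUpload:
    """Hypothetical hardened endpoint (not Twitter's actual fix): honour the
    per-account discoverability setting and cap how many accounts a single
    caller may ever resolve, so random enumeration exhausts its budget after
    a handful of hits instead of millions."""

    def __init__(self, max_matches_per_caller=50):
        self.max_matches = max_matches_per_caller
        self.matches_served = Counter()
        self.flagged = set()

    def upload(self, caller_id, numbers):
        hits = {}
        for n in numbers:
            handle = DIRECTORY.get(n)
            if handle is not None and DISCOVERABLE[handle]:
                hits[n] = handle
        if self.matches_served[caller_id] + len(hits) > self.max_matches:
            self.flagged.add(caller_id)  # surface the caller for abuse review
            raise PermissionError(f"{caller_id}: match budget exhausted")
        self.matches_served[caller_id] += len(hits)
        return hits


if __name__ == "__main__":
    consecutive = [f"+90555123456{d}" for d in range(10)]
    try:
        weak_contact_upload(consecutive)
    except PermissionError as err:
        print("sequential scan:", err)
    shuffled = random_batch(DIRECTORY)  # every real number, shuffled into filler
    print("weak endpoint leaks:", weak_contact_upload(shuffled))
    hardened = HardenedContactUpload(max_matches_per_caller=2)
    print("hardened, first call:", hardened.upload("scanner", random_batch(["+905551234567"])))
    try:
        hardened.upload("scanner", random_batch(DIRECTORY))
    except PermissionError as err:
        print("hardened:", err)
```

The sequential check is the kind of control that looks like a defence in a code review but only changes the attacker's preprocessing step. What actually bounds the damage in the hardened version is that each caller has a finite budget of resolvable accounts and that accounts can opt out of phone-number lookup entirely; a real deployment would also tie the budget to a time window and to the size of a plausible address book.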
Over two months the researcher matched phone records to users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, and stopped only after Twitter blocked the activity on December 20.
Although he did not report the vulnerability to Twitter, Balic created a WhatsApp group containing many of the phone numbers of high-profile Twitter users, such as politicians and senior officials, in order to warn them directly. TechCrunch was able to identify a senior Israeli politician from his matched phone number.
According to Twitter, Balic's finding, from a researcher who previously uncovered a security breach affecting Apple in 2013, is unrelated to the warning the company issued a few days earlier, in which it admitted to a security flaw in the Android app that could have allowed attackers access to private or restricted information, including direct messages, protected tweets and stored location data.
A Twitter spokesman told TechCrunch that the company was working to "make sure this error cannot be exploited again". "Upon learning of this error, we suspended the accounts used to improperly access people's personal information. Protecting the privacy and security of people who use Twitter is our number one priority and we remain focused on quickly stopping spam and abuse that originates from the use of Twitter APIs", the spokesman said.