Researcher gets 17 million users’ phone number using the Twitter app vulnerability

In terms of data and privacy security, although the social network giant Facebook has done poorly, the next Twitter has also encountered various security issues during this period. A few days ago, researchers discovered that there are certain specific flaws in the Android version of Twitter, which can be used to match the contact information of some users to specific accounts. Security researchers located in Istanbul, Turkey, Ibrahim Balic quietly revealed this loophole and introduce their research results at the recently talking to TechCrunch media.

After the Android version of Twitter is first installed and started, it will prompt to read the contact information. If the user allows it, the contact information will be encrypted and uploaded to the Twitter server. Twitter matches contact information based on mobile phone numbers and recommends friends to users. Originally, contact numbers were not uploaded in clear text for security reasons. But researchers have found that they can generate random numbers to upload to Twitter, and then use the matching function of the Twitter server to retrieve related accounts and so on. The researcher generated up to 2 billion numbers in batches in just two months, of which as many as 17 million were successfully matched to specific Twitter accounts. In other words, the researcher indirectly obtained the real mobile phone numbers of 17 million Twitter accounts, which is a very serious leak for Twitter.

Twitter fixed the vulnerability on Dec. 20 before researchers revealed the vulnerability. Prior to this, the researcher did not report the vulnerability directly to Twitter. According to the researcher’s statement, Twitter has not officially acknowledged that at least as of now, it has not been possible to confirm whether Twitter has actually leaked tens of millions of user information. What’s interesting is that Twitter disclosed a serious security vulnerability in the Android version of Twitter last week, and an attacker could gain control of the user’s Twitter account after executing certain code. It’s unclear whether this vulnerability is the same as the one found by Ibrahim, and it should be a completely different security issue from the description of Twitter.