With “an abundance of caution and as a matter of principle,” Twitter announced Monday that it has addressed an issue that allowed possible state-sponsored actors, operating from IP addresses located in Iran, Israel and Malaysia, to exploit a flaw in the site’s application programming interface (API) and match phone numbers they already held to a number of users’ accounts.
According to the website’s investigation, “a large network of fake accounts” took advantage of an API endpoint that lets a user submit their phone number and link it to their account. Users commonly keep this setting turned on so that friends who already have their number can find and follow them.
Twitter explained that while its probe revealed accounts in a wide range of countries that made use of the API exploit, “a particularly high volume of requests” originated from IP addresses tied to Iran, Israel and Malaysia. While it’s unclear whether the profiles were backed by those countries’ governments, the accounts have been removed from the platform.
This comes several weeks after the tech news website TechCrunch published an article describing how security researcher Ibrahim Balic exploited the flaw, which was specifically present in Twitter’s Android app.
“If you upload your phone number, it fetches user data in return,” he told the outlet, revealing that he was able to match 17 million phone numbers with users’ accounts on Twitter.
The researcher provided TechCrunch with a sample list, and the outlet reported that it was “able to identify a senior Israeli politician using their matched phone number.”
While Balic did not personally alert Twitter, according to TechCrunch, ZDNet obtained a statement from Twitter noting that it became aware of the exploit on December 24, 2019, the same day Balic’s research was made public by TechCrunch.
Twitter did not give an exact figure for how many users were impacted by the possible state-backed actors’ efforts, but the company did reveal that users who had the “let people who have your phone number find you on Twitter” option selected in their settings were at risk while the exploit was available.
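As an added illustration, not code from Twitter or from the researcher, the following Python sketch models the mechanism the article describes: a contact-matching endpoint that, given a batch of phone numbers, returns the discoverable accounts they belong to; the attacker’s loop that sweeps a numeric block through it; and two generic hardening checks (rejecting batches shaped like a number sweep rather than an address book, and capping each caller’s daily lookups). The directory, handles, numbers, thresholds and budget values are all constructed assumptions, and the checks are illustrative mitigations, not a description of what Twitter actually deployed.

```python
"""Added illustration, not Twitter's code: a toy contact-matching endpoint of
the kind the article describes, the enumeration loop that abuses it, and two
server-side checks (batch shape and per-caller budget) that limit the abuse.
Accounts, handles and phone numbers below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Account:
    handle: str
    phone: str          # E.164-style string (constructed)
    discoverable: bool  # "let people who have your phone number find you"


# Constructed sample directory; only discoverable accounts may be matched.
DIRECTORY = [
    Account("@alice", "+14155550101", True),
    Account("@bob", "+14155550133", True),
    Account("@carol", "+14155550177", False),
    Account("@dave", "+60123456789", True),
]


def looks_like_sweep(numbers, threshold=0.5):
    """Abuse heuristic (an assumption, not a Twitter control): a real address
    book is not a contiguous block of numbers. Returns True when more than
    `threshold` of the sorted batch's neighbours differ by exactly 1."""
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    if len(digits) < 2:
        return False
    adjacent = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return adjacent / (len(digits) - 1) > threshold


class ContactMatcher:
    """Server side: takes a batch of phone numbers, returns matching handles."""

    def __init__(self, directory, max_batch=100, daily_budget=1000):
        self._by_phone = {a.phone: a for a in directory}
        self.max_batch = max_batch        # per-request cap (assumed value)
        self.daily_budget = daily_budget  # per-caller cap (assumed value)
        self._spent = {}                  # caller_id -> numbers looked up

    def _lookup(self, numbers):
        hits = {}
        for n in numbers:
            acct = self._by_phone.get(n)
            if acct and acct.discoverable:   # opted-out users never match
                hits[n] = acct.handle
        return hits

    def match_unthrottled(self, numbers):
        """Weak variant: no limits, so a caller can sweep whole number blocks."""
        return self._lookup(numbers)

    def match(self, caller_id, numbers):
        """Hardened variant: rejects sweep-shaped batches and enforces a budget."""
        if len(numbers) > self.max_batch:
            raise ValueError("batch too large")
        if looks_like_sweep(numbers):
            raise ValueError("batch looks like a number sweep, not an address book")
        spent = self._spent.get(caller_id, 0)
        if spent + len(numbers) > self.daily_budget:
            raise PermissionError("daily lookup budget exhausted")
        self._spent[caller_id] = spent + len(numbers)
        return self._lookup(numbers)


def enumerate_range(matcher, prefix, start, stop, batch=100):
    """Attacker side: generate a numeric block and feed it to the weak endpoint,
    collecting every (number -> handle) pair the service gives back."""
    found = {}
    block = [f"{prefix}{i:04d}" for i in range(start, stop)]
    for i in range(0, len(block), batch):
        found.update(matcher.match_unthrottled(block[i:i + batch]))
    return found


if __name__ == "__main__":
    m = ContactMatcher(DIRECTORY)
    print("unthrottled sweep:", enumerate_range(m, "+1415555", 0, 200))
    try:
        m.match("ip-203.0.113.7", [f"+1415555{i:04d}" for i in range(100)])
    except ValueError as e:
        print("hardened endpoint rejected sweep:", e)
    print("legit sync:", m.match("ip-203.0.113.7", ["+14155550101", "+60123456789"]))
```

The point the sketch makes is that hashing or otherwise protecting the stored numbers does nothing here, because the attacker supplies the numbers and the service confirms them; the only levers are the volume and shape of what a single caller may submit, and the per-user discoverability setting that the article says determined who was exposed.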