Twitter has just admitted to a serious security flaw that allowed phone numbers to be matched with their respective Twitter accounts. The flaw was originally reported by security researcher Ibrahim Balic in December 2019 but is only now being brought to light.
The vulnerability was discovered in Twitter’s Android app and it allowed Balic to match over 17 million phone numbers with their user accounts. Twitter was forced to admit that such a massive pairing of corresponding accounts and numbers was beyond that feature’s intended use.
We recently discovered an issue that allowed bad actors to match a specific phone number with the corresponding accounts on Twitter. We quickly corrected this issue and are sorry this happened. You can learn more about our investigation here: https://t.co/Z6Q4geQ8jo
— Twitter Support (@TwitterSupport) February 3, 2020
The social media giant discovered hundreds of accounts exploiting this flaw and suspended them immediately once it was pointed out.
These accounts originated from a wide range of countries across the globe but were concentrated in particularly high volumes in Iran, Israel, and Malaysia. Twitter believes that some of these accounts may have been sponsored by their respective governments.
Twitter has now patched this feature so it can no longer return specific account names in response to queries. They also explained that users who didn’t have their phone number linked to their accounts remained unaffected.
The case is explained in detail in Twitter’s official blog post.