A security researcher has said he matched 17 million phone numbers to Twitter users’ accounts by exploiting a vulnerability in Twitter’s Android app, media reported. The researcher, Ibrahim Balic, found that a full list of generated phone numbers could be uploaded through Twitter’s contact upload feature. In other words, when a phone number is uploaded through this feature, the platform returns the data of the user account it matches.
Balic points out that Twitter’s contact upload feature does not accept a list of phone numbers in sequential (continuous) order, which may have been an attempt to prevent exactly this kind of matching. However, Balic generated more than 2 billion phone numbers, one by one, randomized their order, and uploaded them to Twitter via the Android app. Balic points out that this vulnerability does not exist in the web-based upload feature.
Balic said he matched user records from Israel, Turkey, Iran, Greece, Armenia, France and Germany over a period of more than two months, but stopped after Twitter responded to the vulnerability on December 20. Although he did not alert Twitter to the vulnerability, he added the phone numbers of many well-known Twitter users, including politicians and officials, to WhatsApp groups in order to warn those users directly.
In response, Twitter said it was working to ensure that the vulnerability was not exploited again. “After learning of this vulnerability, we suspended accounts that illegally obtained personal information. Protecting the privacy and security of Twitter users is our top priority, and we remain committed to quickly stopping spam and abuse from the Twitter API.”
Balic was previously known for discovering security vulnerabilities that affected Apple’s developer center in 2013.