Security Flaw Uncovered Regarding Twitter’s Phone Number Account Matching
This week Twitter revealed that it recently detected a security vulnerability in its account matching systems which may have exposed people's personal information through its API.
"On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers," Twitter explained.
"We immediately suspended these accounts and are disclosing the details of our investigation, because we believe it's important that you are aware of what happened, and how we fixed it."
When users first sign up for a Twitter account, Twitter offers an option to cross-match their existing phone and email contacts against Twitter's database. This option lets them find people they might know on the platform; users can change it at any time by going to 'Settings and Privacy', then 'Privacy and safety', and finally 'Discoverability and Contacts'.
These options are active by default so that people who have the user's phone number, or the number attached to their account, can find their Twitter profile, ideally the people the user knows in real life. To find the profiles of anyone listed in their email contacts, and to refresh their contact list at any time, all the user has to do is tap 'Manage Contacts' at the bottom.
This feature comes in handy for users building connections from scratch; however, Twitter has now found that attackers can also use it to harvest personal data.
In theory, through this process scammers could obtain a user's name and phone number, which could then be used to blackmail them with information posted via the user's Twitter account.
As TechCrunch notes, because many people also use their phone number for two-factor authentication, it could potentially also enable them to gain access to the user's account.
Twitter added: "Additionally, we suspended any account we believe to have been exploiting this endpoint."
Twitter says it has changed its system so that it no longer returns specific account names in response to such queries.
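To make the difference between the abused behaviour and the fix concrete, here is an added illustration (not Twitter's code, and not based on any knowledge of its real endpoint) of a contact-matching lookup in two forms: a weak version that resolves every submitted number to a username with no limits, and a hardened version that honours the discoverability opt-in, caps batch size, and tracks per-caller volume so that bulk enumeration can be flagged for review. The directory, account names, numbers and thresholds are all constructed values.

```python
from collections import defaultdict

# Constructed sample directory: phone number -> (username, discoverable_by_phone).
# The boolean models the user's "Discoverability and Contacts" opt-in.
DIRECTORY = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", False),
    "+15550000003": ("carol", True),
}


def match_contacts_weak(numbers):
    """Weak behaviour: every uploaded number found in the directory is resolved
    to a username, whether or not its owner chose to be discoverable, and with
    no limit on how many numbers a single caller may submit."""
    return {n: DIRECTORY[n][0] for n in numbers if n in DIRECTORY}


MAX_BATCH = 2        # assumed per-request cap on uploaded numbers
LOOKUP_BUDGET = 5    # assumed per-caller budget of submitted numbers before flagging
_lookups = defaultdict(int)   # caller account id -> total numbers submitted so far


def match_contacts_hardened(caller, numbers):
    """Hardened behaviour: reject oversized batches, count per-caller volume,
    and only resolve numbers whose owner opted in to discovery by phone.
    Returns (matches, flagged). A network of fake accounts spreads its volume
    across many callers, so the per-caller flag is one signal for review, not
    the whole defence."""
    if len(numbers) > MAX_BATCH:
        raise ValueError("batch too large")
    _lookups[caller] += len(numbers)
    flagged = _lookups[caller] > LOOKUP_BUDGET
    matches = {n: DIRECTORY[n][0] for n in numbers
               if n in DIRECTORY and DIRECTORY[n][1]}
    return matches, flagged
```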