Twitter has announced that it has fixed a security flaw that exposed 5.4 million of its accounts. The vulnerability allowed threat actors to collect information on the affected accounts.
Details of the security vulnerability Twitter was exposed to
Because of this vulnerability, anyone could enter a phone number or an email address and learn whether it was associated with a Twitter account. This made it possible to reveal the identity behind a Twitter pseudonym.
In a statement, the company said: “If someone provides an email address or phone number to Twitter’s systems, Twitter’s systems will tell the person the Twitter account associated with the email addresses, or phone number if any.”
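As an added illustration (not code from the article or from Twitter), the snippet below contrasts a lookup that behaves like the flaw described above, answering differently for registered and unregistered contact details, with a non-enumerable alternative that gives every caller the same reply, sends the real answer only to the contact method being queried, and limits attempts per client. The account directory, identifiers, client ids and function names are all constructed for the example.

```python
"""Constructed example: an account-lookup oracle versus a non-enumerable lookup."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample directory (not real data): contact detail -> screen name.
ACCOUNTS = {
    "alice@example.com": "@alice_pseudonym",
    "+15550100": "@burner_account",
}


def vulnerable_lookup(identifier: str) -> dict:
    """Leaky behaviour: the reply differs for known and unknown identifiers,
    so a caller can test any email/phone and learn whether it has an account."""
    handle = ACCOUNTS.get(identifier)
    if handle is None:
        return {"found": False}
    return {"found": True, "account": handle}


@dataclass
class NonEnumerableLookup:
    """Hardened behaviour: identical reply for every identifier. The actual
    result goes out-of-band to the contact method the caller claims to own,
    and each client gets a small attempt budget (constructed policy)."""
    max_attempts: int = 5
    attempts: dict = field(default_factory=lambda: defaultdict(int))
    outbox: list = field(default_factory=list)  # stands in for email/SMS delivery

    def lookup(self, identifier: str, client_id: str) -> dict:
        self.attempts[client_id] += 1
        if self.attempts[client_id] > self.max_attempts:
            return {"status": "rate_limited"}
        if identifier in ACCOUNTS:
            # Only the owner of the queried address/number sees the account name.
            self.outbox.append((identifier, f"Your account is {ACCOUNTS[identifier]}"))
        # Same reply whether or not the identifier is registered.
        return {
            "status": "ok",
            "message": "If this contact method is registered, we have sent instructions to it.",
        }


if __name__ == "__main__":
    print(vulnerable_lookup("alice@example.com"))   # reveals the account
    print(vulnerable_lookup("nobody@example.com"))  # reveals there is none
    safe = NonEnumerableLookup()
    print(safe.lookup("alice@example.com", "client-1"))
    print(safe.lookup("nobody@example.com", "client-1"))  # indistinguishable reply
```

The point of the hardened version is that the HTTP-visible response carries no information about whether the contact detail is registered; only the legitimate owner, reading the out-of-band message, learns the outcome. The attempt budget is a second layer, since even a uniform reply can leak through timing or other side channels if a client is allowed unlimited queries.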
BuzzFeed used a similar flaw in Twitter’s systems in 2015, taking advantage of it to expose the burner account of an extremist politician in Australia. Although that was useful, it is the widespread use of this process that leads to problems.
Which is exactly what happened this time: hackers had already exploited the vulnerability before it was patched, building a database of email addresses and phone numbers for 5.4 million Twitter accounts.
Twitter said in July 2022: “We learned through a press report that someone took advantage of this and was offering to sell the information they collected. After reviewing a sample of data available for sale, we confirmed that a bad actor had taken advantage of the problem before it was addressed. Therefore, we will directly notify account owners who we can confirm are affected by this issue.”
After contacting the person who exploited the security flaw, it was found that he had collected a database of 5.4 million Twitter account profiles, each including a verified phone number or email address along with public profile data such as follower count, screen name, login name, location and profile picture URL, among other information.
He was looking to sell the dataset for around $30,000, and many buyers are said to have obtained the cache since then.
Twitter rewards the vulnerability finder
The vulnerability is reported to have been mentioned in a report by security researchers to Twitter’s bug bounty program in June 2021. The company investigated and fixed the matter in January 2022, 6 months after the bug was introduced into its own codebase. Twitter rewarded the security researcher who discovered the vulnerability with $6,000.
How dangerous is this Twitter vulnerability?
This kind of security issue is not new to Twitter. It is similar to a vulnerability discovered in late 2019 that allowed security researchers to match 17 million phone numbers to Twitter accounts.
The flaw is not considered a serious breach, since much of this data is often publicly available. But for users who have tried to keep their profile separate from their real-world identity (IRL), or who tweet about contentious topics, it means that people can now trace their phone numbers through this list and harass them in new and even more extreme ways.