Twitter Bug Links 17 Million Phone Numbers to User Accounts

REUTERS/Dado Ruvic

A digital security researcher claims to have discovered a bug in Twitter’s Android app that allowed him to link 17 million phone numbers to user accounts. By uploading phone numbers to Twitter, the security expert was returned the user accounts associated with those numbers.

TechCrunch reports that security researcher Ibrahim Balic has discovered a bug in Twitter’s Android app which allowed him to match 17 million phone numbers to Twitter profiles. Balic found that he could upload entire lists of generated phone numbers via Twitter’s contacts upload feature and receive user data in return. “If you upload your phone number, it fetches user data in return,” he told TechCrunch.

The app does not accept lists of phone numbers in a sequential format, so he generated over two billion phone numbers, then randomized the numbers and uploaded them to Twitter via the Android app. Over the course of two months, Balic matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, but stopped after Twitter blocked his efforts on December 20.

TechCrunch verified information provided by Balic and found that they were even able to link one phone number to the account of a senior Israeli politician. Balic did not directly report the bug to Twitter but rather took many of the phone numbers of high-profile Twitter users to a WhatsApp group to warn the users directly of the issue.

A Twitter spokesperson told TechCrunch the company was working to “ensure this bug cannot be exploited again.” The spokesperson added: “Upon learning of this bug, we suspended the accounts used to inappropriately access people’s personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter’s APIs.”

Earlier this week, Twitter published a blog post which stated that a security bug, different from the one discovered by Balic, could have allowed “a bad actor to see nonpublic account information or to control your account,” such as tweets, direct messages and location information.

Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or email him at lnolan@breitbart.com
