Twitter says an attacker used its API to match usernames to phone numbers.
In a statement published yesterday, Twitter disclosed a security incident in which third parties used the company's official API (application programming interface) to match phone numbers to Twitter usernames.
Twitter said it learned of attempts to exploit this API feature on December 24, 2019, following a report by the news site TechCrunch. That report detailed the work of a security researcher who abused the API function to match 17 million phone numbers to public usernames.
Twitter says that after the report it intervened and immediately suspended a large network of fake accounts that had been used to query the API and match phone numbers to Twitter usernames.
During its investigation, the social network said it also found evidence that the same API flaw had been used by other third parties, beyond the security researcher at the center of the TechCrunch report.
Twitter did not say who those third parties were, but stated that some of the IP addresses used in the attempts had links to state-sponsored entities, a term used for government intelligence agencies or third-party hacking groups operating with government backing.
The company said it is disclosing the results of its investigation now "out of an abundance of caution and as a matter of principle."
According to Twitter, the attackers used a legitimate API endpoint that lets new account holders find people they already know on Twitter. The endpoint accepts a list of phone numbers and returns the Twitter accounts they match, provided those accounts have enabled the setting that lets people who have their phone number find them.
"People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability," Twitter stated.
The social network said that after detecting the attack it immediately made a number of changes to the endpoint "so that it could no longer return specific account names in response to queries."
This article was rewritten and updated at 18:00 Eastern time based on additional information provided by a Twitter spokesperson.
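The article describes the endpoint and the fix only at a high level, and Twitter's actual contact-sync implementation is not on this page. The following Python model is an added illustration, not Twitter's code and not from the article: it shows why an unbounded phone-to-account lookup works as an enumeration oracle for a network of throwaway accounts, and the kind of controls (opt-in only, account-age gate, batch and per-caller quotas, and a miss-rate heuristic that catches sweeps of guessed numbers) that blunt it. Every account, phone number and threshold in it is constructed for the demo.

```python
"""Toy model of a phone-number contact-discovery endpoint.

Added illustration: the accounts, phone numbers and thresholds below are
constructed for this example and say nothing about Twitter's real code.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    phone: Optional[str]
    discoverable_by_phone: bool  # "let people who have my number find me"


# Constructed directory; these are not real users or numbers.
DIRECTORY: List[Account] = [
    Account("alice", "+15550000001", True),
    Account("bob", "+15550000002", False),   # opted out of phone discovery
    Account("carol", None, True),            # no phone number on file
    Account("dave", "+15550000004", True),
]


def _phone_index(directory: List[Account]) -> Dict[str, Account]:
    """Only opted-in accounts with a phone number on file are matchable."""
    return {a.phone: a for a in directory if a.phone and a.discoverable_by_phone}


def match_contacts_unbounded(directory: List[Account], phones: List[str]) -> Dict[str, str]:
    """Weak design: any caller may submit any number of phone numbers and
    receives the username behind every discoverable match.  Nothing limits
    how many guesses one caller, or a network of throwaway accounts, can
    make, so the endpoint doubles as an oracle for mass phone-to-username
    mapping of every opted-in user."""
    index = _phone_index(directory)
    return {p: index[p].username for p in phones if p in index}


class ContactDiscoveryService:
    """Hardened design: the same lookup with controls a bulk endpoint needs.
    The thresholds are arbitrary demo values."""

    MAX_BATCH = 3             # numbers accepted per request
    MAX_PER_CALLER = 5        # numbers accepted per caller per window
    MIN_CALLER_AGE_DAYS = 7   # fresh accounts may not sync contacts yet
    MAX_MISS_RATE = 0.8       # real address books mostly hit; sweeps mostly miss

    def __init__(self, directory: List[Account]) -> None:
        self.index = _phone_index(directory)
        self.submitted: Dict[str, int] = defaultdict(int)
        self.misses: Dict[str, int] = defaultdict(int)
        self.flagged = set()

    def match(self, caller: str, caller_age_days: int, phones: List[str]) -> Dict[str, str]:
        if caller in self.flagged:
            raise PermissionError("caller suspended for enumeration behaviour")
        if caller_age_days < self.MIN_CALLER_AGE_DAYS:
            raise PermissionError("account too new to use contact discovery")
        if len(phones) > self.MAX_BATCH:
            raise ValueError("batch exceeds MAX_BATCH")
        if self.submitted[caller] + len(phones) > self.MAX_PER_CALLER:
            raise PermissionError("per-caller lookup quota exceeded")

        self.submitted[caller] += len(phones)
        matches = {p: self.index[p].username for p in phones if p in self.index}
        self.misses[caller] += len(phones) - len(matches)

        # Heuristic: once a caller has submitted a full batch, a miss rate far
        # above what a genuine address book produces marks it as a sweep.
        total = self.submitted[caller]
        if total >= self.MAX_BATCH and self.misses[caller] / total > self.MAX_MISS_RATE:
            self.flagged.add(caller)
        return matches


if __name__ == "__main__":
    sweep = [f"+1555000000{i}" for i in range(10)]   # constructed number range
    print("unbounded:", match_contacts_unbounded(DIRECTORY, sweep))
    svc = ContactDiscoveryService(DIRECTORY)
    try:
        for i in range(0, len(sweep), svc.MAX_BATCH):
            print("hardened:", svc.match("sweeper", 30, sweep[i:i + svc.MAX_BATCH]))
    except (PermissionError, ValueError) as exc:
        print("blocked:", exc)
```

The weak function maps the whole constructed range to two usernames in one call; the hardened service answers the first batch and then refuses the rest on quota. The miss-rate check is a heuristic, not a proof of abuse: a genuine user whose contacts are mostly off the platform can trip it, so in practice it should feed a review or step-up queue rather than an automatic ban.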