A security researcher named Ibrahim Balic discovered that he could upload a list of phone numbers via the contact upload feature. After the upload, Twitter automatically fetches the corresponding user details. The flaw allows anyone to match phone numbers with user accounts. Apparently, Twitter already has a feature in place to prevent this type of attack. However, Balic was able to circumvent it by generating more than two billion phone numbers one after another and uploading them.
Balic matched records across different regions, including Israel, Turkey, and Iran. The researcher told TechCrunch that “If you upload your phone number, it fetches user data in return.” He also showcased his efforts by using a password reset feature and matching random users with numbers. That's not all: in one of the attempts, the number matched that of a senior Israeli politician.
The flaw was not fixed for a while since Balic didn’t report it to Twitter. Instead, he matched the phone numbers of high-profile Twitter users and formed a WhatsApp group to warn those users directly about the peril. In the meantime, Twitter is tight-lipped about the flaw and is yet to acknowledge or deny it, or even issue a clarification.
Twitter is no stranger to security flaws and privacy issues. Earlier this year, Twitter had agreed that it collected user data even after users had opted out of location sharing. And a month ago it was found guilty of serving ads using numbers provided for two-factor authentication.
[via TechCrunch]