State-sponsored actors may have abused Twitter API to de-anonymize users
A Twitter API that’s intended to help new account holders find people they may already know on Twitter has been abused by known and unknown actors to tie usernames to phone numbers and potentially de-anonymize certain users.
How did it happen?
“On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it,” Twitter shared on Monday.
“During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors.”
Malicious actors (whether state-sponsored or just fraudsters motivated by money) who can match Twitter usernames to phone numbers can not only unmask users that might want to remain anonymous on the microblogging service, but could also use that information to perform SIM swapping attacks and receive the second authentication factor needed for hijacking accounts additionally secured via 2-factor authentication.
The company did not mention it in the advisory, but the trigger for the investigation was a security researcher’s months-long effort of exploiting a flaw in Twitter’s Android app that allowed him to match 17 million phone numbers to Twitter user accounts.
Apparently, the API endpoint did not accept lists of phone numbers in sequential format, but the researcher got around this flimsy protection by generating more than two billion phone numbers, randomizing them, then uploading them to Twitter via the Android app.
What now?
This specific bug was present only in the app’s upload feature and has since been fixed.
“The endpoint matches phone numbers to Twitter accounts for those people who have enabled the ‘Let people who have your phone number find you on Twitter’ option and who have a phone number associated with their Twitter account. People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability,” Twitter explained.
After the investigation, the company made “a number of changes to this API endpoint so that it could no longer return specific account names in response to queries.”