Earlier this week, Twitter revealed a security incident that involved a “high volume of requests coming from individual IP addresses located within Malaysia,” among other countries.
Twitter said it became aware that someone was using a large network of fake accounts to exploit its API and match usernames to mobile phone numbers. The social media company discovered the incident on December 24, 2019.
“We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it,” the company said.
“During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”
An IP address is a unique “digital address” that identifies a device on the Internet or a local network. It allows a system to be recognized by other systems connected via the Internet protocol. Using services such as a Virtual Private Network (VPN), online users around the world can mask their actual IP address and appear to connect to the Internet from an IP address located in a different part of the world.
“After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint,” Twitter said in a blog post.
On 25 December, 2019, a security researcher said he had matched 17 million mobile phone numbers to Twitter user accounts by exploiting a flaw in Twitter’s Android app. The bug did not exist on Twitter’s website.
The security researcher, Ibrahim Balic, found that it was possible to upload entire lists of generated phone numbers through the Twitter contacts upload feature via the Android app. “If you upload your phone number, it fetches user data in return,” he told TechCrunch.
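The abuse pattern described above (bulk uploads of generated phone numbers, spread across many accounts but funnelled through a few source IPs, with few of the numbers matching real users) is something an API owner can look for in its own request logs. The following detector is an added example, not Twitter’s code; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real Twitter data). Fields, in order:
# timestamp, source IP, account id, endpoint, phone numbers in the upload,
# numbers in that upload that matched an existing account.
SAMPLE_LOG = """\
2019-12-24T10:00:01Z,203.0.113.5,acct_1001,/contacts/upload,12,9
2019-12-24T10:00:07Z,198.51.100.7,acct_2001,/contacts/upload,5000,61
2019-12-24T10:00:09Z,198.51.100.7,acct_2002,/contacts/upload,5000,58
2019-12-24T10:00:12Z,198.51.100.7,acct_2003,/contacts/upload,5000,64
2019-12-24T10:00:15Z,198.51.100.7,acct_2004,/contacts/upload,5000,55
2019-12-24T10:00:20Z,192.0.2.9,acct_3001,/contacts/upload,40,31
2019-12-24T10:00:21Z,203.0.113.5,acct_1001,/timeline/home,0,0
"""

@dataclass
class IpStats:
    accounts: set = field(default_factory=set)  # distinct accounts seen from this IP
    uploads: int = 0                             # number of contact-upload calls
    numbers: int = 0                             # phone numbers submitted in total
    matches: int = 0                             # numbers that resolved to a user

def parse(log_text):
    """Yield (ip, account, endpoint, numbers, matches) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, ip, acct, endpoint, numbers, matches = parts
        yield ip, acct, endpoint, int(numbers), int(matches)

def find_enumeration_sources(log_text, max_numbers=1000, max_accounts=3, min_match_rate=0.1):
    """Return the set of source IPs whose contact-upload traffic looks like
    phone-number enumeration: far more numbers than a real address book, and
    either many accounts behind one IP or a low match rate (generated lists
    mostly miss, real contact lists mostly hit). Thresholds are assumed."""
    stats = defaultdict(IpStats)
    for ip, acct, endpoint, numbers, matches in parse(log_text):
        if endpoint != "/contacts/upload":
            continue  # only the contact-matching endpoint is of interest here
        s = stats[ip]
        s.accounts.add(acct)
        s.uploads += 1
        s.numbers += numbers
        s.matches += matches
    flagged = set()
    for ip, s in stats.items():
        match_rate = s.matches / s.numbers if s.numbers else 1.0
        if s.numbers > max_numbers and (len(s.accounts) > max_accounts or match_rate < min_match_rate):
            flagged.add(ip)
    return flagged
```

Running `find_enumeration_sources(SAMPLE_LOG)` flags only `198.51.100.7`, the IP that pushed 20,000 numbers through four accounts with about a 1% hit rate, while the two ordinary address-book uploads pass.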
In May 2019, Twitter admitted it gave account location data to its partners, even if the user had opted out of having their data shared. In August, the company said it inadvertently gave its ad partners more data than it should have. In November 2019, Twitter confirmed it had used mobile phone numbers provided by users for two-factor authentication to serve targeted ads.