Twitter has admitted it is possible that state actors may have accessed the phone numbers of some of its users.
In December 2019, a cybersecurity researcher, Ibrahim Balic, discovered a flaw in the social media network affecting its contacts upload feature. He found that the flaw enabled him to access the phone numbers of senior politicians.
Twitter said that, at the time, it saw a “high volume of requests” to the feature from Iran, Israel and Malaysia.
Twitter declined to say how many users’ phone numbers had been compromised as a result. The social media network told ZDNet that, while investigating the incident, it had found evidence that the API bug had been exploited by third parties other than Balic.
In a statement on its blog, Twitter said: “It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”
The company did not say why it believed the activity could have been state-backed; one possible reason is that some of the requests came from users in Iran, where Twitter is banned.
Balic had been able to match 17 million phone numbers to specific Twitter users by exploiting a flaw in the contacts feature in Twitter’s Android app.
The feature was designed to enable new Twitter account holders to connect with their phone contacts. It matches uploaded phone numbers to Twitter accounts, but only for users who have the “let people who have your phone number find you on Twitter” option enabled.
By generating more than two billion phone numbers and uploading them to Twitter, Balic was able to match those generated numbers to users in Israel, Turkey, Iran, Greece, Armenia, France and Germany over a two-month period. Rather than alert Twitter to the fault, he sent a WhatsApp group message to warn the people directly affected.
According to Twitter, those users who did not have the setting enabled or do not have a number associated with their account were not exposed by this vulnerability.
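To make the mechanics concrete, here is an added simulation of the enumeration technique described above. It is illustrative code written for this article, not Twitter’s implementation: the account directory, handles, phone numbers and the per-client upload quota used as a mitigation are all assumptions. It shows the two points the report makes: a bulk sweep of generated numbers through a contact-matching endpoint resolves numbers to accounts, and only accounts that have the discoverability setting enabled (and a number on file) are exposed.

```python
"""Simulation of phone-number enumeration through a contact-upload
matching feature. Illustrative only: the directory, numbers and the
quota mitigation are constructed assumptions, not Twitter's code."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    handle: str
    phone: Optional[str]   # E.164 string, or None if no number on file
    discoverable: bool     # the "find me by phone number" setting


# Constructed sample directory (fictitious handles and numbers).
DIRECTORY = [
    Account("senator_a", "+49151230042", True),
    Account("minister_b", "+49151237311", True),
    Account("private_c", "+49151235000", False),   # opted out: must not leak
    Account("no_phone_d", None, True),             # no number: nothing to match
    Account("outside_e", "+33612340000", True),    # outside the swept range
]


class ContactMatcher:
    """Server side of the contact-upload feature.

    max_uploads_per_client is an assumed mitigation for illustration:
    None reproduces the unbounded behaviour that allows bulk sweeps.
    """

    def __init__(self, accounts: List[Account],
                 max_uploads_per_client: Optional[int] = None):
        self.by_phone: Dict[str, Account] = {
            a.phone: a for a in accounts if a.phone is not None}
        self.quota = max_uploads_per_client
        self.uploaded: Dict[str, int] = {}

    def upload_contacts(self, client_id: str,
                        numbers: List[str]) -> List[Tuple[str, str]]:
        """Return (number, handle) pairs for uploaded numbers that match
        an account whose owner opted in to discovery by phone number."""
        if self.quota is not None:
            used = self.uploaded.get(client_id, 0)
            if used + len(numbers) > self.quota:
                raise PermissionError(
                    f"{client_id}: contact upload quota exceeded")
            self.uploaded[client_id] = used + len(numbers)
        matches = []
        for number in numbers:
            acct = self.by_phone.get(number)
            if acct is not None and acct.discoverable:
                matches.append((number, acct.handle))
        return matches


def generate_numbers(prefix: str, start: int, stop: int, width: int) -> List[str]:
    """Generate a numbering-plan slice: prefix + zero-padded suffix."""
    return [f"{prefix}{i:0{width}d}" for i in range(start, stop)]


def enumerate_range(matcher: ContactMatcher, client_id: str, prefix: str,
                    stop: int, width: int, batch: int = 500) -> Dict[str, str]:
    """The attacker's loop: sweep a number range in batches through the
    matching endpoint and collect every number-to-handle resolution."""
    found: Dict[str, str] = {}
    for lo in range(0, stop, batch):
        numbers = generate_numbers(prefix, lo, min(lo + batch, stop), width)
        for number, handle in matcher.upload_contacts(client_id, numbers):
            found[number] = handle
    return found


def run_demo() -> Tuple[Dict[str, str], bool]:
    """Sweep the 10,000 numbers +49151230000..+49151239999 against an
    unbounded matcher, then against one with a per-client quota."""
    open_matcher = ContactMatcher(DIRECTORY)
    leaked = enumerate_range(open_matcher, "attacker", "+4915123", 10000, 4)
    capped = ContactMatcher(DIRECTORY, max_uploads_per_client=2000)
    try:
        enumerate_range(capped, "attacker", "+4915123", 10000, 4)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = run_demo()
    for number, handle in sorted(leaked.items()):
        print(f"{number} -> @{handle}")
    print("quota stopped the sweep:", blocked)
```

Against the unbounded matcher the sweep resolves the two opted-in accounts in the swept range and nothing else: the opted-out account and the account with no number on file stay hidden, which is the behaviour Twitter describes. The quota is only one of several possible controls (anomaly detection on upload volume per client and per source IP is another); its purpose here is to show that the exposure comes from the volume of uploads the endpoint accepts, not from the matching itself.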
The company has since patched the fault and said it has suspended any account believed to have been exploiting this vulnerability.
“We’re very sorry this happened,” it said. “We recognise and appreciate the trust you place in us, and are committed to earning that trust every day.”