Security News > 2020 > February > State-sponsored actors may have abused Twitter API to de-anonymize users

A Twitter API that's intended to help new account holders find people they may already know on Twitter has been abused by known and unknown actors to tie usernames to phone numbers and potentially de-anonymize certain users.

"On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it's important that you are aware of what happened, and how we fixed it," Twitter shared on Monday.

Malicious actors who can match Twitter usernames to phone numbers can not only unmask users that might want to remain anonymous on the microblogging service, but could also use that information to perform SIM swapping attacks and receive the second authentication factor needed for hijacking accounts additionally secured via 2-factor authentication.

Apparently, the API endpoint did not accept lists of phone numbers in sequential format, but the researcher got around this flimsy protection by generating more than two billion phone numbers, randomizing them, then uploading them to Twitter via the Android app.

"The endpoint matches phone numbers to Twitter accounts for those people who have enabled the 'Let people who have your phone number find you on Twitter' option and who have a phone number associated with their Twitter account. People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability," Twitter explained.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/-dfoDCPqR20/