Twitter API Abused to Uncover User Identities
2020-02-04 14:22

The social media giant said that on Dec. 24, 2019, it discovered a large network of fake accounts abusing a legitimate API function on its platform that, when used as intended, allows accounts to find Twitter users that they may already know by matching phone numbers to their Twitter account names.

The bad actors were using this legitimate feature to uncover Twitter users, raising concerns that they could have obtained the true identities of human rights activists or dissidents who go by pseudonyms on Twitter.

In December, security researcher Ibrahim Balic told TechCrunch that he was able to match 17 million phone numbers to Twitter user accounts by abusing a flaw in Twitter's Android app.

In December, Twitter for Android users were urged to update their app to avoid a security bug that allows a malicious user to access private account data and could also allow an attacker to take control of accounts to send tweets and direct messages.

The social media platform also warned in October that an old Twitter API still used by popular iOS mobile apps could be abused as part of a man-in-the-middle attack.


News URL

https://threatpost.com/twitter-api-abused-to-uncover-identities/152521/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Twitter 5 0 6 2 0 8