Skip to main content
https://www.highperformancecpmgate.com/rgeesizw1?key=a9d7b2ab045c91688419e8e18a006621

A Twitter app bug was used to match 17 million phone numbers to user accounts

A security researcher said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter’s Android app.

Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter’s contacts upload feature. “If you upload your phone number, it fetches user data in return,” he told TechCrunch.

He said Twitter’s contact upload feature doesn’t accept lists of phone numbers in sequential format — likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)

Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, he said, but stopped after Twitter blocked the effort on December 20.

Balic provided TechCrunch with a sample of the phone numbers he matched. Using the site’s password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided.

In one case, TechCrunch was able to identify a senior Israeli politician using their matched phone number.

While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users — including politicians and officials — to a WhatsApp group in an effort to warn users directly.

It’s not believed Balic’s efforts are related to a Twitter blog post published this week, which confirmed a bug could have allowed “a bad actor to see nonpublic account information or to control your account,” such as tweets, direct messages and location information.

A Twitter spokesperson, when reached, did not immediately comment outside of business hours.

It’s the latest security lapse involving Twitter data in the past year. In May, Twitter admitted it gave account location data to one of its partners, even if the user had opted-out of having their data shared. In August, the company said it inadvertently gave its ad partners more data than it should have. And just last month, Twitter confirmed it used phone numbers provided by users for two-factor authentication for serving targeted ads.

Balic is previously known for identifying a security flaw breach that affected Apple’s developer center in 2013.

Hackers are spreading Islamic State propaganda by hijacking dormant Twitter accounts

Comments

Post a Comment

Popular posts from this blog

Uber co-founder Garrett Camp steps back from board director role

Uber co-founder Garrett Camp is relinquishing his role as a board director and switching to board observer — where he says he’ll focus on product strategy for the ride hailing giant. Camp made the announcement in a short Medium post in which he writes of his decade at Uber: “I’ve learned a lot, and realized that I’m most helpful when focused on product strategy & design, and this is where I’d like to focus going forward.” “I will continue to work with Dara [Khosrowshahi, Uber CEO] and the product and technology leadership teams to brainstorm new ideas, iterate on plans and designs, and continue to innovate at scale,” he adds. “We have a strong and diverse team in place, and I’m confident everyone will navigate well during these turbulent times.” The Canadian billionaire entrepreneur signs off by saying he’s looking forward to helping Uber “brainstorm the next big idea”. Camp hasn’t been short of ideas over his career in tech. He’s the co-founder of the web 2.0 recommendatio
Post a Comment
Read more

Drone crash near kids leads Swiss Post and Matternet to suspend autonomous deliveries

A serious crash by a delivery drone in Switzerland have grounded the fleet and put a partnership on ice. Within a stone’s throw of a school, the incident raised grim possibilities for the possibilities of catastrophic failure of payload-bearing autonomous aerial vehicles. The drones were operated by Matternet as part of a partnership with the Swiss Post (i.e. the postal service), which was using the craft to dispatch lab samples from one medical center for priority cases. As far as potential applications of drone delivery, it’s a home run — but twice now the craft have crashed, first with a soft landing and the second time a very hard one. The first incident, in January, was the result of a GPS hardware error; the drone entered a planned failback state and deployed its emergency parachute, falling slowly to the ground. Measures were taken to improve the GPS systems. The second failure in May, however, led to the drone attempting to deploy its parachute again, only to sever the line
Post a Comment
Read more

ProtonMail logged IP address of French activist after order by Swiss authorities

ProtonMail , a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism after a police report showed that French authorities managed to obtain the IP address of a French activist who was using the online service. The company has communicated widely about the incident, stating that it doesn’t log IP addresses by default and it only complies with local regulation — in that case Swiss law. While ProtonMail didn’t cooperate with French authorities, French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users. For the past year, a group of people have taken over a handful of commercial premises and apartments near Place Sainte Marthe in Paris. They want to fight against gentrification, real estate speculation, Airbnb and high-end restaurants. While it started as a local conflict, it quickly became a symbolic campaign. They attracted newspaper headlines when they started occupying prem
Post a Comment
Read more