Twitter: State actors may have used API flaw to access users’ phone numbers (Updated)

(Reuters) — Twitter said on Monday that it had discovered attempts by possible state actors to access the phone numbers associated with user accounts, after a security researcher uncovered a flaw in the company’s “contacts upload” feature.

In a statement published on its privacy blog, Twitter said it had identified a “high volume of requests” to use the feature coming from IP addresses in Iran, Israel, and Malaysia. It said, without elaborating, that “some of these IP addresses may have ties to state-sponsored actors.”

A company spokesperson declined to say how many user phone numbers had been exposed, saying Twitter was unable to identify all of the accounts that may have been affected.

She said Twitter suspected a possible connection to state-backed actors because the attackers in Iran appeared to have had unrestricted access to Twitter, even though the network is banned there.

Tech publication TechCrunch reported on December 24 that a security researcher, Ibrahim Balic, had managed to match 17 million phone numbers to specific Twitter user accounts by exploiting a flaw in the contacts feature of its Android app. TechCrunch said it was able to identify a senior Israeli politician by matching a phone number through the tool.

The feature, which allows people who have a user’s phone number to find and connect with that user on Twitter, is off by default for users in the European Union, where stringent privacy rules are in place. It is switched on by default for all other users globally, the spokesperson said.

Twitter said in its statement that it has changed the feature so it no longer reveals specific account names in response to requests. It has also suspended any accounts believed to have been abusing the tool.

However, the company is not sending individual notifications to users whose phone numbers were accessed in the data leak, which information security experts consider a best practice.

Update at 2:20 p.m. Pacific: The headline has been updated to reflect that this was not a flaw in Twitter for Android but rather a vulnerability in the API. It was not a client-specific bug.
