Matti Robinson
8 Aug 2022 13:22
Twitter released a statement on Friday confirming that a vulnerability they had patched earlier this year was, in fact, used in a malicious attack to collect user data.
The company was forced to come clean after media reports about hacked account details surfaced on the web. According to Twitter, the company became aware of the problem in January 2022 via the company's bug bounty program. The bug had been in the code since June 2022 and was quickly fixed.
Now, the actual vulnerability and the exploit of it has to do with a form that provides the Twitter ID associated with the submitted phone number or email address. This shouldn't be publicly available, and according to a HackerOne report to Twitter, this happened even when the user had explicitly prohibited this action in the Twitter privacy settings.
This was abused to create lists consisting of Twitter IDs, phone numbers, and email addresses.
Last month Restore Privacy reported that over 5 million Twitter accounts were exposed by a hacker that was selling the database with Twitter IDs, phone numbers, and email addresses. For $30,000, the hacker by the name of "devil" claimed, you could receive information about "Celebrities, Companies, randoms, OGs, etc."
Twitter contends that there were no signs of abuse at the time of learning about the vulnerability in January 2022. While this might be possible, it seems odd that they couldn't detect any wrongdoing with an attack that likely just included a brute force-like guessing of email addresses and phone numbers, and managing to score 5.4 million account details.
Twitter has confirmed that the hacker's leaked data was retrieved using the vulnerability in question.
However, fortunately, the issue did not expose passwords and other more private information, but Twitter acknowledges that even email addresses and phone numbers attached to Twitter IDs are a grave violation of privacy. The company apologizes especially to the people that use pseudonyms, often for a very good reason, and might have been included in the more than 5 million accounts leaked.
Lastly, the company notes that if you are worried about the privacy of your phone number and email address, you might want to not add publicly known phone numbers or email addresses to the account. Furthermore, even though the hack didn't expose passwords or give access to the account itself, Twitter reminds us that having two-factor authentication enabled is good security practice.