Twitter has revealed that it discovered and suspended accounts abusing a feature that let users match phone numbers to usernames. By announcing the privacy issue, the company is also confirming the flaw that security researcher Ibrahim Balic reported in December 2019. Balic found that Twitter's Android app had a vulnerability that allowed him to match 17 million phone numbers with their respective accounts. While users can look up contacts by phone number on the platform, Twitter says matching a massive volume of numbers to accounts goes "beyond [the feature's] intended use case."
We recently discovered an issue that allowed bad actors to match a specific phone number with the corresponding accounts on Twitter. We quickly corrected this issue and are sorry this happened. You can learn more about our investigation here: https://t.co/Z6Q4geQ8jo
— Twitter Support (@TwitterSupport) February 3, 2020
The company says that after suspending the first set of fake accounts exploiting the flaw (presumably Balic's; he created hundreds of sock puppet accounts for his investigation) it found more. Those additional accounts came from a wide range of countries, but based on the IP addresses Twitter traced, most were in Iran, Israel and Malaysia.
“It is possible that some of these IP addresses may have ties to state-sponsored actors,” its announcement reads. “We are disclosing this out of an abundance of caution and as a matter of principle.”
Although the flaw allowed bad actors to look up millions of phone numbers belonging to people they didn't know, users who did not have the "Let people who have your phone number find you on Twitter" setting enabled were not affected. Twitter says it has suspended all the offending accounts it found and modified its API to prevent bad actors from exploiting the number-matching feature going forward.
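The article names the two controls that matter here: the per-user discoverability setting, and an API change that stops bulk matching. The simulation below is an added illustration and is not Twitter's code or a description of its actual API change; the service class, the batch and lookup budgets, the sock-puppet rotation and the sample accounts are all constructed for this example. It shows why a single per-account budget is not enough (Balic's hundreds of sock puppets would simply rotate through it) and why a budget keyed on the source address as well, which is what Twitter's IP tracing hints at, makes the enumeration stall.

```python
"""Toy contact-matching endpoint with the abuse pattern run against it.

Illustrative only. Hypothetical service; not Twitter's code or its real API.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Account:
    username: str
    phone: str                   # stored in E.164 form, e.g. "+15550000012"
    discoverable_by_phone: bool  # "Let people who have your phone number find you on Twitter"


def normalize_phone(raw: str) -> str:
    """Strip formatting so "+1 (555) 000-0012" and "+15550000012" compare equal."""
    return "+" + re.sub(r"\D", "", raw)


class BudgetExceeded(Exception):
    """Raised when a caller or a source address has used up its lookup budget."""


class ContactMatchService:
    """Hypothetical contact-upload endpoint (constructed for this example).

    Controls:
      * only accounts whose owner opted in to phone discovery are ever returned;
      * each upload is capped at max_batch numbers;
      * each caller account AND each source IP has a lookup budget, so walking a
        large number range needs many accounts and many addresses, not just many accounts.
    """

    def __init__(self, accounts, max_batch=100, per_account_budget=500, per_ip_budget=2000):
        self._by_phone = {normalize_phone(a.phone): a for a in accounts}
        self.max_batch = max_batch
        self.per_account_budget = per_account_budget
        self.per_ip_budget = per_ip_budget
        self._account_used = defaultdict(int)
        self._ip_used = defaultdict(int)

    def match(self, caller: str, source_ip: str, phones):
        """Return {uploaded number: username} for discoverable accounts only."""
        if len(phones) > self.max_batch:
            raise ValueError(f"batch of {len(phones)} exceeds max_batch={self.max_batch}")
        if self._account_used[caller] + len(phones) > self.per_account_budget:
            raise BudgetExceeded(f"account {caller} exhausted its lookup budget")
        if self._ip_used[source_ip] + len(phones) > self.per_ip_budget:
            raise BudgetExceeded(f"source {source_ip} exhausted its lookup budget")
        self._account_used[caller] += len(phones)
        self._ip_used[source_ip] += len(phones)
        found = {}
        for raw in phones:
            acct = self._by_phone.get(normalize_phone(raw))
            if acct is not None and acct.discoverable_by_phone:  # opted-out users never match
                found[raw] = acct.username
        return found


def enumerate_range(service, prefix, start, count, sock_puppets, source_ip):
    """Simulate the abuse: walk a numeric range in max-size batches from one
    address, switching to the next sock-puppet account whenever the current one
    is refused. Returns (numbers recovered, lookups that were refused)."""
    numbers = [f"{prefix}{n:04d}" for n in range(start, start + count)]
    recovered, refused, puppet = {}, 0, 0
    for i in range(0, len(numbers), service.max_batch):
        batch = numbers[i:i + service.max_batch]
        while True:
            if puppet >= len(sock_puppets):   # no accounts left to rotate to
                refused += len(batch)
                break
            try:
                recovered.update(service.match(sock_puppets[puppet], source_ip, batch))
                break
            except BudgetExceeded:
                puppet += 1                   # burn this puppet, try the next
    return recovered, refused


# Constructed sample data: four accounts, one of which opted out of phone discovery.
SAMPLE_ACCOUNTS = [
    Account("alice", "+15550000012", True),
    Account("bob",   "+15550000345", False),   # opted out: must never be returned
    Account("carol", "+15550001500", True),
    Account("dave",  "+15550000777", True),
]


if __name__ == "__main__":
    svc = ContactMatchService(SAMPLE_ACCOUNTS, max_batch=100,
                              per_account_budget=500, per_ip_budget=1200)
    got, refused = enumerate_range(svc, "+1555000", 0, 2000,
                                   ["puppet0", "puppet1", "puppet2", "puppet3"], "203.0.113.9")
    print("recovered:", got)        # alice and dave only; carol lies past the IP budget
    print("lookups refused:", refused)
```

With a single address, the per-IP budget is what ends the run: once it is spent, rotating to fresh sock puppets no longer helps, and the remaining batches are refused. Bob, who left the discoverability setting off, is never returned even when his number is uploaded, which is the behaviour the article describes for users who did not have the setting enabled.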