Twitter admits ‘bad actors’ exploited phone number matching feature



Twitter has revealed that it has discovered and suspended accounts abusing a feature that allowed users to match phone numbers with usernames. By announcing the privacy issue, it’s also confirming the flaw discovered by security researcher Ibrahim Balic in 2019. Balic found that Twitter’s Android app had a vulnerability that allowed him to match 17 million phone numbers with their respective accounts. While you can look up contacts using their phone numbers on the platform, Twitter says matching a massive amount of numbers with accounts goes “beyond [the feature’s] intended use case.”

The company says that after suspending the first set of fake accounts exploiting the flaw — presumably Balic’s, who created sock puppet accounts for his investigation — it found more. Those additional accounts were located in a wide range of countries, but most of them were from Iran, Israel and Malaysia, based on the IP addresses Twitter traced.

“It is possible that some of these IP addresses may have ties to state-sponsored actors,” its announcement reads. “We are disclosing this out of an abundance of caution and as a matter of principle.”

Although the flaw allowed bad actors to look up millions of phone numbers of people they don’t know, users who don’t have the “Let people who have your phone number find you on Twitter” setting enabled weren’t affected. Further, Twitter suspended all the offending accounts it found and modified its API to prevent bad actors from exploiting the number matching feature going forward.
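As an added defender-side illustration (not Twitter’s code; the cap values, the directory entries and the source addresses are constructed assumptions), here is a contact-matching endpoint that honours the “find me by phone number” opt-in and limits distinct lookups per account and per source address, so that bulk matching split across sock puppet accounts from one source is still caught:

```python
from collections import defaultdict
from typing import Dict, Iterable, Set

# Constructed sample directory: E.164 phone number -> (username, opted in to
# "Let people who have your phone number find you on Twitter").
DIRECTORY = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", False),   # opted out: must never be returned
    "+15550000003": ("carol", True),
}


class ContactMatcher:
    """Hypothetical server-side guard for a phone-to-username lookup endpoint."""

    def __init__(self, max_batch=50, per_account_cap=500, per_source_cap=2000):
        self.max_batch = max_batch              # numbers accepted in one request
        self.per_account_cap = per_account_cap  # distinct numbers per account per window
        self.per_source_cap = per_source_cap    # distinct numbers per source IP per window
        self.by_account: Dict[str, Set[str]] = defaultdict(set)
        self.by_source: Dict[str, Set[str]] = defaultdict(set)
        self.flagged: Set[str] = set()          # accounts to suspend / review

    def match(self, account: str, source_ip: str, numbers: Iterable[str]) -> Dict[str, str]:
        numbers = set(numbers)
        if len(numbers) > self.max_batch:
            raise ValueError("batch exceeds max_batch")
        self.by_account[account] |= numbers
        self.by_source[source_ip] |= numbers
        # Per-account caps alone are defeated by spreading lookups over many
        # fake accounts; aggregating by source address closes that gap.
        if (len(self.by_account[account]) > self.per_account_cap
                or len(self.by_source[source_ip]) > self.per_source_cap):
            self.flagged.add(account)
            return {}
        # Only users who opted in to phone-number discovery are ever matched.
        return {n: DIRECTORY[n][0] for n in numbers
                if n in DIRECTORY and DIRECTORY[n][1]}
```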
