Twitter has been forced to take action after discovering that malicious actors were abusing an API endpoint to unmask users on the site: by submitting phone numbers in bulk, they could learn which accounts those numbers belonged to.
The social network discovered the issue on Christmas Eve (December 24, 2019) after detecting a user employing a large network of fake accounts to exploit an API that matches submitted phone numbers to usernames. The endpoint exists so that new users can upload their contacts and find people they may already know on the site. A match is only returned for accounts that have a phone number attached and whose owners have enabled the "let people who have your phone number find you on Twitter" setting; the abuse lay in feeding the endpoint very large volumes of numbers, spread across many accounts, rather than a genuine address book.
"During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case," Twitter said in its disclosure.
“While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”
Because the endpoint accepts a phone number and returns the matching account, it could therefore have helped nation-state intelligence services tie the pseudonymous accounts of rights activists and others to real phone numbers. It would also have been useful to cyber-criminals gathering intelligence on high-value individuals, since a confirmed phone number is the starting point for a SIM swap attack.
Fortunately, the social site has now mitigated the issue.
“After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint,” it confirmed.