Twitter discloses API vulnerability that allowed snoops to tie phone numbers to accounts
Twitter says it has beefed up security after a “large network of fake accounts” was able to match phone numbers to Twitter accounts using a vulnerability in the platform’s application programming interface.
The vulnerability in Twitter’s application programming interface (API), the set of endpoints through which applications exchange data with the service, allowed someone to upload a slew of phone numbers and correlate them with user accounts.
In a statement Monday, Twitter said it became aware of the issue on Dec. 24, the day that news site TechCrunch reported on how a security researcher had matched 17 million phone numbers by exploiting Twitter’s API.
After investigating the issue, Twitter said it found other accounts that were exploiting the API endpoint. Accounts in several countries were abusing the API, but there was a particularly high volume of abuse coming from IP addresses in Iran, Israel, and Malaysia, the social media giant said.
Twitter has suspended the offending accounts and made “a number of changes to the endpoint” to fix the issue, the company said.
Only users who enabled a feature to allow others to find them on Twitter via their phone number were exposed to the issue.
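To make the mechanism concrete, here is an added example that is not Twitter's code (the directory, policy limits and phone numbers are all constructed): a toy contact-matching endpoint in the weak form the article describes, beside a hardened version that honours the opt-in flag, caps batch size and per-client daily volume, and flags source IPs whose lookup volume looks like enumeration.

```python
from collections import defaultdict

# Constructed sample directory: phone number -> (handle, discoverable-by-phone setting)
DIRECTORY = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", False),   # bob never opted in to phone discovery
    "+15550000003": ("carol", True),
}

MAX_BATCH = 100          # assumed policy: numbers accepted per request
DAILY_QUOTA = 1000       # assumed policy: numbers one client may look up per day
ABUSE_THRESHOLD = 5000   # assumed policy: lookups per source IP that warrant review


def match_weak(numbers):
    """Weak endpoint: no batch cap, no quota, and a handle for every number
    in the directory, regardless of whether the user opted in."""
    return {n: DIRECTORY[n][0] for n in numbers if n in DIRECTORY}


class ContactMatcher:
    """Hardened endpoint: honours the opt-in flag and bounds lookup volume."""

    def __init__(self, directory=DIRECTORY):
        self.directory = directory
        self.usage = defaultdict(int)   # client_id -> numbers looked up today
        self.by_ip = defaultdict(int)   # source ip  -> numbers looked up today

    def within_quota(self, client_id, count):
        return self.usage[client_id] + count <= DAILY_QUOTA

    def match(self, client_id, source_ip, numbers):
        if len(numbers) > MAX_BATCH:
            raise ValueError("batch exceeds MAX_BATCH")
        if not self.within_quota(client_id, len(numbers)):
            raise PermissionError("daily lookup quota exceeded")
        self.usage[client_id] += len(numbers)
        self.by_ip[source_ip] += len(numbers)
        result = {}
        for n in numbers:
            entry = self.directory.get(n)
            if entry and entry[1]:          # only users who opted in are matchable
                result[n] = entry[0]
        return result

    def suspicious_ips(self, threshold=ABUSE_THRESHOLD):
        """Detection: source IPs whose lookup volume reaches the threshold."""
        return sorted(ip for ip, count in self.by_ip.items() if count >= threshold)
```

The weak form resolves every stored number, including bob's, while the hardened form returns only opted-in users and leaves a per-IP volume trail that can be reviewed.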
This is not the first high-profile API vulnerability that Twitter has had to address. In September 2018, Twitter disclosed that its account activity API had inadvertently leaked sensitive data to other developers.