Twitter API Abused to Uncover User Identities

State-sponsored actors may have been behind the social media abuse, said Twitter.

Twitter said that malicious actors, with potential ties to state-sponsored groups, were abusing a legitimate function on its platform to unmask the identity of users.

The social media giant said that on Dec. 24, 2019, it discovered a large network of fake accounts abusing a legitimate API (application programming interface) function on its platform that, when used as intended, allows accounts to find Twitter users that they may already know by matching phone numbers to their Twitter account names.

The bad actors were using this legitimate feature to uncover Twitter users – opening concerns that they could have potentially obtained the true identities of human rights activists or dissidents who go under pseudonyms on Twitter.

Twitter, which has a user base of more than 68 million, said that the fake accounts were detected in a wide range of countries. However, a particularly high volume of requests were coming from individual IP addresses located within Iran, Israel, and Malaysia.

“It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle,” said Twitter in a Monday statement. “We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it’s important that you are aware of what happened, and how we fixed it.”

The API only matches users’ phone numbers and names if they have enabled the “Let people who have your phone number find you on Twitter” option. People who did not have this option enabled were not affected, said Twitter.

Twitter API bug abuse

Twitter’s “Let people who have your phone number find you on Twitter” option

However, “After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries,” said Twitter.  “Additionally, we suspended any account we believe to have been exploiting this endpoint.”

Threatpost has reached out to Twitter for more information on how it has improved the privacy of “Let people who have your phone number find you on Twitter” option. Threatpost has also inquired whether affected Twitter users are being notified.

In December, security researcher Ibrahim Balic told TechCrunch that he was able to match 17 million phone numbers to Twitter user accounts by abusing a flaw in Twitter’s Android app. Twitter reportedly became aware of the separate exploitation efforts after the researcher made his findings known.

It’s not the first time that Twitter’s platform has been targeted by governments to dig up users’ identities. In November, the Department of Justice (DoJ) charged two former Twitter employees of working with the government of Saudi Arabia to snoop on political dissidents’ accounts. Other platforms, such as WhatsApp, have reportedly also been targeted by state-sponsored actors to spy on or identify human rights activists.

It’s also only the latest Twitter privacy issue to come to light. In December, Twitter for Android users were urged to update their app to avoid a security bug that allows a malicious user to access private account data and could also allow an attacker to take control of accounts to send tweets and direct messages. The social media platform also warned in October that old Twitter API still used by popular iOS mobile apps that could be abused as part of a man-in-the-middle attack.

Suggested articles