Skip to main content

A Twitter bug could use your phone number to expose personal information

Don’t upload your contacts to Twitter. If you do, or if you already have on your Android device, your phone number could be one of 17 million exposed on the app, a bug first reported by TechCrunch.

Security researcher Ibrahim Balic, who is based in London, told the site he was able to match records in seven different countries, including one of a senior Israeli politician and several other high-profile users. He did this when he discovered that when one uploads one’s contacts, the app would “fetch user data in return,” he told TechCrunch. It was then possible to match the phone numbers uploaded into the app with the Twitter records and figure out account usernames.

Twitter had previously reported a security flaw in its Android app on December 20 that, it said in a statement at the time, “could allow a bad actor to see nonpublic account information or to control your account (i.e., send Tweets or Direct Messages).”

But the flaw that Twitter reported appeared to depend on the insertion of malicious code. This new flaw that Balic reported involves no malicious code; it simply involves knowing someone’s phone number and being able to figure out their Twitter persona from that information alone.

This is the latest in a serious of bugs or hacking attacks that has plagued Twitter and other social networks, including Facebook. In November, both apps said the date of “hundreds of users” was comprised through faulty Android apps. Emails, usernames, and recent tweets were all exposed. In both this recent case and the one in November, Twitter said at the time that it had no evidence that anyone’s account was actually hacked or exploited, although it did admit there were two bad actors involved who were paying developers to use malicious software development kits.

Twitter has suffered a few huge leaks in the past several years, including one in 2016 that exposed the login credentials of 32.8 million users, and another in 2018 wherein Twitter urged 330 million users to change their passwords after they were exposed on the company’s internal network.

Editors' Recommendations