A Twitter app bug was used to match 17 million phone numbers to user accounts

INSUBCONTINENT EXCLUSIVE:
A security researcher said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter Android
app. Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter contacts upload feature
&If you upload your phone number, it fetches user data in return,& he told TechCrunch. He said Twitter contact upload feature doesn&t accept
lists of phone numbers in sequential format — likely as a way to prevent this kind of matching
Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter
through the Android app
(Balic said the bug did not exist in the web-based upload feature.) Over a two-month period, Balic said he matched records from users in
Israel, Turkey, Iran, Greece, Armenia, France and Germany, he said, but stopped after Twitter blocked the effort on December 20. Balic
provided TechCrunch with a sample of the phone numbers he matched
Using the site password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that
were provided. In one case, TechCrunch was able to identify a senior Israeli politician using their matched phone number. While he did not
alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users — including politicians and officials
— to a WhatsApp group in an effort to warn users directly. It not believed Balic efforts are related to a Twitter blog post published this
week, which confirmed a bug could have allowed &a bad actor to see nonpublic account information or to control your account,& such as
tweets, direct messages and location information. A Twitter spokesperson told TechCrunch the company was working to &ensure this bug cannot
be exploited again.& &Upon learning of this bug, we suspended the accounts used to inappropriately access people personal information
Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam
and abuse originating from use of Twitter APIs,& the spokesperson said. It the latest security lapse involving Twitter data in the past year
In May, Twitter admitted it gave account location data to one of its partners, even if the user had opted-out of having their data shared
In August, the company said it inadvertently gave its ad partners more data than it should have
And just last month, Twitter confirmed it used phone numbers provided by users for two-factor authentication for serving targeted ads. Balic
is previously known for identifying a security flaw breach that affected Apple developer center in 2013. Hackers are spreading Islamic
State propaganda by hijacking dormant Twitter accounts