Culture

Bug in Twitter app let outside party match millions of users' phone numbers to their accounts

17M

Number of phone numbers matched to Twitter users' accounts in latest bug.

TechCrunch

NurPhoto/NurPhoto/Getty Images

Update: This post has been updated to include a comment from Twitter.

A security researcher has revealed a worrying flaw in Twitter’s Android app that allowed him to match 17 million phone numbers to individual accounts over the span of two months, TechCrunch reports.

According to Ibrahim Balic, who has previously exposed major flaws on other platforms, the bug applied only to the app and made it possible for him to upload a randomized set of phone numbers and glean specific user data in return. He didn't report the issue to Twitter but instead says he reached out to affected users directly.

In a statement to Input, a Twitter spokesperson confirmed that the company is aware of the vulnerability and is working on a fix.

"We take these reports seriously and are actively investigating to ensure this bug can't be exploited again," a Twitter spokesperson told Input. "When we learned about this bug, we suspended the accounts used to inappropriately access people’s personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from the use of Twitter’s APIs."

Seriously, Twitter? — While it wasn’t successful 100 percent of the time — Balic says he started out by generating two billion phone numbers — the bug still let him match 17 million phone numbers to Twitter accounts based out of Israel, Turkey, Iran, Greece, Armenia, France, and Germany. Twitter reportedly put an end to his activity on Dec. 20, two months after it began.

TechCrunch says it was able to verify the method based on a sample of numbers provided by Balic and even identify a senior Israeli politician in doing this.

Twitter disclosed a separate Android bug last week when it said it “may have been possible for a bad actor to access information (e.g., Direct Messages, protected Tweets, location information) from the app.” Not a good look for an app already plagued with abuse.