Pierluigi Paganini
November 26, 2022
At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform.
The threat actor offered for sale the stolen data on the popular hacking forum Breached Forums. In January, a report published on Hacker claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options.
The seller claimed that the database was containing data (i.e. emails, phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of data in the form of a csv file.
“The vulnerability allows any party without any authentication to obtain a twitter ID(which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibitted this action in the privacy settings. The bug exists due to the proccess of authorization used in the Android Client of Twitter, specifically in the procces of checking the duplication of a Twitter account.” ” reads the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne. “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavaliable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of tageting celebrities in different malicious activities”
In August, Twitter confirmed that the data breach was caused by the now-patched zero-day flaw submitted by the researchers zhirinovskiy via bug bounty platform HackerOne and that he received a $5,040 bounty.
“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.” reads the Twitter’s advisory. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social media firm.
“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”
This week, the website 9to5mac.com claimed that the data breach was worse than initially reported by the company. The website reports that multiple threat actors exploited the same flaw and the data available in the cyberscrime underground have differed sources.
“A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. We’ve been shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources.” reads the post published by 9to5mac.com
9to5Mac‘s claims are based on the availability of the dataset that contained the same information in a different format offered by a different threat actor. The source told the website that the database was “just one of a number of files they have seen.” It seems that the impacted accounts are only those having the “Discoverability | Phone option (which is hard to find within Twitter’s settings)” enabled in late 2021.
The archive seen by 9to5Mac includes data belonging to Twitter users in the UK, almost every EU country, and parts of the US.
“I have obtained multiple files, one per phone number country code, containing the phone number <-> Twitter account name pairing for entire country’s telephone number space from +XX 0000 to +XX 9999.” the source told 9to5Mac. “Any twitter account which had the Discoverability | Phone option enabled in late 2021 was listed in the dataset.”
The experts speculate that multiple threat actors had access to the Twitter database and combined it with data from other security breaches.
The security researcher behind the account @chadloder (Twitter after the disclosure of the news) told 9to5Mac that the “email-twitter pairings were derived by running existing large databases of 100M+ email addresses through this Twitter discoverability vulnerability.”
The researcher told the website that they would reach out to Twitter for comment, but the entire media relations team left the company.
UPDATE:
Update: After discussing with my colleague @sonoclaudio, we noticed that the post on the popular breach forum reports that 1.4 accounts were suspended. Now the question is, why months after the accounts were suspended, the data were still present in the database? Which is the retention period for Twitter? Does Twitter violate the GDPR for European users?
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Twitter)
[adrotate banner=”5″]
[adrotate banner=”13″]
