Twitter is investigating claims that a near-seven-month-old vulnerability in its software has been exploited to obtain the phone numbers and email addresses of a reported 5.4 million users.
A miscreant using the handle “devil” claims to have siphoned the details and is selling it all on a cyber-crime forum, according to RestorePrivacy, a digital privacy advocacy group that first reported the security breach. It’s said that the info belongs to celebrities, companies, ordinary netizens, and accounts with highly desirable usernames.
“We are reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question,” a Twitter spokesperson wrote in an email to The Register.
The statement also noted the exploited bug was reported through Twitter’s bug bounty program and fixed in January.
“We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability,” the spokesperson said. “As always, we’re committed to protecting the privacy and security of the people who use Twitter. We’re grateful to the security community who engages in our bug bounty program to help us identify potential vulnerabilities such as this.”
The Twitter spokesperson did not respond to The Register’s questions about whether the owners of the accounts in question have been notified, and what the company is doing to mitigate the issue.
A HackerOne user, zhirinovskiy, disclosed the privacy flaw, which lies in the authorization process in Twitter’s Android client, on New Year’s Day. Essentially, an oversight in the software’s design could be abused to harvest the email addresses and phone numbers registered with Twitter accounts, even if users had chosen not to reveal this info.
“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections),” zhirinovskiy wrote at the time.
“Such bases can be sold to malicious parties for advertising purposes, or for the purposes of [targeting] celebrities in different malicious activities,” the bug hunter added. “Also a cool feature that I [discovered] is that you can even find the id’s of suspended Twitter accounts using this method.”
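The report above describes a contact-lookup feature that reveals which account an email address or phone number belongs to even when the account owner has opted out of being found that way, which lets a caller enumerate accounts at scale. The following is an added example, not Twitter's code and not the bug hunter's: a constructed in-memory account store with a flawed lookup beside a hardened one that honours the owner's opt-in, hides suspended accounts and answers every non-disclosable case identically, plus a simple server-side check that flags clients probing many distinct identifiers. Account records, field names such as `discoverable_by_email`, and the log line format are all invented for the illustration.

```python
"""Contact-lookup enumeration flaw and its mitigation (constructed example).

This is illustration code, not Twitter's client or server code. The account
records, the 'discoverable_by_*' settings and the request log lines are made
up to show the vulnerability class described in the report: a lookup that
reveals which account an email/phone belongs to even when that account has
opted out of discovery.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    user_id: int
    username: str
    email: str
    phone: str
    discoverable_by_email: bool
    discoverable_by_phone: bool
    suspended: bool = False


# Constructed sample accounts (hypothetical values, not real users).
ACCOUNTS: List[Account] = [
    Account(1, "alice", "alice@example.com", "+15550000001", True, True),
    Account(2, "bob", "bob@example.com", "+15550000002", False, False),
    Account(3, "carol", "carol@example.com", "+15550000003", False, True, suspended=True),
]


def _find_by_contact(identifier: str) -> Optional[Account]:
    """Raw match on email or phone, with no regard for privacy settings."""
    for acct in ACCOUNTS:
        if identifier in (acct.email, acct.phone):
            return acct
    return None


def lookup_vulnerable(identifier: str) -> Optional[dict]:
    """Flawed variant: returns the account for ANY matching email/phone.

    It ignores the owner's discoverability setting and even exposes suspended
    accounts, so a caller can map contact details to accounts in bulk, which is
    the behaviour the bug report describes.
    """
    acct = _find_by_contact(identifier)
    if acct is None:
        return None
    return {"user_id": acct.user_id, "username": acct.username}


def lookup_hardened(identifier: str) -> Optional[dict]:
    """Fixed variant: honours the owner's opt-in and hides suspended accounts.

    'No such contact', 'opted out' and 'suspended' all yield the same None, so
    the response does not reveal whether the identifier is registered at all.
    """
    acct = _find_by_contact(identifier)
    if acct is None or acct.suspended:
        return None
    is_email = "@" in identifier
    allowed = acct.discoverable_by_email if is_email else acct.discoverable_by_phone
    if not allowed:
        return None
    return {"user_id": acct.user_id, "username": acct.username}


def flag_enumerators(log_lines: List[str], threshold: int) -> Dict[str, int]:
    """Server-side detection: count distinct identifiers looked up per client.

    Each constructed log line has the form
    '<timestamp> client=<id> lookup=<identifier>'. A client that probes more
    than `threshold` distinct identifiers is flagged; a genuine address-book
    sync queries one user's contacts, not a sweep of the identifier space.
    """
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        seen[fields["client"]].add(fields["lookup"])
    return {client: len(ids) for client, ids in seen.items() if len(ids) > threshold}


# Constructed request log: one ordinary client and one sweeping many numbers.
SAMPLE_LOG = [
    "2022-01-01T00:00:00Z client=app-1 lookup=alice@example.com",
    "2022-01-01T00:00:01Z client=app-1 lookup=+15550000002",
    "2022-01-01T00:00:02Z client=script-9 lookup=+15550000001",
    "2022-01-01T00:00:02Z client=script-9 lookup=+15550000002",
    "2022-01-01T00:00:02Z client=script-9 lookup=+15550000003",
    "2022-01-01T00:00:03Z client=script-9 lookup=+15550000004",
]

if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("bob@example.com"))   # leaks bob
    print("hardened:  ", lookup_hardened("bob@example.com"))     # None
    print("flagged:   ", flag_enumerators(SAMPLE_LOG, threshold=3))
```

The hardened lookup treats an opted-out account, a suspended account and an unknown identifier identically; any difference in response shape, timing or error text between those cases would reopen the enumeration channel, so in a real deployment the check belongs alongside per-client rate limits of the kind `flag_enumerators` approximates.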
Twitter paid zhirinovskiy a $5,040 bounty for the discovery, and fixed the vulnerability on January 13.
Last week, however, RestorePrivacy said it found the Twitter database for sale on Breached Forums, analyzed the samples, and confirmed that they matched “real-world people that can be easily verified with public profiles on Twitter.”
The organization also reached out to Devil, the seller, who wanted $30,000 for the information and blamed “Twitter’s incompetence” for the leak. ®
Speaking of Twitter, Elon Musk – the tech tycoon accused of trying to wriggle out of buying the website – has denied a Wall Street Journal report that he had an affair with Nicole Shanahan, the wife of Google co-founder and Musk’s friend Sergey Brin.
It’s claimed Musk met Shanahan at the end of last year while she was separated from but still living with Brin. The Google billionaire has since filed for divorce and derailed his friendship with the SpaceX supremo, apparently.
“This is total BS,” Musk tweeted on Sunday. “Sergey and I are friends and were at a party together last night!
“I’ve only seen Nicole twice in three years, both times with many other people around. Nothing romantic.”