Twitter says it has fixed a security vulnerability exploited by threat actors to obtain account data of approximately 5.4 million users, which was then put up for sale on a known hacking forum.
The vulnerability allowed an unauthenticated party to enter a phone number or email address into the log-in flow in an attempt to learn whether that identifier was tied to an existing Twitter account and, if so, which specific account.
“In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any. When we learned about this, we immediately investigated and fixed it,” Twitter disclosed in a security advisory.
The flaw was reported in January 2022 by security researcher Zhirinovsky, who was awarded $5,000 for disclosing the vulnerability.
“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” read the report.
“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”
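To make the mechanism described above concrete, the following is an added example (not Twitter's code, and not the researcher's proof of concept): a toy account store with a duplicate-check lookup in the vulnerable shape the report describes (identifier in, user ID out, privacy setting ignored), a hardened version that returns the same response whether or not the identifier is registered and honours the owner's discoverability setting, and a small detector that scans a constructed request log for the scripted enumeration the researcher warns about. All account data, log lines, endpoint paths and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Account:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = True
    discoverable_by_phone: bool = True


# Constructed sample accounts (assumption: not real users).
ACCOUNTS = [
    Account(1001, "alice", "alice@example.com", "+15550000001", True, True),
    Account(1002, "bob_hidden", "bob@example.com", "+15550000002", False, False),
]
BY_EMAIL = {a.email: a for a in ACCOUNTS}
BY_PHONE = {a.phone: a for a in ACCOUNTS}


def lookup(identifier: str) -> Optional[Account]:
    return BY_EMAIL.get(identifier) or BY_PHONE.get(identifier)


def vulnerable_duplicate_check(identifier: str) -> dict:
    """Shape of the reported bug: an unauthenticated 'is this taken?' check that
    answers with the bound user ID and never consults the discoverability flags."""
    acct = lookup(identifier)
    if acct is None:
        return {"taken": False}
    return {"taken": True, "user_id": acct.user_id}


def hardened_duplicate_check(identifier: str, outbox: List[Tuple[str, str]]) -> dict:
    """Same response body whether or not the identifier is registered, so the caller
    learns nothing. The real outcome is delivered out-of-band to the address or
    number itself (modelled here by appending to `outbox`), so only its owner sees it."""
    acct = lookup(identifier)
    if acct is None:
        outbox.append((identifier, "Your sign-up code is 123456"))  # constructed placeholder
    else:
        outbox.append((identifier, "An account already exists for this contact; use password reset."))
    return {"status": "verification_sent"}


def discover_contact(identifier: str) -> Optional[str]:
    """Contact-style lookup that respects the owner's privacy settings. A hidden
    account answers exactly like an unregistered identifier, so the setting
    cannot be bypassed to confirm existence."""
    acct = lookup(identifier)
    if acct is None:
        return None
    if identifier == acct.email and acct.discoverable_by_email:
        return acct.handle
    if identifier == acct.phone and acct.discoverable_by_phone:
        return acct.handle
    return None


# Constructed access-log format (assumption): "<unix_ts> <src_ip> POST /signup/check identifier=<id>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) POST /signup/check identifier=(?P<ident>\S+)$")

SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 203.0.113.5 POST /signup/check identifier=user{i}@example.com" for i in range(8)]
    + ["1003 198.51.100.7 POST /signup/check identifier=alice@example.com",
       "1004 198.51.100.7 POST /signup/check identifier=+15550000002"]
    + [f"{1005 + i} 192.0.2.9 POST /signup/check identifier=retry@example.com" for i in range(3)]
)


def flag_enumeration(log_text: str, window: int = 60, threshold: int = 5) -> List[str]:
    """Return source IPs that probed more than `threshold` distinct identifiers
    within any `window`-second span. Retries of one identifier do not count."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events[m["ip"]].append((int(m["ts"]), m["ident"]))
    flagged = set()
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            distinct = {ident for t, ident in evs[i:] if t - t0 <= window}
            if len(distinct) > threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(vulnerable_duplicate_check("bob@example.com"))   # leaks bob_hidden's user_id
    box: List[Tuple[str, str]] = []
    print(hardened_duplicate_check("bob@example.com", box), hardened_duplicate_check("nobody@example.com", box))
    print(discover_contact("alice@example.com"), discover_contact("bob@example.com"))
    print(flag_enumeration(SAMPLE_LOG))
```

The hardened check is the important design point: a duplicate or availability check that distinguishes "registered" from "not registered" in its response is an enumeration oracle regardless of rate limits, so the decision has to be moved to a channel only the owner of the contact detail can read. The detector is a backstop, not a fix; it catches the bulk scripting the researcher describes but would not have prevented a slow, distributed crawl.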
According to Twitter, the bug was introduced by a code update in June 2021 and was fixed in January 2022, immediately after the bug bounty report. At that time, the company had no evidence that anyone had taken advantage of the vulnerability.
The patch came too late, however: a threat actor had already exploited the vulnerability in the window between the June 2021 code change and the January 2022 fix to build a database linking email addresses and phone numbers to 5.4 million Twitter accounts.
The microblogging platform said it learned through a press report in July 2022 that someone had potentially exploited the bug and was offering to sell the compiled data, covering accounts ranging “from celebrities to companies”, for $30,000.
“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. “We will be directly notifying the account owners we can confirm were affected by this issue.”
For those using a pseudonymous Twitter account, the company recommends keeping their identity as veiled as possible by not adding a publicly known phone number or email address to the account.
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” warned the Twitter advisory.
The microblogging platform has also encouraged everyone who uses Twitter to enable two-factor authentication using authentication apps or hardware security keys to protect their account from unauthorized logins.
Twitter said it could not determine exactly how many Twitter users were impacted by the breach and emphasized that no passwords were exposed.
“We can confirm the impact was global,” a Twitter spokesperson said via email. “We cannot determine exactly how many accounts were impacted or the location of the account holders.”