February 4, 2020

Twitter Says State Actors Were Raiding a Valid API to Mine User’s Phone Numbers

"We identified accounts located in a wide range of countries engaging in these behaviors"

By CBR Staff Writer

Twitter has warned that a “large network of fake accounts”, possibly linked to state-sponsored actors, has been mining one of its APIs to pull users’ phone numbers.

“We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia”, Twitter said.

Strictly speaking, the abused API endpoint was doing exactly the job it was designed for, and Twitter noted that the disclosure was made from “an abundance of caution”.

When a Twitter user wants the platform to find the accounts of people already in their phonebook, they can enable the “Let people who have your phone number find you on Twitter” setting: the API call behind this contact-matching feature was being tapped heavily.

The incident took place on December 24, 2019, when it became clear that a large network of fake accounts was exploiting the API. Following its internal investigation, Twitter discovered that more account holders had been exposed through the same API endpoint, used in a manner the company describes as “beyond its intended use case.”

Twitter API and Data Protection Woes

The API raid came two months after Twitter admitted that it had ‘inadvertently’ used emails and phone numbers taken solely for 2FA purposes to create targeted ads.

Ilia Kolochenko, CEO of web security company ImmuniWeb told Computer Business Review in an emailed statement: “Security weaknesses affecting APIs are rapidly becoming one of the most critical aspects of modern application security.


“[But] the security vulnerability in question (this week’s exploit announcement) is comparatively riskless in light of a myriad of avenues to obtain someone’s phone number, including social engineering and OSINT methodologies.

He added: “Twitter’s claims about the involvement of ‘IPs of state-sponsored actors’ are a bit incomprehensible without further details. Today, it is virtually impossible to reliably attribute an attack, and I think nation-state actors have access to much more dangerous vulnerabilities affecting Twitter and its suppliers.”

Twitter said it has “immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint.”
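The abuse described above is bulk use of a legitimate lookup: many numbers pushed through one endpoint from a few IP addresses and many throwaway accounts. The following is an added example (not Twitter’s code) of how a defender might spot that pattern in endpoint access logs and cap it at the endpoint itself. The log lines, phone numbers, handles, endpoint class and thresholds are all constructed for illustration.

```python
from collections import Counter

# Constructed access log for a hypothetical contact-matching endpoint (not Twitter's):
# (unix_time, client_ip, account_id, numbers_submitted, numbers_matched)
LOG = [
    (0, "198.51.100.7", "acct-1", 40, 3),      # ordinary phonebook sync
    (5, "203.0.113.9", "acct-2", 500, 420),    # one IP, many throwaway accounts
    (6, "203.0.113.9", "acct-3", 500, 415),
    (7, "203.0.113.9", "acct-4", 500, 431),
    (8, "203.0.113.9", "acct-5", 500, 402),
    (40, "198.51.100.8", "acct-6", 300, 21),   # large but genuine phonebook
    (41, "192.0.2.11", "acct-7", 500, 480),    # one account hammering the endpoint
    (42, "192.0.2.11", "acct-7", 500, 470),
    (43, "192.0.2.11", "acct-7", 500, 466),
]

def enumeration_suspects(log, window=60, volume_max=1000, min_numbers=200, hit_rate_max=0.5):
    """Return (suspect_ips, suspect_accounts). A source is flagged when it submits
    more than volume_max numbers inside one fixed time window, or when an unusually
    large share of what it submits resolves to an account: a real phonebook matches
    only a small fraction of its entries, a generated or leaked number list most."""
    volume = Counter()                      # (kind, source, bucket) -> numbers submitted
    submitted, matched = Counter(), Counter()
    for t, ip, acct, n, hits in log:
        for kind, src in (("ip", ip), ("acct", acct)):
            volume[(kind, src, t // window)] += n
            submitted[(kind, src)] += n
            matched[(kind, src)] += hits
    flagged = {(k, s) for (k, s, _), v in volume.items() if v > volume_max}
    for key, n in submitted.items():
        if n >= min_numbers and matched[key] / n > hit_rate_max:
            flagged.add(key)
    ips = sorted(s for k, s in flagged if k == "ip")
    accts = sorted(s for k, s in flagged if k == "acct")
    return ips, accts

class ContactMatcher:
    """Hypothetical hardened endpoint: every account gets a fixed lifetime lookup
    budget, so no single login can pour an arbitrarily long number list through it."""
    def __init__(self, directory, budget_per_account):
        self.directory, self.budget = directory, budget_per_account
        self.used = Counter()               # account_id -> numbers already looked up
    def lookup(self, account, numbers):
        if self.used[account] + len(numbers) > self.budget:
            raise PermissionError("lookup budget exceeded for %s" % account)
        self.used[account] += len(numbers)
        return {n: self.directory[n] for n in numbers if n in self.directory}
```

Running `enumeration_suspects(LOG)` flags the two bulk-lookup IPs and the five accounts behind them while leaving the two genuine syncs alone; in production the same counters would be fed from the real access log and the budget from per-plan limits.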
