Twitter has warned that a “large network of fake accounts” possibly linked to state-sponsored actors have been mining one of its APIs to pull user’s phone numbers.
“We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia”, Twitter said.
Strictly speaking, the API endpoint being abused is actually just doing its job and Twitter noted that the disclosure is from “an abundance of caution”.
When a Twitter user wants the platform to find accounts attached to people that are already contained in their phonebook they can enable the “Let people who have your phone number find you on Twitter” function: this API call was being tapped heavily.
The incident took place on December 24, 2019, when it was clear that a large network of fake accounts was exploiting the API. Following its internal investigation they discovered that more account holders have been exposed using the same API endpoint in a manner the company describes as “beyond its intended use case.”
Twitter API and Data Protection Woes
The API raid came two months after Twitter admitted that it had ‘inadvertently’ used emails and phone numbers taken solely for 2FA purposes to create targeted ads.
Ilia Kolochenko, CEO of web security company ImmuniWeb told Computer Business Review in an emailed statement: “Security weaknesses affecting APIs are rapidly becoming one of the most critical aspects of modern application security.
“[But] the security vulnerability in question (this weeks exploit announcement) is comparatively riskless in light of a myriad of avenues to obtain someone’s phone number, including social engineering and OSINT methodologies.
He added: “Twitter’s claims about the involvement of ‘IPs of state-sponsored actors’ are a bit incomprehensible without further details. Today, it is virtually impossible to reliably attribute an attack, and I think nation-state actors have access to much more dangerous vulnerabilities affecting Twitter and its suppliers.”
Twitter said it has “immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint.”