A security vulnerability on Twitter, since fixed, exposed 54 lakh (5.4 million) user accounts, which were later listed for sale on the dark web.
According to security researchers, attackers used the vulnerability by submitting an email address or phone number to find the existing Twitter account associated with it.
Using this vulnerability, an attacker could find a Twitter account by its phone number or email address even if the user had disabled this in the privacy options.
Vulnerability Description
The vulnerability allowed any party, without authentication, to obtain the Twitter ID (which is almost equivalent to obtaining the username) of any user by submitting a phone number or email address, even when the user had disabled this in the privacy settings. The bug existed in the authorisation process used by Twitter's Android client, specifically in the check for duplicate Twitter accounts.
Impact on Private Information
This is a serious threat: not only can anyone find users who have disabled discoverability by email or phone number, but any attacker with basic scripting knowledge can enumerate a large portion of the Twitter user base that was previously not enumerable, building a database that maps phone numbers and email addresses to usernames. Such databases can be sold to malicious parties for advertising, or used to target celebrities in other malicious activities. In short, this can lead to a loss of privacy for many users.
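As an added illustration (this is not Twitter's code; the account records, function names and the lookup budget are constructed for the example), the following Python contrasts a duplicate-account check that returns the owning account regardless of privacy settings with a hardened version that answers uniformly on signup, honours the discoverability setting on contact lookup, and caps lookups per caller so that even opted-in accounts cannot be harvested in bulk:

```python
"""Constructed example: a leaky email/phone duplicate check versus a hardened one."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    user_id: int
    username: str
    email: str
    phone: str
    discoverable_by_email: bool  # privacy setting: "let people find me by email"
    discoverable_by_phone: bool  # privacy setting: "let people find me by phone"


# Constructed sample directory; every value here is made up for the example.
ACCOUNTS = [
    Account(1001, "alice", "alice@example.com", "+15550000001", True, True),
    Account(1002, "bob", "bob@example.com", "+15550000002", False, False),
]

NOTIFICATIONS = []  # records which owners would be notified out of band


def _lookup(identifier: str) -> Optional[Account]:
    """Internal directory lookup by email or phone (the store the client queries)."""
    for acct in ACCOUNTS:
        if identifier in (acct.email, acct.phone):
            return acct
    return None


# --- Flawed behaviour, modelled on the bug as the article describes it -------

def leaky_duplicate_check(identifier: str) -> dict:
    """Unauthenticated 'is this email/phone already used?' check that also
    reveals the owning account and ignores the owner's discoverability setting."""
    acct = _lookup(identifier)
    if acct is None:
        return {"taken": False}
    return {"taken": True, "user_id": acct.user_id}


# --- Hardened behaviour ------------------------------------------------------

UNIFORM_SIGNUP_REPLY = {
    "status": "ok",
    "message": "If this contact is already in use, the account holder will be notified.",
}


def _notify_existing_owner(acct: Account) -> None:
    """Placeholder for an email/SMS to the existing owner (hypothetical hook)."""
    NOTIFICATIONS.append(acct.user_id)


def safe_duplicate_check(identifier: str) -> dict:
    """Signup duplicate check whose response is identical whether or not the
    identifier is in use; existence is handled out of band, so nothing in the
    reply distinguishes the two cases."""
    acct = _lookup(identifier)
    if acct is not None:
        _notify_existing_owner(acct)
    return dict(UNIFORM_SIGNUP_REPLY)


def safe_contact_lookup(identifier: str, channel: str) -> Optional[str]:
    """Contact discovery that returns a username only when the owner opted in
    to discovery over that channel; otherwise the answer is indistinguishable
    from 'no such account'."""
    acct = _lookup(identifier)
    if acct is None:
        return None
    if channel == "email":
        allowed = acct.discoverable_by_email
    elif channel == "phone":
        allowed = acct.discoverable_by_phone
    else:
        allowed = False
    return acct.username if allowed else None


class LookupBudget:
    """Per-caller cap on contact lookups (limit is an example value), so that
    bulk mapping of phone/email to username is not possible even for opted-in
    accounts."""

    def __init__(self, max_lookups: int = 50):
        self.max_lookups = max_lookups
        self.counts = {}

    def allow(self, caller: str) -> bool:
        n = self.counts.get(caller, 0) + 1
        self.counts[caller] = n
        return n <= self.max_lookups
```

The contrast to note is that the leaky check answers a question the caller is not entitled to ask, while the hardened signup path keeps the duplicate detection but moves the information to the account owner, and the hardened lookup path treats "exists but not discoverable" exactly like "does not exist".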
What happened
In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter's systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email address or phone number was associated with, if any. This bug resulted from an update to our code in June 2021, said Twitter.
What Twitter Learned
When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.
In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.
How to Protect Your Twitter Account
- Use a strong password and do not reuse it on other websites.
- Turn two-factor authentication on.
- Enable the setting that requires your email address and phone number in order to request a password reset link or code.
- Always check that you are on twitter.com before entering your login information, and do not click on suspicious links.
- Never share your username and password with third parties, especially those who promise to increase your followers, earn you money, or verify your account.