
Twitter says an attacker used its API to match usernames to phone numbers - spzx
https://www.zdnet.com/article/twitter-says-an-attacker-used-its-api-to-match-usernames-to-phone-numbers/
======
deft
What happened: Twitter asks users on sign up to scan their contacts (read:
steal and upload them). If you say no, twitter asks again and again every day
/ every login until you finally allow it to. Twitter builds a huge and
unnecessary db of users and phone numbers, as well as non-users' IDs tied to
phone numbers. Someone uses an API to steal this info that in most cases
twitter only collected by tricking their users / forcing it.

Anyone affected by this should be suing twitter for even collecting this
information! My friend can give away my phone number because of this data
collection.

~~~
RKearney
A trick I found to stop this nonsense is, at least on iOS, answer yes to the
Application's custom dialog to ask permission. This will then invoke the iOS
security dialog where you can click "No" and never be asked again.

Generally what I see happening is apps will ask the user if it's okay, and
only when the user says yes will they execute the necessary system call to
request access. In iOS at least, if a user clicks No the app can never prompt
for that permission ever again. Until the app makes this formal request to the
operating system, it does not show up under privacy (as the app had never
asked for it in the first place).

~~~
vincentmarle
Your friends/family probably won’t do this, so your phone number is going to
be shared with Twitter anyways.

~~~
cameronbrown
Well then the obvious solution is to start treating phone numbers as you would
an email address - effectively public.

I would love a version of privacy.com for phone numbers...

~~~
amalcon
Start? It wasn't that long ago that the phone company published a book with
near everyone's phone number in it.

~~~
jacobsenscott
There was no book with everyone's phone number in it. There were many books
that covered small regions. If you lived in Oshkosh Wisconsin and wanted the
number for someone in Kansas City, or even Madison Wisconsin it wasn't that
easy to get that book. Maybe your library had it. Phone numbers on paper
aren't that useful. You can't robodial a paper phone book without hiring
actual people. But no matter what you couldn't get millions of phone numbers
while sitting on your couch, and if you could they would be useless because
they were all on paper.

~~~
rileymat2
The books were hard to get, but directory assistance did exist if you called
the operator.

~~~
gwright
I'll bet there are quite a few people on HN that have never dialed 411 or
1-<area-code>-555-1212.

------
rewq4321
I was amazed when I found out about this "trick" a year or two ago. It
basically means that if you've used your personal email or phone number to
create an "anonymous" twitter handle (e.g. a whistleblower, leaker, etc.),
then it's not anonymous at all.

Someone can just put batches of emails into their gmail account (e.g.
journalists' public emails, their employees' emails, other suspects), then use
the Twitter contacts-import functionality to import those emails and match
them up with Twitter account handles. It's insane.

I first saw people explaining how to do this on Quora a year or two ago, but
here's another explanation that was posted just a few days before this
announcement: [https://www.quora.com/How-228/answer/William-Boyd-181](https://www.quora.com/How-228/answer/William-Boyd-181)

Twitter MUST have known about this loophole for many years. It's nigh on
impossible that they are that incompetent, so, as far as I can see, they were
just ignoring the loophole because they didn't want to slow down their growth
by removing the feature. As with all social networks, the most important
factor in keeping users is to quickly get them a network of followers and
followees.

EDIT:

> "People who did not have this setting enabled or do not have a phone number
> associated with their account were not exposed by this vulnerability,"
> Twitter said.

This spokesperson is extremely sneaky. They completely neglect to mention that
the "let others find me by _email_" is checked by default, and so we can only
assume that anyone who has a publicly scrape-able email _somewhere_ (basically
everyone, because you've got to count all the leaked databases too - see:
haveibeenpwned.com) has had their Twitter handle linked to that email. Atheist
bloggers in Saudi Arabia, whistleblowers in the US, opposition activists in
Russia, and so on - all potentially fucked over (past tense) by this.

And while I'm ranting: What's worse is that they apparently _haven't disabled
that API_. They've just removed a few big crawler swarms. But the thing is,
Russia / Saudi Arabia / etc. probably have narrowed their suspects down to 500
(or so) emails anyway, so they can discover the heretic/activist in a SINGLE
API REQUEST! So Twitter has done _nothing_ to fix this loophole.

~~~
C4stor
The first thing twitter proposes when you create an account : "Do you want to
match emails and phone numbers to account".

In this thread : "How can it be possible to match emails and phone numbers to
accounts?"

It's not a loophole, it's a feature.

It's in the TOS before you sign up : "Twitter also uses your contact
information to market to you as your country’s laws allow, and to help others
find your account if your settings permit, including through third-party
services and client applications."

How can someone then not realize this is a possibility? At what moment can
someone start to even begin to think twitter is a safe place for endangered
people? It's an ad company, what do you expect really?

~~~
rewq4321
The fact that you're citing the TOS is not exactly helping your case, since
it's well known that basically no one reads those. I'm not as concerned about
techy people as I am about the average person's understanding of their
identity privacy on Twitter.

But even as a techy person I was surprised by how easy it is for a random
person to link millions of identities. And I'm obviously not alone given that
this post made it to the front page. So when you say "what do you expect
really?" - well, most people expect that a random person can't discover their
email from their twitter handle. I think that's a completely fair expectation,
and people should rightly be concerned about this "feature". Posts like this
should be upvoted, because a lot of people aren't aware.

Your incredulity here tends to come across as "it's in the TOS, you're all
pretty ignorant, I knew about this all along." which isn't all that helpful,
even if it's all true.

------
sakisv
From Twitter's statement:

> People who did not have this setting enabled or do not have a phone number
> associated with their account were not exposed by this vulnerability.

This is a bit disingenuous, given that you can't really open an account unless
you provide a phone number to "verify" it.

Edit for clarification:

As gojomo said below
([https://news.ycombinator.com/item?id=22233612](https://news.ycombinator.com/item?id=22233612))
you may not need to provide it during sign-up, but your new account is almost
immediately locked for "suspicious activity" and you need to provide a phone
to unlock.

~~~
cmroanirgo
I just checked the twitter signup form, which does have a phone input. But
there's a toggle saying "use email instead".

So, no phone number is required.

~~~
gojomo
New accounts without an associated phone number tend to face a lock &
challenge, for "suspicious activity" (even if they've never posted), which can
only be reversed by adding a phone number.

So, Twitter is _de facto_ requiring phone numbers on many more accounts than
the initial sign-up flow might indicate – to the detriment of user privacy, &
increasing the damage of compromises like this one.

~~~
tialaramex
Note that activities which are potentially suspicious aren't just about
posting, it includes following people, because that makes their follower count
go up, and the whole point of displaying that count is most people want to
appear popular - and so of course people create bogus followers.

I agree that Twitter using this to get people to give them PII they don't
want Twitter to have, especially when Twitter aren't a good custodian of that
PII is terrible, but it's not as though Twitter's other option (anybody can
mint a thousand bogus Twitter followers with no pushback from Twitter) looks
great either.

~~~
80386
> I agree that Twitter using this to get people to give them PII they don't
> want Twitter to have, especially when Twitter aren't a good custodian of
> that PII is terrible, but it's not as though Twitter's other option (anybody
> can mint a thousand bogus Twitter followers with no pushback from Twitter)
> looks great either.

Third option: don't display follower counts.

~~~
JaRail
Hiding counts makes it hard to identify imposter accounts and bots. Users need
to be able to see account age and counts at a minimum.

------
mikey_p
The deepest irony of all this is that they require phone numbers to verify
accounts, which should cut down on fake accounts, yet they had a large amount
of fake accounts using this very feature, which means verifying with a phone
number may not be super effective anyway...

~~~
kwijibob
I factory reset my phone so I lost my gauth 2FA for Twitter. I'm locked out
now.

I cannot get Twitter to let me back in even though I can verify my email and
phone SMS.

I didn't make a backup code because I assumed I could use email/SMS in this
situation. It seems not.

So another smaller irony is that you cannot make valid use of your linked
phone number that they nag you for.

------
jrochkind1
> The endpoint matches phone numbers to Twitter accounts for those people who
> have enabled the “Let people who have your phone number find you on Twitter”
> option and who have a phone number associated with their Twitter account.

I don't recall hearing about this option. I followed the link they helpfully
included[1] to see if I had it set.

I found that I DID have "Let people who have your phone number find you on
Twitter" checked. But did NOT have "Let people who have your email address
find you on Twitter" checked.

It's possible I actually chose that at some point, for some reason decided I
was okay with "by phone number", but not "by email". But that doesn't sound
like me, I'm wondering if I unchecked the "email address" one at some point
when the "phone number" one didn't exist; then they later added the "phone
number" one defaulted to on?

I am guessing they intend to default all of these to on (opt-out rather than
opt-in), cause few people would take the trouble to go and opt-in even if they
didn't mind or would like it.

But... you know. Anyway, I've unchecked both of them now.

I don't entirely understand the vulnerability, it sounds like it was "letting
people who have your phone number find you on Twitter" just as advertised. "we
immediately made a number of changes to this endpoint so that it could no
longer return specific account names in response to queries." OK, so... you
can't use the API to do that anymore, but can still use the twitter web app
directly? I mean, it says right there you are letting people who know your
phone number find you on twitter, which I would assume means find your account
name.

It kind of sounds like they realized this whole feature was privacy-violating,
or would be perceived as such, but they haven't gotten rid of the feature...
I'm confused what they considered the vulnerability and what they changed or
didn't, and to what extent usernames and phone numbers can still be matched by
a third party on twitter.

[1]:
[https://twitter.com/settings/contacts](https://twitter.com/settings/contacts)

~~~
tzs
> It's possible I actually chose that at some point, for some reason decided I
> was okay with "by phone number", but not "by email". But that doesn't sound
> like me, I'm wondering if I unchecked the "email address" one at some point
> when the "phone number" one didn't exist; then they later added the "phone
> number" one defaulted to on?

I looked at mine, which I'm sure I've never touched before because I never
cared about Twitter settings. As with my Facebook account, my Twitter account
was mostly just created to get an acceptable name in case someday I actually
wanted a serious social media presence.

Both are unchecked. The account was created in early 2008.

~~~
fernandotakai
Yeah, same. Account created in Oct 2007, never checked, and I have everything
turned off.

~~~
disiplus
Also unchecked, and I have my phone number there.

------
kingosticks
Any chance this means they'll get rid of their popup that asks for my phone
number every time I visit. You only have to refresh the page to get rid of it
but it is annoying. This incident shows they don't know what they are doing
and don't respect their users' data.

------
jraph
I read the article and thought, "well, yes, the option that needed to be
enabled on the account for the attack to work describes what the API did, what
is the bug?"

I found the original notice from twitter [1] easier to understand (maybe
change the URL of this post?) and it does not speak about a bug. Twitter did
implement a change so that the attack cannot be done anymore though.

I did not understand the fix itself, it seems the API cannot be used for its
intended use anymore?

[1] [https://privacy.twitter.com/en/blog/2020/an-incident-impacting-your-account-identity](https://privacy.twitter.com/en/blog/2020/an-incident-impacting-your-account-identity)

~~~
JaRail
The fix was to block the botnets that were scanning millions of numbers and
ban the associated accounts. Likely that includes some ongoing threat
detection as well. That'll at least prevent scammers from collecting one more
account name/number to attempt exploiting.

It doesn't do anything against a targeted attack against someone who has
chosen to be discoverable. That's just how search/discovery is intended to
work.

------
_Understated_
> Twitter did not clarify who these third-parties were, but it did say that
> some of the IP addresses used in these API exploitation attempts had ties to
> state-sponsored actors, a term used to describe either government
> intelligence agencies, or third-party hacking groups that benefit from a
> government's backing.

Can someone explain this to me please? Are "state-sponsored hackers" this
foolish to use the same IP addresses as previous, known IPs used in hacks?

Or is this just the current "because terrorism / because pedophiles" used to
cover incompetence?

I don't get it...

~~~
meowface
I've been involved in research of this nature, though not specifically
attributing APTs. Think of it like old school detective work: every crime and
every criminal leaves traces, including the traces of the ways they attempt to
prevent being traced. This sometimes also includes attempts to impersonate
other entities ("false flags"). No matter how many layers of indirection an
attacker uses, there's going to be at least one thread to pull on.

There's no equivalent to DNA testing, but sometimes you can have pretty high
confidence in an attribution. To be clear, this goes incredibly far beyond
looking at IP address geolocation or whatever. That's less than 1% of what
you're looking at. That'd be like police assuming a death threat was signed
with someone's real name.

There's no way of knowing exactly what they identified or how they did it or
if they got it right. I wish more companies would release such information and
how they conducted the entire analysis (some do), though I understand that may
not be possible due to legal and counter-intelligence reasons.

------
arminiusreturns
Went on a tweet storm a few months ago. Twitter locked my account and forced
me to give my phone number. I started getting spam calls at a level I didn't
before (may be coincidence but am very tight about that sort of thing, I don't
even give my grocery store my #) and I knew, just knew that at some point,
this very thing would happen.

Combine that with the story that the Saudis had infiltrated twitter and were
spying on users, especially in light of how they treat their opponents
(Khashoggi), when do we stop supporting companies that do these obviously poor
practices?

~~~
vorpalhex
> when do we stop supporting companies that do these obviously poor practices?

Well, you just indicated you chose to continue supporting this company with
the poor practice above. What would make you switch away from them? Clearly
the spam calls weren't enough.

~~~
arminiusreturns
It's a complicated issue. I am very privacy focused, the kind of person that
doesn't do facebook, burns accounts on different forums regularly, etc, but I
have to admit I enjoyed the information I got out of twitter while not
enjoying some of their recent changes.

Since the spam calls and the phone link in though, I have already changed my
twitter-name and lost all followers, and since then I pretty much stopped
tweeting. Haven't logged in in at least a month now.

The main problem with adoption of an alternative is that I was using it to
keep up with the kinds of people that aren't necessarily going to move to an
alternative until it reaches some sort of critical mass. My RSS feeds are
already full enough without having to add a bunch of random single person
blogs to keep up with, so I'm not sure to be honest. Twitter was my main
compromise to stay more socially connected with a wider array of people and
it's hard to let go of that.

Despite my desire for good federated and open source social networking, it
isn't quite there yet, and so for the time being the one social outlet
alternative I see glimmers of hope in is WT.Social.

~~~
em-bee
You can still follow people without logging into Twitter. Their posts are
public. You can't DM with them though, and they also can't follow you. They
also can't block you. But as far as "getting information out of Twitter" is
concerned, no account is needed.

------
busterarm
So I guess Twitter applied for a technology embargo exemption to Iran?

I mean, I guess that's been public knowledge already that they serve there,
but the overwhelming majority of public companies block the IP space of every
country on the embargo list.

I'd think that serving Iran right now would be fairly politically untenable

~~~
xxpor
Most of Iran's leadership have active twitter accounts, so I'd have to guess
so.

------
drewmol
TL;DR

Twitter's data collection/friend matching feature used an API endpoint that
returned usernames given phone numbers. A security researcher exposed it
publicly, Twitter patched it (to just return a token or something). Twitter
investigated and just released their findings "out of an abundance of caution
and as a matter of principle." that it's clearly been "exploited" many times
in the past. Twitter probably charges for the data returned by this "exploit".
It doesn't look like the settings offered stop Twitter from selling this
"exploit" as a service for "promotional" content.

It seems strange not to care that Twitter sells your username but care that
they also accidentally gave it out for free in the past.

------
gorgoiler
Nothing in the article about collaboration with law enforcement or national
security.

Some amount of liability on Twitter’s part in this is palpable, but this is
also a criminal act on the part of the attacker who should accordingly be
brought to justice, _or at least an attempt should be made to do so_.

If this is happening with law enforcement agencies then I feel like tech
companies usually say so. Twitter’s statement says they are “releasing the
details” but there’s no mention of law enforcement or state department
involvement.

If the press release is meant to achieve this engagement publicly, then there
are no actual “details” in it for example, no link to a list of IP addresses,
twitter accounts, and times at which the endpoint was accessed!

That's a bit flippant of course but perhaps there is actually a way they could
have released some of those details: ASNs, days of the attack, some other
aggregation?

In any case, some reassurance from Twitter that this is being followed up on
by a government agency would be good to see.

------
swadizand
Attacker what? He, Ibrahim Balic, is a security researcher; but when it comes
to Twitter, they are stubborn claiming the bug was a feature. See what
"attacker" says:

[https://youtu.be/CuiGKv_nx7o](https://youtu.be/CuiGKv_nx7o)

------
baybal2
[https://news.ycombinator.com/item?id=21748137](https://news.ycombinator.com/item?id=21748137)

From 2 months ago:

>Basically Twitter got pwned big time, and now denies it because GDPR will
ruin them if breach is proven. Here is what Doubi's online followers figured:

>State security got all phone numbers used for Twitter phone verification up
to May 2019 and possibly till July.

>Twitter haphazardly closed the breach in complete secrecy.

>API hole explanation is excluded as people with 100% private accs got police
visits.

>People with foreign SIM cards also got into trouble. So the explanation that
China compromised Twitter's SMS providers is also excluded, as its improbable
that they did it in 4+ countries.

>2016 breach is also out of question.

>The only explanation is that they got hold on a big piece of their user DB,
or, worse, they have an active infiltrator in Twitter, or Twitter voluntarily
cooperated.

>[https://mobile.twitter.com/robert_spalding/status/1134797195...](https://mobile.twitter.com/robert_spalding/status/1134797195..).

>[https://amp.ft.com/content/afd44222-5c34-11e9-9dde-7aedca0a0...](https://amp.ft.com/content/afd44222-5c34-11e9-9dde-7aedca0a0..).

------
3fe9a03ccd14ca5
Twitter could go a long way in solving this issue by _not requiring a phone
number_ for an account. While you don’t need one to sign up, after some short
period of time you’ll be locked out if you don’t provide one.

------
buboard
Phone numbers are better than IPs for surveillance. They follow you
everywhere.

~~~
Scoundreller
I eagerly look forward to a phone-number free world.

Would help a lot with global mobility.

------
milofeynman
I swear I saw someone mention this a month or two ago in HN comments. They
said that they believed Twitter's API was being used to unmask accounts by
state actors. I can't find the original article now.

~~~
jsnell
You're thinking of
[https://news.ycombinator.com/item?id=21873229](https://news.ycombinator.com/item?id=21873229)

That was slightly different, since at that time the only information we had
was that this unethical "security researcher" had exploited the bug for months
on billions of phone numbers and only disclosed it once Twitter blocked them.

This announcement is different in that Twitter appear to be saying that this
was being abused by other actors as well.

~~~
milofeynman
That was exactly the comment. Thank you! It sounds like everyone and their
mother was exploiting the API based on today's post. Thanks again.

------
geogriffin
> After our investigation, we immediately made a number of changes to this
> endpoint so that it could no longer return specific account names in
> response to queries.

Does anyone know what this actually means? If the contact discovery API
doesn't return a username, what does it do? If the answer is that it returns a
user ID now instead of username, then presumably that can then be freely
queried for the corresponding username..

------
buboard
There should not be an app permission to export contacts list in the first
place. If an app needs your contacts, there should be a way to export them
offline and upload the contacts file. If a user is not technically adept to do
that, they are clearly also not adept to judge the ramifications of pressing
the "allow" button on the contacts permission dialog.

------
dickjocke
I was rejected with no explanation from a Twitter API key, despite it being
for a real account that must appear very normal in every respect.

I think it's kind of funny that they are so draconian with hobbyists and
people making toys, but that any motivated bad actor can probably access most
of the same endpoints and services by virtue of the fact that they have to be
accessible for people to use Twitter.

------
stebann
Someone has mentioned spam after being forced to provide his/her phone number
to Twitter, and I have known of similar cases in 2019. I also remember a case
where the police matched a Twitter handle to a phone number and proceeded to
arrest a guy who had been a strong activist against electronic voting. So I can
conclude that this bug was well known at the beginning of 2019.

------
rezeroed
Why on earth would you give twitter your phone number!? It's an ad company.
Why on earth would you give an ad company your phone number?!

------
daenz
At some point we'll realize that privacy invasive policies are a huge security
liability, right?

------
exabrial
I don't even feel sorry for them. Many many times over, industry experts told
people: SMS is NOT 2FA and should not be used as such. Great to see karma
served, and I look forward to U2F or WebAuthn on my twitter account soon.

~~~
rchaud
What's there to feel sorry about? Twitter isn't facing any regulatory scrutiny
over this, let alone possible fines.

------
spoondan
It’s interesting to me that these kinds of things are not catalogued and
advertised like other vulnerabilities. This is an exploitable information leak
using an endpoint that many other services likely have.

------
diebeforei485
They should not allow phone number -> handle lookups. That is quite creepy.

A much more privacy-respecting method would be to only allow lookups if _both_
parties have each other added.
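
The enumeration rewq4321 describes above (a batch of candidate emails or numbers goes in as a "contact list", handles come back) and the mutual-match design diebeforei485 proposes, as an added illustration rather than code from this thread or from Twitter. It models a contact-discovery endpoint over a handful of constructed accounts: the leaky version returns a handle for every discoverable identifier it is handed, so a suspect list is unmasked in one call; the hardened version answers only when the other party has uploaded the caller's identifier too, and cuts off a caller who burns through a miss budget. Account names, numbers, addresses and the miss threshold are all placeholders.

```python
"""Toy model of a phone/email contact-discovery endpoint and why it leaks.

Added illustration; users, numbers and limits are constructed placeholders and
nothing here talks to Twitter or any real API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class User:
    handle: str
    phone: str
    email: str
    find_by_phone: bool = True   # "Let people who have your phone number find you on Twitter"
    find_by_email: bool = True   # "Let people who have your email address find you on Twitter"
    contacts: Set[str] = field(default_factory=set)  # identifiers this account has uploaded


# Constructed sample accounts (placeholders, not real people).
USERS = [
    User("acme_press", "+15550001111", "press@acme.example"),
    User("anon_leaker", "+15550002222", "leaker@mail.example"),  # "anonymous" handle, real number and email
    User("dissident42", "+15550003333", "d42@mail.example", find_by_phone=False),
    User("rk", "+15550004444", "rk@mail.example", find_by_phone=False, find_by_email=False),
]
BY_HANDLE = {u.handle: u for u in USERS}
BY_IDENT: Dict[str, User] = {}
for _u in USERS:
    BY_IDENT[_u.phone] = _u
    BY_IDENT[_u.email] = _u


def _visible(u: User, ident: str) -> bool:
    """Does the discoverability toggle for this identifier type permit a match?"""
    return u.find_by_phone if ident == u.phone else u.find_by_email


def naive_discover(uploaded: List[str]) -> Dict[str, str]:
    """The leaky design: any caller uploads a 'contact list' and gets
    identifier -> handle for every discoverable match. Nothing requires the
    caller to know the target, so a batch of guesses works as well as a
    genuine address book."""
    found: Dict[str, str] = {}
    for ident in uploaded:
        u = BY_IDENT.get(ident)
        if u is not None and _visible(u, ident):
            found[ident] = u.handle
    return found


def batch_unmask(suspects: List[str]) -> Dict[str, str]:
    """Attacker side of what rewq4321 describes: suspect list in, handles out, one request."""
    return naive_discover(suspects)


class MutualDiscovery:
    """Hardened design along the lines diebeforei485 proposes:
    - a handle is returned only when the target has also uploaded the caller's
      phone or email, so a stranger who merely holds your number learns nothing;
    - identifiers that produce no match are counted per caller, and a caller who
      exceeds max_misses gets nothing back, which blunts bulk enumeration."""

    def __init__(self, max_misses: int = 20):
        self.max_misses = max_misses        # constructed threshold for the demo
        self.misses: Dict[str, int] = {}

    def upload(self, caller: str, uploaded: List[str]) -> None:
        BY_HANDLE[caller].contacts.update(uploaded)

    def discover(self, caller: str, uploaded: List[str]) -> Optional[Dict[str, str]]:
        """Return matches for the caller, or None once the caller is cut off."""
        me = BY_HANDLE[caller]
        self.upload(caller, uploaded)
        found: Dict[str, str] = {}
        for ident in uploaded:
            u = BY_IDENT.get(ident)
            mutual = u is not None and u is not me and bool({me.phone, me.email} & u.contacts)
            if mutual and _visible(u, ident):
                found[ident] = u.handle
            else:
                self.misses[caller] = self.misses.get(caller, 0) + 1
        if self.misses.get(caller, 0) > self.max_misses:
            return None
        return found


if __name__ == "__main__":
    suspects = ["+15550002222", "leaker@mail.example", "d42@mail.example", "+15559999999"]
    print("naive endpoint:", batch_unmask(suspects))   # unmasks anon_leaker and dissident42 in one call
    md = MutualDiscovery(max_misses=3)
    print("mutual, one-sided:", md.discover("acme_press", ["+15550002222"]))   # {}
    md.upload("anon_leaker", ["+15550001111"])                                   # leaker holds the press number too
    print("mutual, both sides:", md.discover("acme_press", ["+15550002222"]))  # {'+15550002222': 'anon_leaker'}
    print("bulk probing:", md.discover("rk", ["+1555000%04d" % i for i in range(5)]))  # None
```

Run as a script it prints the four cases. The budget of three misses is a toy; a real deployment would count misses per time window and per source address as well as per account, because a genuine address book of a few hundred contacts will mostly miss too. Hashing identifiers before upload would not change any of this, since the phone-number space is small enough to hash exhaustively; the mutual rule is what removes the one-sided lookup, and a target who happens to have the attacker's number in their own upload remains matchable.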

------
simonebrunozzi
Class action?

~~~
markovbot
Unlikely to succeed. This sort of invasive, drag-net data collection without
user knowledge or consent is considered standard practice.

All twitter users "agreed" to it when they created their account (via the
legal fiction that humans read and agree to terms of service)

~~~
cmcd
I didn't create a twitter account but my information could have been leaked
via this process.

~~~
markovbot
Is there some law against them collecting your information from your friends
without your consent? I'm not a lawyer, just an observer of how these sort of
things regularly go, and I'm going to guess that what they did here was 100%
legal.

Obviously this is morally abhorrent, but in the US the laws are written to
protect large corporations like Twitter, not their victims.

------
sdan
Isn’t this old news? Thought this came out a few months ago.

~~~
boudin
According to the article, Twitter discovered the problem on the 24th of
December 2019.

------
lowdose
Kind of ironic Twitter can't protect against data theft but spends a
considerable amount of resources to detect Deep Fakes.

~~~
krapp
How is that ironic, those are two entirely different issues.

------
est
This "bug" made hundreds of thousands of Chinese activists' accounts "disappear".
Sad.

------
GrumpyNl
One of the reasons I never installed the twitter app. Will keep using the web
page.

------
mLuby
Why is "impacting" better than "affecting?"

~~~
dghughes
For starters impact is a noun and affect is a verb.

It's probably textbook risk analysis lingo, an impact is measurable but an
affect is not.

Usually an impact scale is created to define what impact level 5 would involve
versus impact 1. It's still arbitrary but more configurable than affect.

Just my two cents, no guarantee.

------
thiagomgd
I was already thinking of deleting my twitter account. This is just an extra
incentive

------
typeformer
Wtf

------
TylerE
It's a phone number, not your bank account.

It's public information.

Do you want to sue the phone telcos for publishing the phone book?

~~~
XMPPwocky
What's your phone number?

I might call you and check- and check for VOIP numbers, too, so no fakes.

~~~
techsupporter
> check for VOIP numbers, too, so no fakes

Ah yes, continuing the fiction that anyone who uses a VoIP service must be a
fraudster with a faked phone number.

Just another in the long list of if you are not using Google or Microsoft
e-mail and AT&T or Verizon or T-Mobile or Sprint postpaid mobile phone
service, you're obviously up to no good and deserve whatever "anti-fraud" you
get.

