
A Twitter app bug was used to match 17M phone numbers to user accounts - kkm
https://techcrunch.com/2019/12/24/twitter-android-bug-phone-numbers/
======
baybal2
Very relevant:
[https://news.ycombinator.com/item?id=21747424](https://news.ycombinator.com/item?id=21747424)

Can this be an API leak which Chinese MSS used to track Chinese users?

It may well be if we believe that the API wasn't implementing the discoverability
restrictions from privacy settings, and only hid users at the UI level.

> Basically Twitter got pwned big time, and now denies it because GDPR will
> ruin them if the breach is proven. Here is what Doubi's online followers
> figured:

> State security got all phone numbers used for Twitter phone verification up
> to May 2019 and possibly till July.

> Twitter haphazardly closed the breach in complete secrecy.

> API hole explanation is excluded as people with 100% private accs got police
> visits.

> People with foreign SIM cards also got into trouble. So the explanation that
> China compromised Twitter's SMS providers is also excluded, as it's
> improbable that they did it in 4+ countries.

> 2016 breach is also out of question.

> The only explanation is that they got hold of a big piece of their user DB,
> or, worse, they have an active infiltrator in Twitter, or Twitter
> voluntarily cooperated.

~~~
BurningFrog
> _they have an active infiltrator in Twitter_

If I were China, I'd go for this. Twitter has thousands of employees, many of
whom can surely be turned with some pressure. Also many who have family in
China that can be used for leverage.

~~~
chatmasta
I’d have to imagine this is very common, and they’ve probably got one at all
the big tech companies. It’s an underreported threat IMO. Who would say no to
doubling their salary in exchange for running the occasional DB query for
their home country?

~~~
yzmtf2008
At a public company like Twitter, for SOX compliance reasons, it will be very
difficult to find someone that has such permissions, and running anything
unusual can be easily found by auditing. I'd stop with the conspiracy
theories.

~~~
lwf
https://www.washingtonpost.com/national-security/former-twitter-employees-charged-with-spying-for-saudi-arabia-by-digging-into-the-accounts-of-kingdom-critics/2019/11/06/2e9593da-00a0-11ea-8bab-0fc209e065a8_story.html

In general, most companies want to scope SOX as narrowly as possible. So if
you can, only things that your auditors think will affect revenue reporting.

Querying ads performance data? Sure, we'll SOXify it. Querying user accounts
writ large? "Meh, our engineers need to be productive."

------
mherdeg
> Over a two-month period, Balic said he matched records from users in Israel,
> Turkey, Iran, Greece, Armenia, France and Germany, he said, but stopped
> after Twitter blocked the effort on December 20.

Sounds like the other thing Balic discovered (not explicitly published here)
is the rate limit below which Twitter's anomaly detection will not notice that
you are using an interesting API endpoint.

> While he did not alert Twitter to the vulnerability, he took many of the
> phone numbers of high-profile Twitter users — including politicians and
> officials — to a WhatsApp group in an effort to warn users directly.

Uh. I wonder how that went over?

------
ribosometronome
It sounds like he spent two months extracting data through a flaw that's
existed for years and then bragged about it after it got closed due to his
egregious usage.

Is this considered normal or ethical behavior for a security researcher?

~~~
thepangolino
They literally ruined it for everyone else for the publicity. Typical of PR
obsessed white hat script kiddies.

~~~
Buge
What was ruined? And who ruined it?

~~~
dredmorbius
Access to what had until then been an 0day.

Ibrahim Balic "ruined" it, through public bragging (which is _not_ responsible
disclosure).

~~~
Buge
Ruining access to a 0day sounds like a good thing to me. I don't want people
to have access to 0days.

Some people dislike the term "responsible disclosure" and believe it's not a
moral imperative:

[https://hn.algolia.com/?query=author:tptacek%20responsible%2...](https://hn.algolia.com/?query=author:tptacek%20responsible%20disclosure&sort=byDate&prefix&page=0&dateRange=all&type=comment)

Of course what Ibrahim did wasn't full disclosure either, so he shouldn't be
fully congratulated. But bragging about it was better than keeping silent
about it in this case.

------
_jomo
This is a "feature", not a bug. Twitter keeps asking for phone numbers all the
time and then suggests you also allow others to discover your account via
phone number.

So this guy merely enumerated a lot of phone numbers and found accounts of
users who agreed to have their phone number publicly match their account.

~~~
krick
Yeah. Not long ago I thought I could finally try Twitter, but 20 minutes in
(just enough time to follow a couple of people and to start getting familiar
with the UI) I found the UI to be totally blocked by the demand that I submit
my phone or else. Naturally, I figured I don't need Twitter _that_ much.

So to call a feature nobody asked for which they went a long way to introduce
a "bug"... yeah.

~~~
dx87
Same thing happened to me when I just wanted to sign up to follow some esports
organizations. It says a phone number is optional during signup, then a few
minutes after I create my account it becomes locked and I get an automated
message saying that I'm suspected of being a bot, and the only way to unlock
it is by giving them my phone number.

------
3fe9a03ccd14ca5
The worst part about this is that twitter _requires_ you to add a phone
number. Why?? That’s very privacy hostile, since a phone number is very
personal and identifiable.

And it’s like a bait and switch. They don’t require it at sign up, but within
a short time they’ll lock your account until you add it.

~~~
HNthrow22
A dark pattern, because while it's not actually required it might as well be;
their 'account locked' email conveniently leaves out that you can simply email
them and have them re-enable the account without a phone number.

That email, for the curious:

> Hello,
>
> Your account appears to have exhibited automated behavior that violates the
> Twitter Rules:
> [https://support.twitter.com/articles/18311](https://support.twitter.com/articles/18311).
>
> In order to continue safely using Twitter, please follow these steps:
>
> 1. Log in to your account on the web or open your Twitter app (iOS or
>    Android).
> 2. You’ll see a prompt letting you know your account has been locked. Click
>    or tap “Start”.
> 3. Select your country/region from the drop down menu, and then enter your
>    phone number.
> 4. Click “Send code” and Twitter will send you a text message with a
>    confirmation code (note that your standard message rates may apply).
> 5. Enter the code you received in the “Your code” box and click “Submit”.
> 6. You will see a confirmation message that your account is now unlocked.
>
> Once you confirm your identity, it may take up to a few minutes for your
> account to be unlocked.
>
> If you’re still experiencing an issue after confirming your identity, please
> reply to this message and provide us with specific details of the problem
> you're experiencing. We’ll do our best to help!
>
> Thanks,
>
> Twitter Support

If you reply to this saying you don't have a phone they will re-enable your
account but there's no mention of that or "click here to verify account"
option.

~~~
mirimir
Yeah, I gotta try that sometime.

------
ec109685
Doesn’t really have anything to do with the Android app. He was using an API
endpoint that anyone could hit.

Step #1, turn two-factor authentication on.

Step #2, have your phone number leaked because of a dumb feature.

~~~
deogeo
I think these days, Twitter will suspend your account immediately after
sign-up, for "suspicious activity", and require a phone number to re-enable it.

~~~
Mirioron
At this point it has to be on purpose, right? There is no way that Twitter has
just overlooked this closing of accounts "for suspicious activity" for years
right when the account is created.

~~~
kick
I made one a week or two ago, followed some people, made a few tweets, and
wasn't asked for a phone number. I wasn't even asked for a CAPTCHA.

I deleted the account a few days later because Twitter is dull and the entire
point of what I was trying to do was see if the rumors of immediate account
flagging were true. They don't seem to be.

~~~
newnewpdro
I made one a few months ago and it immediately did the suspicious activity
provide phone number b.s.

I've not tried again since, and considered twitter 100% off-limits after that
experience since it's obviously just an effort to acquire phone numbers
coupled to accounts and email addresses under the guise of "security".

~~~
sdoering
Thanks. I registered an account lately and wondered why this happened. Thanks
for the clarification.

------
xorcist
I recently started to use the "neo-banks" (fintech apps that may or may not be
actual banks, mostly for payments). All of them offer an app and APIs and ways
to discover which contacts use the same app via their phone number.

Immediately following this I received highly targeted phishing SMS messages
that included links to plausible looking login pages.

Perhaps this shouldn't be too surprising, but people will get burned and
somebody will have to pay for it.

------
1f60c
I think it was irresponsible to keep collecting more phone numbers, and I
think he should've let Twitter handle informing users of this vulnerability.
Had he used responsible disclosure, he could have claimed a nice bug bounty
(between $280 and $2,940, according to [0]).

[0]: https://hackerone.com/twitter

~~~
chance_state
I'm always curious why these bug bounty programs for billion dollar companies
pay so little.

Why not make this a 10K, 25K bounty even if it's small potatoes?

That amount is nothing to Twitter but might prevent what happened in this case
(continued collection of data, public release before Twitter could notify
users, etc).

I've noticed this trend of painfully cheap bounties at most other tech giants
too.

~~~
sp332
Katie Moussouris has spoken a lot about this. The incentives are pretty
complex.

https://www.computerweekly.com/news/252450337/Bug-bounties-not-a-silver-bullet-Katie-Moussouris-warns

https://www.zdnet.com/article/relying-on-bug-bounties-not-appropriate-risk-management-katie-moussouris/

https://threatpost.com/newsmaker-interview-katie-moussouris-on-improving-bug-bounty-programs/139488/

~~~
munk-a
I mean, there is a mix here, some genuine notes about how high bounties can
cause coordinated breaches to farm income but also notes about how bounties
shouldn't replace pen testing (I agree, but have both and don't, as a pen
tester, just argue that more money should go to pen testing, it's way too
self-serving) and a weird comment that having a low bounty and then overpaying
for a return of privileged data if the compromise could expose that data is a
bad idea because it encourages bad actors - if the bounty is 3k and the data
is worth 30 mil then yea, bad actors will emerge because you're criminally
underpaying for exploits.

Honestly, a lot of the reasons I'm seeing for lowering the payout of bounties
seem to revolve around "It's too expensive".

~~~
sp332
More reasons
[https://twitter.com/k8em0/status/1078798252151992320](https://twitter.com/k8em0/status/1078798252151992320)
Almost any amount of money allocated to bug bounties would be more efficiently
spent developing in-house talent.

~~~
Red_Leaves_Flyy
Which serves the argument that instead of rewarding people for sharing
vulnerabilities we should be punishing companies for having them. Harshly. The
more data points a company tracks the faster the fine should approach 100% of
the entire company market cap. Their subsidiaries, parent companies, board, and
executives should also not be immune but rather personally liable for
egregious cases of not knowing, failing to, or cutting corners around
documented best practices, security patching, hardware rotation etc. The
entire industry needs to be reworked to put security and make all PII
hazardous.

Sadly software is going the way of construction. Things will only change when
TPTB get inordinately affected.

------
codedokode
When sites collect phone numbers to "find friends", there is always a chance
that they will be leaked. And even worse, someone having enough resources will
check all existing phone numbers and get a mapping between numbers and
accounts.

This reminds me of a story posted on Russian site [1], where researchers
managed to bypass Instagram's protection and find accounts by phone number.
Sadly, I cannot confirm described method because their site requires a Google
Account to find Instagram account by phone number. But if it's true it shows
that even Facebook and thousands of its engineers cannot protect their users'
data.

[1] https://translate.google.com/translate?sl=ru&tl=en&u=https%3A%2F%2Fhabr.com%2Fru%2Fcompany%2Fpostuf%2Fblog%2F479094%2F

~~~
londons_explore
When you have a typical "find friends" feature, there is no way to secure it.
Each friend can look up a large address book of 1000 users, then very quickly
the whole valid phone number space can be searched.
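
An added example (not from this thread, and not Twitter's code) of the defensive side of the two points raised above: the discoverability setting is enforced in the API rather than hidden in the UI, each caller gets a per-upload cap and a daily lookup budget, and an upload whose numbers almost never correspond to an account is flagged as a sweep of the number space rather than a real address book. All handles, numbers and thresholds are constructed.

```python
"""Model of a contact-discovery endpoint that enforces the discoverability
setting on the server, budgets lookups per caller, and flags uploads whose
hit rate looks like enumeration. Constructed sample data only."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    handle: str
    discoverable_by_phone: bool  # the user's "let others find me" setting


# Constructed directory: fake handles and fake numbers (hypothetical).
DIRECTORY = {
    "+15550000001": Account("alice", True),
    "+15550000002": Account("bob", False),
    "+15550000003": Account("carol", True),
}

MAX_PER_UPLOAD = 1000   # largest address book accepted in one call
MAX_PER_DAY = 5000      # per-caller daily budget of looked-up numbers
MIN_HIT_RATE = 0.05     # real contact lists hit existing accounts far above this
MIN_SAMPLE = 100        # only judge the hit rate on sizeable uploads


class ContactDiscovery:
    def __init__(self, directory):
        self.directory = directory
        self.used_today = defaultdict(int)
        self.flagged = set()  # callers whose uploads looked like a sweep

    def lookup(self, caller, numbers):
        """Return (status, matched_handles) for one address-book upload."""
        if len(numbers) > MAX_PER_UPLOAD:
            return "too_large", []
        if self.used_today[caller] + len(numbers) > MAX_PER_DAY:
            return "budget_exhausted", []
        self.used_today[caller] += len(numbers)
        hits, matches = 0, []
        for number in numbers:
            acct = self.directory.get(number)
            if acct is None:
                continue
            hits += 1  # counted internally for detection, never returned
            # The privacy setting is enforced here, in the API, so a client
            # that bypasses the UI gets exactly the same answer.
            if acct.discoverable_by_phone:
                matches.append(acct.handle)
        # An "address book" that almost never hits an existing account is the
        # signature of someone walking the number space, not syncing friends.
        if len(numbers) >= MIN_SAMPLE and hits / len(numbers) < MIN_HIT_RATE:
            self.flagged.add(caller)
        return "ok", matches
```

The budget and the hit-rate threshold are the knobs the thread is arguing about: set them too loosely and a slow sweep stays under the radar, too tightly and ordinary address-book syncs get refused.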

------
whywhywhywhy
“he took many of the phone numbers of high-profile Twitter users — including
politicians and officials — to a WhatsApp group in an effort to warn users
directly”

What on earth does this actually mean? And why does he still have a verified
Twitter account or an account at all when he exploited it for 2 months without
informing them?

~~~
RicardoLuis0
I'm pretty sure it means he made a WhatsApp group and added/invited those
high-profile people to warn them.

------
Lammy
This must be the "Account Security Issue" Twitter e-mailed me about last week.
I was wondering when they'd release more details:
[https://i.imgur.com/yjzMtLB.png](https://i.imgur.com/yjzMtLB.png)

Transcription:

"SUBJECT: Twitter Account Security Issue – Update Twitter for Android

Hello,

We recently fixed an issue that could have compromised your account. Although
we don’t have evidence that this was exploited, we can’t completely confirm so
we are letting you know. You can learn more about this issue here.

Please update to the latest version of Twitter for Android as soon as possible
to make sure your account is secure.

We’re sorry this happened and will continue working to keep your information
secure on Twitter. You can reach out to our Office of Data Protection through
this form to request information regarding your account security.

Thanks, Twitter"

Edit: err, no, this appears to be something different still. Not a good week
for Twitter:
[https://news.ycombinator.com/item?id=21847198](https://news.ycombinator.com/item?id=21847198)

------
A4ET8a8uTh0
I see stuff like this and I keep wondering whether it is a bug or an
undocumented feature.

------
rootsudo
Similar bug was used maliciously by HK Police for identifying Telegram users.
Telegram now has an option for identification by number.

------
Can_Not
Very cool, also you can't use MFA authentication on Twitter without giving
them your phone number.

~~~
app4soft
> you can't use MFA authentication on Twitter without giving them your phone
> number.

GitHub also requires MFA authentication since this year.

Does it mean that any MFA authentication now has the same leaks?

~~~
tialaramex
No. But you should be concerned if you choose to give your phone number to
people, because if they know it they might leak it through any combination of
malice or incompetence.

Other than my banks, none of the systems I've enabled MFA for required a
telephone number.

That includes: Dropbox, GitHub, Slack, Facebook, Nintendo, Google, Login.gov
and the Digidentity.eu variant of Gov.uk Verify.

Everywhere it was possible I used my FIDO Security Keys which are phishing
proof, impractical to de-anonymise and foolproof because the site has no
secrets to leak. Whenever I hear that a site I already used MFA for gained
WebAuthn or U2F I go back and switch that site to Security Keys.

Everywhere else I used TOTP (Google Authenticator) which can be phished using
a live proxy and the site could leak their copy of your TOTP secret (not the
changing code, but the secret that drives it) but other than those two
concerns it's pretty safe. At least nobody can work out your real world
identity by knowing your TOTP secrets.

------
ENOTTY
So this is a different bug than the one Twitter cryptically e-mailed users
about. Cool cool

------
skinkestek
Cannot read it. I get lost in some "respect your privacy" nonsense.

------
FrozenVoid
When a website asks for a phone number I treat it as "please provide a DNA
sample and birth certificate in triplicate" and close the tab. It's ridiculous
to what ends consumers will go and accept as "privacy compromises". Hopefully
GDPR will make these practices costly enough.

------
wdb
Did they report this breach as required by GDPR rules in the EU? I can't
imagine the GDPR rules don't apply to an American company when they are active
in the EU? Especially, if they have (do they?) a branch in the EU like for ads
revenue or royalties to lessen the tax pay in Ireland or The Netherlands like
Uber.

