Anyone affected by this should be suing Twitter for even collecting this information! My friend can give away my phone number because of this data collection.
Generally what I see happening is apps will ask the user if it's okay, and only when the user says yes will they execute the necessary system call to request access. In iOS at least, if a user clicks No the app can never prompt for that permission ever again. Until the app makes this formal request to the operating system, it does not show up under privacy (as the app had never asked for it in the first place).
I would love a version of privacy.com for phone numbers..
A cell phone number does not equal your kitchen phone in terms of access to information. The whole thing is moot. The issue now is that this is my personal phone number, me, personally, and is being used as a piece of validating information in a variety of compromised databases.
I used it at a summer job in the late 80’s. You could order reverse lookup books for anywhere you wanted, and of course could get that data electronically too. You could also call information for anywhere you could think of by dialing the area code plus 555-1212.
With the twitter leak millions of phone numbers/names are available for free instantly, and the technology to do some harm with them is readily available.
Phone numbers used to be really public. As in "Someone has collected your phone number, your address and family name and put it in this huge book they update every year. And they drop a copy of this book on everybody's porch."
You could always ask your friend to relay a message right?
It's not like I had glimpsed someone's shoulders and wanted to cold call them to pitch them my startup idea of the week or creepily ask for a date (I remember it was to follow through with a conversation about DIY hydroponics with one and coffee brewing with another). Friend got tired of relaying messages at some point :). We rarely got to the point of giving out contact information on the moment though (that was the flow of those meetings and I think it's not a cultural thing to exchange business cards in such settings in my country). Also, we are not the kind of people to hang on Facebook, so discovery is weak.
Totally agree it is correct behaviour with strangers though.
And it was only a minor annoyance at some point so well... no biggie. (Except that time he divorced and he wouldn't give me his ex-wife's number so I could get back some DVD she had borrowed)
edit: also, I wouldn't ask for contact info if I wasn't confident that it was okay for the person to get a call from me and I am confident that my friend knows I won't mess up things by being inappropriate.
The message your friend could have relayed could have been “hey is it ok if I get your contact info?”.
What your friend isn’t getting right is that maybe you and his friends DO want to contact each other. He is deciding for both parties that they don’t. He could adjust his behaviour on that front a bit.
I've had several friends ask if it's okay to give out my contact information to third parties who were interested in acquiring this information to continue conversations through more private channels.
But there was always an element of consent involved on my part.
Is there a reason you do not ask those people for their contact information directly?
> I would love a version of privacy.com for phone numbers..
I've used google voice and twilio for something similar, though nowhere near as plug and play as a privacy.com-like solution.
As long as one of your friends or relatives has and accepts to upload their contact list (with your number included).
I don't share my contacts with any app, and I hate being asked again and again for every single new app. No means no.
The native prompts don't allow for app specific explanatory text to be presented. I haven't reviewed iOS guidelines, but Google provides guidance to inform users of why you're asking for permissions before you do it, and I would guess Apple would suggest the same as well. Pestering people for access once a day is probably not within the scope of the guidelines though.
Not true. iOS apps can specify explanatory text to be included in the native prompt. In fact they are required to do this, since at least two years ago.
The NSContactsUsageDescription string (in the Info.plist file) is the place to specify this.
There is no good reason for Apple to allow apps to mask permission requests with their own dialogs, it’s just a case of not bothering to fix this loophole.
Given the ramifications of leaking name with phone number of people who didn't agree directly to anything with Twitter and just had their contact details trawled by any of their friends signing up. Not good, as with that, hijacking phone numbers has been done many ways and times; even the CEO of Twitter had that stunt pulled upon him. What with 2FA for many being a text message sent to your phone number. The ramifications of this could be bigger than they first appear, and remember: they only found this now, so how long has this been open to such abuse? So anybody who had their phone number hijacked in X period of time, this `might` be a possible explanation in some of those instances.
Legally - no idea how this will pan out, but certainly not be the last we read about this.
We should also sue companies who continue to use SMS as part of their 2FA system and/or for account recovery.
I find it very weird to find, for example, my boss, or certain specific coworkers, on any social app. I don't want them to be able to find me either. This design decision of giving apps your entire contacts book by default has to die, and individual users need more choice instead.
If they are interested, then they'll find a way.
An app (such as whatsapp) getting access to all contacts is a valid use case, even though it doesn't apply to you.
I don't use Facebook nor Instagram, and I only use WhatsApp for 3 Android users, the rest of the people I talk to I use iMessage.
That appears to be impossible for WhatsApp on Android. Someone wanted me to install it a bit ago, I refused to give it access to my contacts and it refused to do anything else until I did.
So I deleted it and we used Signal instead.
Meanwhile the option remains available to use a different app that doesn't behave that way.
Your local Apple device has a messaging app (iMessage) that can see all the contacts on it.
iCloud puts contacts on Apple servers.
Any proof about this claim? I use Twitter on Android and web frequently and I only refused such requests once or twice.
Bottom line, it doesn't "ask again and again every day".
Now those collected and leaked phone numbers will be available not only to Twitter and US government but to anyone wishing to buy them from hackers.
If you made some agreement as to how your friend could use your phone number and 'sharing with Twitter' is a violation then you could sue them I suppose. Annoying as this data collection is, labeling information about you as only yours is incorrect, it's your friends and Twitters's (and Google/FB/AMZ/etc.) information too.
But I doubt there is much incentive to even create a legislative basis for such transgressions. Complicated topic to be fair, but we will only see improvements if there are severe penalties for "losing" data. Since no system is safe, there is only the alternative left not to collect info you do not need.
To be clear, this applies to the Twitter app for iOS and Android, correct?
I exclusively use the Twitter web interface (even on my Android phone) and I have never been asked this.
Someone can just put batches of emails into their gmail account (e.g. journalists' public emails, their employees' emails, other suspects), then use the Twitter contacts-import functionality to import those emails and match them up with Twitter account handles. It's insane.
I first saw people explaining how to do this on Quora a year or two ago, but here's another explanation that was posted just a few days before this announcement: https://www.quora.com/How-228/answer/William-Boyd-181
Twitter MUST have known about this loophole for many years. It's nigh on impossible that they are that incompetent, so, as far as I can see, they were just ignoring the loophole because they didn't want to slow down their growth by removing the feature. As with all social networks, the most important factor in keeping users is to quickly get them a network of followers and followees.
> "People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability," Twitter said.
This spokesperson is extremely sneaky. They completely neglect to mention that the "let others find me by email" is checked by default, and so we can only assume that anyone who has a publicly scrape-able email somewhere (basically everyone, because you've got to count all the leaked databases too - see: haveibeenpwned.com) has had their Twitter handle linked to that email. Atheist bloggers in Saudi Arabia, whistleblowers in the US, opposition activists in Russia, and so on - all potentially fucked over (past tense) by this.
And while I'm ranting: What's worse is that they apparently haven't disabled that API. They've just removed a few big crawler swarms. But the thing is, Russia / Saudi Arabia / etc. probably have narrowed their suspects down to 500 (or so) emails anyway, so they can discover the heretic/activist in a SINGLE API REQUEST! So Twitter has done nothing to fix this loophole.
In this thread: "How can it be possible to match emails and phone numbers to accounts?"
It's not a loophole, it's a feature.
It's in the TOS before you sign up: "Twitter also uses your contact information to market to you as your country’s laws allow, and to help others find your account if your settings permit, including through third-party services and client applications."
How can someone then not realize this is a possibility? At what moment can someone start to even begin to think Twitter is a safe place for endangered people? It's an ad company, what do you expect really?
But even as a techy person I was surprised by how easy it is for a random person to link millions of identities. And I'm obviously not alone given that this post made it to the front page. So when you say "what do you expect really?" - well, most people expect that a random person can't discover their email from their twitter handle. I think that's a completely fair expectation, and people should rightly be concerned about this "feature". Posts like this should be upvoted, because a lot of people aren't aware.
Your incredulity here tends to come across as "it's in the TOS, you're all pretty ignorant, I knew about this all along." which isn't all that helpful, even if it's all true.
> People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability.
This is a bit disingenuous, given that you can't really open an account unless you provide a phone number to "verify" it.
Edit for clarification:
As gojomo said below (https://news.ycombinator.com/item?id=22233612) you may not need to provide it during sign-up, but your new account is almost immediately locked for "suspicious activity" and you need to provide a phone to unlock.
Microsoft does the same thing btw. Was really fun for a friend of mine who registered a Microsoft account for Mixer, forgot about it, bought Halo, needed an MS account to log in, thought hey I already have one, and instantly got locked out because it didn't have a phone number.
All 3 asked me for my phone number. It’s getting ridiculous
I wouldn't be surprised if there are 10s of millions of accounts without phone numbers associated with them.
I have a small network of legitimate accounts that they've suspended a few times. In this last round of suspensions, I can't reset any of them with my phone numbers any more.
So, no phone number is required.
So, Twitter is de facto requiring phone numbers on many more accounts than the initial sign-up flow might indicate – to the detriment of user privacy, & increasing the damage of compromises like this one.
I agree that Twitter using this to get people to give them PII they don't want Twitter to have, especially when Twitter aren't a good custodian of that PII, is terrible, but it's not as though Twitter's other option (anybody can mint a thousand bogus Twitter followers with no pushback from Twitter) looks great either.
Third option: don't display follower counts.
I guess the future is to be given the middle finger so eagerly by bad ai all the time
And thus, Twitter more-or-less requires phone numbers from everyone. This increases the risk that Twitter's users will be "doxxed" – and even, when those users anger certain large violent organizations, the risk they'll be assassinated.
To add insult to injury I've been suspended permanently because Twitter's "offence" AI can't distinguish between black humour and a direct physical threat. But that's another story.
I cannot get Twitter to let me back in even though I can verify my email and phone SMS.
I didn't make a backup code because I assumed I could use email/SMS in this situation. It seems not.
So another smaller irony is that you cannot make valid use of your linked phone number that they nag you for.
I don't recall hearing about this option. I followed the link they helpfully included to see if I had it set.
I found that I DID have "Let people who have your phone number find you on Twitter" checked. But did NOT have "Let people who have your email address find you on Twitter" checked.
It's possible I actually chose that at some point, for some reason decided I was okay with "by phone number", but not "by email". But that doesn't sound like me, I'm wondering if I unchecked the "email address" one at some point when the "phone number" one didn't exist; then they later added the "phone number" one defaulted to on?
I am guessing they intend to default all of these to on (opt-out rather than opt-in), cause few people would take the trouble to go and opt-in even if they didn't mind or would like it.
But... you know. Anyway, I've unchecked both of them now.
I don't entirely understand the vulnerability, it sounds like it was "letting people who have your phone number find you on Twitter" just as advertised. "we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries." OK, so... you can't use the API to do that anymore, but can still use the twitter web app directly? I mean, it says right there you are letting people who know your phone number find you on twitter, which I would assume means find your account name.
It kind of sounds like they realized this whole feature was privacy-violating, or would be perceived as such, but they haven't gotten rid of the feature... I'm confused what they considered the vulnerability and what they changed or didn't, and to what extent usernames and phone numbers can still be matched by a third party on twitter.
I looked at mine, which I'm sure I've never touched before because I never cared about Twitter settings. As with my Facebook account, my Twitter account was mostly just created to get an acceptable name in case someday I actually wanted a serious social media presence.
Both are unchecked. The account was created in early 2008.
Both require authentication (although new court rulings may technically be outlawing all charging and quotas for APIs!)
But the API has far more permissive bulk actions. Of course, with a botnet and enough time and effort one could execute a sybil attack to circumvent any per-account quotas, and use per-resource quotas to launch a DDOS attack on some resource to any non-authenticated parties.
I wish there was a service to prevent sybil attacks somehow. Just make it exponentially more expensive to create multiple identities / accounts on networks. Has anyone got links to papers or projects or anything in that direction? It would be hugely valuable.
PS: Twitter and other startups don’t particularly care about sybil attacks and fake users when they are growing, it helps them “innocently” report great user numbers to VCs. So they don’t spend much effort preventing sleeper bots from joining in the network’s growth phase.
Sure, the difference you speak of is only and exactly if the rate-limiting on your API is different than on the other rate-limited (web?) clients, right?
It doesn't have to be, but it often is, for various reasons intentional or accidental. Making the rate limiting the same might be another way to fix the "vulnerability" then? It depends on what they consider the vulnerability exactly; if you don't know what it is you consider the problem, it's hard to fix it, or for you or anyone else to judge if you've fixed it! I find their statement to be vague on what the problem was exactly, as above.
That seems quite hard to believe. Do you have a link?
That link isn't about APIs, isn't about outlawing charging or quotas, and appears to just be about a preliminary injunction rather than a generally applicable ruling. So I'd argue that it doesn't in any way support your initial claim.
Good thing they SUSPENDED those accounts! /s
I found the original notice from Twitter easier to understand (maybe change the URL of this post?) and it does not speak about a bug. Twitter did implement a change so that the attack cannot be done anymore though.
I did not understand the fix itself, it seems the API cannot be used for its intended use anymore?
It doesn't do anything against a targeted attack against someone who has chosen to be discoverable. That's just how search/discovery is intended to work.
* if someone has my phone number in their phonebook and gives it to Twitter - it becomes our data.
Can someone explain this to me please? Are "state-sponsored hackers" this foolish to use the same IP addresses as previous, known IP's used in hacks?
Or is this just the current "because terrorism / because pedophiles" used to cover incompetence?
I don't get it...
There's no equivalent to DNA testing, but sometimes you can have pretty high confidence in an attribution. To be clear, this goes incredibly far beyond looking at IP address geolocation or whatever. That's less than 1% of what you're looking at. That'd be like police assuming a death threat was signed with someone's real name.
There's no way of knowing exactly what they identified or how they did it or if they got it right. I wish more companies would release such information and how they conducted the entire analysis (some do), though I understand that may not be possible due to legal and counter-intelligence reasons.
Combine that with the story that the Saudis had infiltrated Twitter and were spying on users, especially in light of how they treat their opponents (Khashoggi), when do we stop supporting companies that do these obviously poor practices?
Well, you just indicated you chose to continue supporting this company with the poor practice above. What would make you switch away from them? Clearly the spam calls weren't enough.
Since the spam calls and the phone link in though, I have already changed my twitter-name and lost all followers, and since then I pretty much stopped tweeting. Haven't logged in in at least a month now.
The main problem with adoption of an alternative is that I was using it to keep up with the kinds of people that aren't necessarily going to move to an alternative until it reaches some sort of critical mass. My RSS feeds are already full enough without having to add a bunch of random single person blogs to keep up with, so I'm not sure to be honest. Twitter was my main compromise to stay more socially connected with a wider array of people and it's hard to let go of that.
Despite my desire for good federated and open source social networking, it isn't quite there yet, and so for the time being the one social outlet alternative I see glimmers of hope in is WT.Social.
We get these threads a lot here. “Company X charged me for something they didn’t deliver and ripped me off!” So report fraud through your credit card and charge it back. “Bbbbut then they’ll ban me!”
Your frankness is appreciated though, there is some truth there.
Not that I use twitter; people who get on the thing seem to have some bizarro Stockholm syndrome.
I mean, I guess that's been public knowledge already that they serve there, but the overwhelming majority of public companies block the IP space of every country on the embargo list.
I'd think that serving Iran right now would be fairly politically untenable
Twitter's data collection/friend matching feature used an API endpoint that returned usernames given phone numbers. A security researcher exposed it publicly, Twitter patched it (to just return a token or something). Twitter investigated and just released their findings "out of an abundance of caution and as a matter of principle." that it's clearly been "exploited" many times in the past. Twitter probably charges for the data returned by this "exploit". It doesn't look like the settings offered stop Twitter from selling this "exploit" as a service for "promotional" content.
It seems strange not to care that Twitter sells your username but care that they also accidentally gave it out for free in the past.
Some amount of liability on Twitter’s part in this is palpable, but this is also a criminal act on the part of the attacker who should accordingly be brought to justice, or at least an attempt should be made to do so.
If this is happening with law enforcement agencies then I feel like tech companies usually say so. Twitter’s statement says they are “releasing the details” but there’s no mention of law enforcement or state department involvement.
If the press release is meant to achieve this engagement publicly, then there are no actual “details” in it for example, no link to a list of IP addresses, twitter accounts, and times at which the endpoint was accessed!
That's a bit flippant of course, but perhaps there is actually a way they could have released some of those details: ASNs, days of the attack, some other aggregation?
In any case, some reassurance from Twitter that this is being followed up on by a government agency would be good to see.
From 2 months ago:
>Basically Twitter got pwned big time, and now denies it because GDPR will ruin them if breach is proven.
Here is what Doubi's online followers figured:
>State security got all phone numbers used for Twitter phone verification up to May 2019 and possibly till July.
>Twitter haphazardly closed the breach in complete secrecy.
>API hole explanation is excluded as people with 100% private accs got police visits.
>People with foreign SIM cards also got into trouble. So the explanation that China compromised Twitter's SMS providers is also excluded, as it's improbable that they did it in 4+ countries.
>2016 breach is also out of question.
>The only explanation is that they got hold of a big piece of their user DB, or, worse, they have an active infiltrator in Twitter, or Twitter voluntarily cooperated.
Would help a lot with global mobility.
That was slightly different, since at that time the only information we had was that this unethical "security researcher" had exploited the bug for months on billions of phone numbers and only disclosed it once Twitter blocked them.
This announcement is different in that Twitter appear to be saying that this was being abused by other actors as well.
Does anyone know what this actually means? If the contact discovery API doesn't return a username, what does it do? If the answer is that it returns a user ID now instead of username, then presumably that can then be freely queried for the corresponding username..
I think it's kind of funny that they are so draconian with hobbyists and people making toys, but that any motivated bad actor can probably access most of the same endpoints and services by virtue of the fact that they have to be accessible for people to use Twitter.
A much more privacy-respecting method would be to only allow lookups if both parties have each other added.
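As an added illustration (not Twitter's code, and not posted by anyone in this thread) of the difference between the permissive phone/email-to-handle lookup the thread describes and the mutual-contact rule suggested above, here is a toy contact-discovery service with both lookups side by side; the accounts, numbers, opt-in defaults and the per-account lookup quota are all constructed assumptions.

```python
"""Toy contact-discovery service: the permissive lookup the thread describes
beside a mutual-contact, per-account-quota version (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    handle: str
    phone: str
    email: str
    # The thread notes both "let people find you" settings default to on.
    find_by_phone: bool = True
    find_by_email: bool = True
    # Phone numbers / emails this user has uploaded from their address book.
    uploaded: Set[str] = field(default_factory=set)


@dataclass
class ContactDiscovery:
    users: Dict[str, User]                 # keyed by handle
    quota: int = 3                         # hypothetical per-account lookup budget
    spent: Dict[str, int] = field(default_factory=dict)

    def _owner(self, identifier: str) -> Optional[User]:
        for u in self.users.values():
            if identifier in (u.phone, u.email):
                return u
        return None

    @staticmethod
    def _allows(u: User, identifier: str) -> bool:
        return u.find_by_phone if identifier == u.phone else u.find_by_email

    def lookup_permissive(self, identifier: str) -> Optional[str]:
        """Any caller, any identifier -> handle, gated only by the target's setting.
        This is the matching behaviour the thread complains about: a batch of
        harvested phone numbers or emails resolves straight to account names."""
        u = self._owner(identifier)
        return u.handle if u and self._allows(u, identifier) else None

    def lookup_mutual(self, requester: str, identifier: str) -> Optional[str]:
        """Return a handle only if the requester actually uploaded this identifier,
        the target opted in, AND the target also uploaded one of the requester's
        identifiers (the mutual-contact rule). Each account gets a small lookup
        budget so a harvested list cannot be resolved in bulk from one account."""
        used = self.spent.get(requester, 0)
        if used >= self.quota:
            raise PermissionError(f"{requester}: lookup quota exhausted")
        self.spent[requester] = used + 1
        req = self.users[requester]
        if identifier not in req.uploaded:
            return None                    # querying an identifier you never held
        target = self._owner(identifier)
        if target is None or not self._allows(target, identifier):
            return None                    # unknown, or target opted out
        if not ({req.phone, req.email} & target.uploaded):
            return None                    # not mutual: target never uploaded requester
        return target.handle


def build_demo() -> ContactDiscovery:
    """Constructed sample accounts; every value here is made up."""
    alice = User("alice", "+15550000001", "alice@example.com")
    bob = User("bob", "+15550000002", "bob@example.com")
    carol = User("carol", "+15550000003", "carol@example.com")
    dave = User("dave", "+15550000004", "dave@example.com", find_by_phone=False)
    alice.uploaded = {bob.phone, carol.phone, dave.phone}
    bob.uploaded = {alice.phone}           # mutual with alice
    carol.uploaded = set()                 # never uploaded alice: not mutual
    return ContactDiscovery({u.handle: u for u in (alice, bob, carol, dave)})


if __name__ == "__main__":
    svc = build_demo()
    # The permissive endpoint resolves a harvested number with no relationship at all.
    print(svc.lookup_permissive("+15550000003"))        # carol
    print(svc.lookup_mutual("alice", "+15550000002"))   # bob (mutual contacts)
    print(svc.lookup_mutual("alice", "+15550000003"))   # None (carol not mutual)
    print(svc.lookup_mutual("alice", "+15550000004"))   # None (dave opted out)
```

Note that even the mutual version still answers a targeted query for someone who chose to be discoverable, which is the residual risk a later comment in this thread points out.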
All twitter users "agreed" to it when they created their account (via the legal fiction that humans read and agree to terms of service)
Obviously this is morally abhorrent, but in the US the laws are written to protect large corporations like Twitter, not their victims.
It's probably textbook risk analysis lingo, an impact is measurable but an affect is not.
Usually an impact scale is created to define what impact level 5 would involve versus impact 1. It's still arbitrary but more configurable than affect.
Just my two cents, no guarantee.
It's public information.
Do you want to sue the phone telcos for publishing the phone book?
I might call you and check - and check for VOIP numbers, too, so no fakes.
Ah yes, continuing the fiction that anyone who uses a VoIP service must be a fraudster with a faked phone number.
Just another in the long list of if you are not using Google or Microsoft e-mail and AT&T or Verizon or T-Mobile or Sprint postpaid mobile phone service, you're obviously up to no good and deserve whatever "anti-fraud" you get.
No, it isn't.
If I find out your phone number, "stuff4ben", then I know who "stuff4ben" really is.
People have been missing this for a LONG time now. Phone numbers are the unique identifier, especially with portability.
You can use 50 different usernames across 50 different sites but with that phone number, I know they are all you.
Which I can then link up to the 1,000 other sites you use those 50 usernames on without providing your phone number, and it's still likely you.
The NSA's database must be very interesting out at the Utah Data Center. This is how it all works, because you can mask your IP address using Tor but you can't mask any of that unless you've taken very careful steps along the entire history of your internet usage, from the start.
I have a pretty unique name, you can search my first name + "voter registration" and get my address, phone number, and birthdate
Even if my name was common, it'd still be out there
A lot of people are not aware of the fact this information is all public
Besides, weren’t the people who had opted out from the “Let people who have your phone number find you on Twitter” unaffected by this?
Two-factor authentication is a dumb solution to a real problem. The problem should be properly solved, rather than hacked around with stupid solutions like "sending notifications to accounts that can easily be spoofed by willful actors".
SMS Two-factor authentication is a dumb solution. Actual two-factor authentication like FIDO U2F tokens is a better solution. Even TOTP is better than SMS auth.
BTW, your bank account number is the same way if you write checks.
So they're not private in the way that some data (like health information) that you're only going to share very selectively is private. But it's mostly not public in the sense that you'll likely put it online unless maybe it's a business phone.
You wouldn't type your number into a HN comment, would you? Probably not because you know exactly what would happen.
It's playing on words until you find out the PII definition isn't the one that's used to settle GDPR claims.
Parent post insisted on the acronym, that triggered my consistency response reflex.