Twitter says an attacker used its API to match usernames to phone numbers (zdnet.com)
367 points by spzx on Feb 5, 2020 | 231 comments

What happened: Twitter asks users on sign up to scan their contacts (read: steal and upload them). If you say no, Twitter asks again and again every day / every login until you finally allow it to. Twitter builds a huge and unnecessary DB of users and phone numbers, as well as non-users' IDs tied to phone numbers. Someone uses an API to steal this info that in most cases Twitter only collected by tricking their users / forcing it.

Anyone affected by this should be suing Twitter for even collecting this information! My friend can give away my phone number because of this data collection.

A trick I found to stop this nonsense, at least on iOS, is to answer yes to the application's custom dialog asking for permission. This will then invoke the iOS security dialog where you can click "No" and never be asked again.

Generally what I see happening is apps will ask the user if it's okay, and only when the user says yes will they execute the necessary system call to request access. In iOS at least, if a user clicks No the app can never prompt for that permission ever again. Until the app makes this formal request to the operating system, it does not show up under privacy (as the app had never asked for it in the first place).

Your friends/family probably won’t do this, so your phone number is going to be shared with Twitter anyways.

Well then the obvious solution is to start treating phone numbers as you would an email address - effectively public.

I would love a version of privacy.com for phone numbers.

Start? It wasn't that long ago that the phone company published a book with near everyone's phone number in it.

There was no book with everyone's phone number in it. There were many books that covered small regions. If you lived in Oshkosh, Wisconsin and wanted the number for someone in Kansas City, or even Madison, Wisconsin, it wasn't that easy to get that book. Maybe your library had it. Phone numbers on paper aren't that useful. You can't robodial a paper phone book without hiring actual people. But no matter what, you couldn't get millions of phone numbers while sitting on your couch, and if you could they would be useless because they were all on paper.

The books were hard to get, but directory assistance did exist if you called the operator.

I'll bet there are quite a few people on HN that have never dialed 411 or 1-<area-code>-555-1212.

None of that let you treat your phone number as anything other than public.

I mean we realize this thread of argument has nothing to do with the point right?

A cell phone number does not equal your kitchen phone in terms of access to information. The whole thing is moot. The issue now is that this is my personal phone number, me, personally, and it is being used as a piece of validating information in a variety of compromised databases.

This just isn’t true. Ever heard of the Haines Directory?

I used it at a summer job in the late 80’s. You could order reverse lookup books for anywhere you wanted, and of course could get that data electronically too. You could also call information for anywhere you could think of by dialing the area code plus 555-1212.

Never heard of it, but how much did it cost? How much did the reverse lookups cost? And even if you could get it electronically, there was no practical way to do much with them.

With the Twitter leak, millions of phone numbers/names are available for free instantly, and the technology to do some harm with them is readily available.

In my country it is voluntary to be listed in such a phonebook, whereas with even a small number of friends the chances approach 100% that at least one of them has had my contact info stolen by Twitter, FB, WA, etc. If I don't like this I would have to stop giving out numbers and not be reachable by SMS/call.

I have a friend of mine who flat out refuses to give out the email address or any contact info of the people I meet at his house. It has been a bit annoying a time or two.

Phone numbers used to be really public. As in "Someone has collected your phone number, your address and family name and put it in this huge book they update every year. And they drop a copy of this book on everybody's porch.".

This is completely correct behaviour if you ask me. So you met me at someone's house, so what, it gives you the right to contact me?

You could always ask your friend to relay a message right?

These people, I have been seeing them at his house on numerous occasions; we are on a first-name basis and share open jokes.

It's not like I had glimpsed someone's shoulders and wanted to cold call them to pitch them my startup idea of the week or creepily ask for a date (I remember it was to follow through with a conversation about DIY hydroponics with one and coffee brewing with another). Friend got tired of relaying messages at some point :). We rarely got to the point of giving out contact information in the moment though (that was the flow of those meetings, and I think it's not a cultural thing to exchange business cards in such settings in my country). Also, we are not the kind of people to hang out on Facebook, so discovery is weak.

Totally agree it is correct behaviour with strangers though.

And it was only a minor annoyance at some point, so well... no biggie. (Except that time he divorced and he wouldn't give me his ex-wife's number so I could get back some DVD she had borrowed.)

edit: also, I wouldn't ask for contact info if I wasn't confident that it was okay for the person to get a call from me and I am confident that my friend knows I won't mess up things by being inappropriate.

I see where you are coming from. I just meant as a general rule it is better to not give out people’s information.

The message your friend could have relayed could have been “hey is it ok if I get your contact info?”.

What your friend isn’t getting right is that maybe you and his friends DO want to contact each other. He is deciding for both parties that they don’t. He could adjust his behaviour on that front a bit.

Why not just ask the people directly for their contact information? Or vice versa ask your friend to ask them if it's okay to hand out your contact information?

I've had several friends ask if it's okay to give out my contact information to third parties who were interested in acquiring this information to continue conversations through more private channels.

But there was always an element of consent involved on my part.

> I have a friend of mine who flat out refuses to give email address or any contact info of the people I meet at his house.

Is there a reason you do not ask those people for their contact information directly?

> Well then the obvious solution is to start treating phone numbers as you would an email address - effectively public.

> I would love a version of privacy.com for phone numbers..

I've used google voice and twilio for something similar, though nowhere near as plug and play as a privacy.com-like solution.

I wish there was an easy way to effectively only allow whitelisted callers to call you directly (and the rest of the calls to go to voicemail). That's what I do with my email at least.

You might find this interesting: https://phoneprivacy.co/

I get nuisance phone calls all the time, it is a lot more disruptive than nuisance emails.

Unless you have no Twitter account.

That doesn't matter.

As long as one of your friends or relatives has one and agrees to upload their contact list (with your number included).

Note this trick is also generalizable to apps/websites asking for notification permissions.

Ideally, iOS would have an option to say "always deny Contacts access and never bring up a dialog again".

I don't share my contacts with any app, and I hate being asked again and again for every single new app. No means no.

Actually for most things in iOS, once the system dialog has been brought up, the operating system won't allow it to be brought up again. It won't stop the application in question from nagging you, but at least then even if you click "allow" on the application pop-up the system will still require you to go into the app permissions and explicitly allow it.

That's exactly what iOS does, the app is making a fake system popup to ask multiple times and only brings you the real system popup if you agreed to the first one.

Why does Apple allow that for App Store apps? That's obvious circumvention of iOS's privacy control regime.

My post below is wrong, please move along. Keeping as-is, so the replies make sense. Thanks repliers!

The native prompts don't allow for app specific explanatory text to be presented. I haven't reviewed iOS guidelines, but Google provides guidance to inform users of why you're asking for permissions before you do it, and I would guess Apple would suggest the same as well. Pestering people for access once a day is probably not within the scope of the guidelines though.

> The native prompts don't allow for app specific explanatory text to be presented

Not true. iOS apps can specify explanatory text to be included in the native prompt. In fact they are required to do this, since at least two years ago.

The NSContactsUsageDescription string (in the Info.plist file) is the place to specify this.

Incorrect, iOS does allow explanatory text on the system prompt, in fact it’s required.

There is no good reason for Apple to allow apps to mask permission requests with their own dialogs, it’s just a case of not bothering to fix this loophole.

Why do people keep saying clearly wrong stuff? You sound like you know what you are talking about, but are 100% wrong.

I've had apps ask me to go to system settings myself to enable some permissions because I've disabled them via the said OS prompt.

Similar to being asked "do you like this app?" If you say "Yes", you are directed to rate it, if "No", you are not.

This worked for me also.

> Anyone affected by this should be suing twitter for even collecting this information! My friend can give away my phone number because of this data collection.

Given the ramifications of leaking the name plus phone number of people who never agreed to anything directly with Twitter and just had their contact details trawled by any of their friends signing up: not good. On top of that, hijacking phone numbers has been done many ways and many times; even the CEO of Twitter had that stunt pulled on him. And 2FA for many is a text message sent to your phone number. The ramifications of this could be bigger than they first appear. And remember, they only just found this; how long has this been open to such abuse? So for anybody who had their phone number hijacked in X period of time, this might be a possible explanation in some of those instances.

Legally, no idea how this will pan out, but this is certainly not the last we'll read about it.

> What with 2FA for many being a text message sent to your phone number

We should also sue companies who continue to use SMS as part of their 2FA system and/or for account recovery.

You can also match phone numbers and Instagram accounts.

Apple could nip this in the bud: don’t allow apps to read a full contact list at all. Use a contact picker when needed.

This certainly would break plenty of valid use cases for a feature like this. More likely they ought to have policy in their developer docs to scope reasonable uses of the full contact list and start rejecting updates for applications that violate the new rule.

What's a valid use case for being able to read all contacts vs asking the user for a specific contact selection and choosing to approve sharing it?

Any application whose primary concern is something with contact lists. Maybe it offers a special view into it. Maybe special searches. Maybe a better management interface.

An alternate phone or texting app.

I can't imagine it would be difficult to implement a "Select All Contacts" functionality, in addition to selecting individual contacts and/or selecting all then deselecting some. Automatically allowing access to future contacts also shouldn't be difficult. There is no need for apps to always have access to all contacts.

I’m not sure how that would be functionally different than the current situation. Instead, simply regulating how contacts are allowed to be used would remove the need to build a logically complex system, and since Apple already reviews every app submission it would just be one more thing for a reviewer to check.

How will apps like Whatsapp work then?

I don't give WhatsApp access to my contacts. Few enough people in my life use it, and they all have different profile pictures.

I find it very weird to find, for example, my boss, or certain specific coworkers, on any social app. I don't want them to be able to find me either. This design decision of giving apps your entire contacts book by default has to die, and individual users need more choice instead.

WhatsApp has 1.5B MAU. I don't think people are interested in adding each and every one manually. I want to know how that would work for the majority of those people and not you personally.

> I don't think people are interested in adding each and every one manually.

If they are interested, then they'll find a way.

That's great for you, but WhatsApp is the de facto standard messaging app in a lot of countries. Memorizing a hundred numbers, or profile pictures (assuming that everyone has one), is just not feasible.

An app (such as WhatsApp) getting access to all contacts is a valid use case, even though it doesn't apply to you.

And sadly for him, it doesn't matter anyway, presumably most if not all his friends already uploaded their address books, so WhatsApp already knows his real name and phone number and network of friends...

No. When you want to chat with a new person, WA just needs the contact of that single person.

I use WhatsApp without allowing them access to my contacts. I have to just add people's numbers manually and I have to memorize who is who based on # and profile picture (thankfully the people I talk to with WhatsApp all have different area codes).

I don't use Facebook nor Instagram, and I only use WhatsApp for 3 Android users, the rest of the people I talk to I use iMessage.

> I use WhatsApp without allowing them access to my contacts.

That appears to be impossible for WhatsApp on Android. Someone wanted me to install it a bit ago, I refused to give it access to my contacts and it refused to do anything else until I did.

So I deleted it and we used Signal instead.

It is possible on Android, but if you do, you can't initiate any conversation - the remote party has to speak first.

We did try that and it supposedly claimed to the other party that I didn't have the app installed. Not that that would have been a scalable solution anyway, since then no pair of people could use it unless one of them gave it all their contacts.

Meanwhile the option remains available to use a different app that doesn't behave that way.

So why should iMessage get all of your contacts by default?

I made the choice for Apple to have my contacts by buying an iPhone. If I didn't want Apple to have my contacts (as I do not want Google or Facebook to have mine) I would have not bought an iPhone.

Personally, I made the choice for Apple NOT to have my contacts (by entirely disabling iCloud). The only company I accept handling my contacts is the one I paid (Fastmail).

Apple doesn’t get all your contacts.

Your local Apple device has a messaging app (iMessage) that can see all the contacts on it.

iCloud puts contacts on Apple servers.

Yes, you sound like a very typical whatsapp user, I can see how whatsapp could work fine without contacts access, since most users are like you. 3 total contacts, all with different area codes -- very typical, I don't know why whatsapp even asks for contact access, probably something nefarious.

> If you say no, twitter asks again and again every day / every login until you finally allow it to.

Any proof of this claim? I use Twitter on Android and web frequently and I only refused such a request once or twice.

Bottom line, it doesn't "ask again and again every day".

Consider yourself lucky; any account I create without a phone is immediately flagged/blocked, and if I do use mine (personal), I get asked to add permissions like the parent said every single time.

An account associated with a phone number is totally different from "scan your contacts".

I've been using Twitter daily pretty much continuously since 2008 and I don't remember ever being prompted to upload contacts. I can believe it has happened at some point, but it certainly doesn't repeatedly ask me. I use the web interface and the first-party iOS app (though over the years I have also used various third-party apps on both iOS and macOS).

If you use the web client, they have a header that asks for your phone number repeatedly until you give it.

OP was talking about "Twitter asks to scan your contacts", not to add a phone number.

That's not the only way Twitter uses to collect phone numbers. It can arbitrarily block your account and require you to confirm a phone number to unblock it (under the excuse of "better security"). How disclosing your phone number helps you be safer I don't understand.

Now those collected and leaked phone numbers will be available not only to Twitter and US government but to anyone wishing to buy them from hackers.

> Anyone affected by this should be suing twitter for even collecting this information! My friend can give away my phone number because of this data collection.

If you made some agreement as to how your friend could use your phone number and 'sharing with Twitter' is a violation, then you could sue them, I suppose. Annoying as this data collection is, labeling information about you as only yours is incorrect; it's your friends' and Twitter's (and Google/FB/AMZ/etc.) information too.

Twitter should be seen as an asylum if you ask me. But yes, if they leaked numbers from third parties not involved in Twitter at all, there should be severe legal consequences.

But I doubt there is much incentive to even create a legislative basis for such transgressions. Complicated topic to be fair, but we will only see improvements if there are severe penalties for "losing" data. Since no system is safe, the only alternative left is not to collect info you do not need.

It's for this reason that I use PWAs wherever possible. Right now I'm using them for Twitter and Uber. Tired of turning off permissions and then having to do it again when apps auto-update and restore the original permissions.

> Twitter asks users on sign up to scan their contacts

To be clear, this applies to the Twitter app for iOS and Android, correct?

I exclusively use the Twitter web interface (even on my Android phone) and I have never been asked this.

I just quit when they finally said I had to in order to log in.

In some countries (including mine), all SIM cards/phone numbers are registered to an individual, so this is a pretty big deal.

Twitter has never asked to access my contacts before. Where are you seeing this?

I think they're selecting a target demographic to do this, because for, e.g., Japanese users, having a Twitter account associated with their real name means they'll be laughed at by everyone close to (maybe 25% literal) death. Same for follow suggestions based on IP.

Yes, totally. Thieving from a thief logic applies here.

Quick & dirty fix: never use built-in/default apps for storing contacts list on your devices.

I was amazed when I found out about this "trick" a year or two ago. It basically means that if you've used your personal email or phone number to create an "anonymous" twitter handle (e.g. a whistleblower, leaker, etc.), then it's not anonymous at all.

Someone can just put batches of emails into their gmail account (e.g. journalists' public emails, their employees' emails, other suspects), then use the Twitter contacts-import functionality to import those emails and match them up with Twitter account handles. It's insane.

I first saw people explaining how to do this on Quora a year or two ago, but here's another explanation that was posted just a few days before this announcement: https://www.quora.com/How-228/answer/William-Boyd-181

Twitter MUST have known about this loophole for many years. It's nigh on impossible that they are that incompetent, so, as far as I can see, they were just ignoring the loophole because they didn't want to slow down their growth by removing the feature. As with all social networks, the most important factor in keeping users is to quickly get them a network of followers and followees.

> "People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability," Twitter said.

This spokesperson is extremely sneaky. They completely neglect to mention that the "let others find me by email" is checked by default, and so we can only assume that anyone who has a publicly scrape-able email somewhere (basically everyone, because you've got to count all the leaked databases too - see: haveibeenpwned.com) has had their Twitter handle linked to that email. Atheist bloggers in Saudi Arabia, whistleblowers in the US, opposition activists in Russia, and so on - all potentially fucked over (past tense) by this.

And while I'm ranting: What's worse is that they apparently haven't disabled that API. They've just removed a few big crawler swarms. But the thing is, Russia / Saudi Arabia / etc. probably have narrowed their suspects down to 500 (or so) emails anyway, so they can discover the heretic/activist in a SINGLE API REQUEST! So Twitter has done nothing to fix this loophole.

Yes, this is the thing everyone should be talking about. Think of any of the bigger Twitter posters on Hong Kong. If any of the ringleaders didn't decouple their Twitter handle from everything else, they will have a giant bullseye painted on them by the CCP.

The first thing Twitter proposes when you create an account: "Do you want to match emails and phone numbers to account".

In this thread: "How can it be possible to match emails and phone numbers to accounts?"

It's not a loophole, it's a feature.

It's in the TOS before you sign up: "Twitter also uses your contact information to market to you as your country's laws allow, and to help others find your account if your settings permit, including through third-party services and client applications."

How can someone then not realize this is a possibility? At what moment can someone start to even begin to think Twitter is a safe place for endangered people? It's an ad company, what do you expect really?

The fact that you're citing the TOS is not exactly helping your case, since it's well known that basically no one reads those. I'm not as concerned about techy people as I am about the average person's understanding of their identity privacy on Twitter.

But even as a techy person I was surprised by how easy it is for a random person to link millions of identities. And I'm obviously not alone given that this post made it to the front page. So when you say "what do you expect really?" - well, most people expect that a random person can't discover their email from their twitter handle. I think that's a completely fair expectation, and people should rightly be concerned about this "feature". Posts like this should be upvoted, because a lot of people aren't aware.

Your incredulity here tends to come across as "it's in the TOS, you're all pretty ignorant, I knew about this all along," which isn't all that helpful, even if it's all true.

We need to nationalize Twitter & FB & Google, so we can get some decent privacy options. Without this, it will be impossible for us to secure friends and family we care about. Sure nerds can secure things themselves, but that's totally insufficient. Until then, things will only get worse.

From Twitter's statement:

> People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability.

This is a bit disingenuous, given that you can't really open an account unless you provide a phone number to "verify" it.

Edit for clarification:

As gojomo said below (https://news.ycombinator.com/item?id=22233612) you may not need to provide it during sign-up, but your new account is almost immediately locked for "suspicious activity" and you need to provide a phone to unlock.

The whole phone-number-for-added-security two-factor auth thing has been quite the scam.

Why wouldn't you though, that's gotta be pretty juicy data. You can compare phone numbers across so many different databases now, makes profile creation 10x more efficient. Not really surprising that everyone wants your phone number badly these days.

Microsoft does the same thing, btw. It was really fun for a friend of mine who registered a Microsoft account for Mixer, forgot about it, bought Halo, needed an MS account to log in, thought "hey, I already have one", and instantly got locked out because it didn't have a phone number.

I bought a dress, a cookie, and a book yesterday from a mall in India.

All 3 asked me for my phone number. It's getting ridiculous.

India is just ridiculous in this regard. Recently, there's some app at security gates at the entrance of apartments that asks for phone numbers. It's strange that one needs a phone number to visit my friend.

Context for others, the app is likely https://mygate.com/

Do you put your real number in for those kinds of purchase? I generally just put in a random 800- number.

I just say "No, thanks" with a smile.

I went to the Apple Store to buy a router. It took me involving the manager before the guy let me pay without leaving my name and address.

Doesn't India link phone numbers to bank accounts?

As I've understood it, it's more like you can charge (some things) to your phone bill. Like buying ringtones/apps for 00's phones, but not just phone-related purchases.

lonelappde is right. All bank accounts in India must(?) have a registered phone number associated with them. This was primarily done to ensure SMS transactional alerts, but has escalated to all sorts of use cases now (including the enforced, regulated way of doing 2FA).

Having something as personal as a phone number should be seen as a liability, not an asset.

It's for anti-spam. Preventing people from generating millions of free accounts is valuable.

It's batshit crazy. But the PR campaigns/marketing by the companies that want your phone number for other reasons seems to have worked.

That might be the case now, but Twitter didn't always require them.

I wouldn't be surprised if there are tens of millions of accounts without phone numbers associated with them.

They "requested" my phone number after the fact. And by "requested" I mean I wasn't exactly given a choice. I wasn't able to access my account until I provided a number. Of course all this was for "security" reasons. Personally I'd prefer to use Google authenticator anyway.

I feel as if one of the many elephants being overlooked here is how 'security' is being abused to further data collection. When an account gets locked now, I don't think it is for actual security, but to increase data collection. Tragedy of the commons being exploited by major websites. The same ones which also want to hold themselves as the arbiter of truth (or at least as one of the Arbiter's official spokesmen).

Does this vulnerability affect people who added a phone number but then removed it? Last time I tried, this method was effective for getting around the "suspicious activity" lock.

Even if you disconnect the number, they still keep it on file.

I have a small network of legitimate accounts that they've suspended a few times. In this last round of suspensions, I can't reset any of them with my phone numbers any more.

No, it wouldn't work. It only works if people can discover you with the "find people you know from your address book" feature. A deleted number won't match. Or you can just turn it off in your discoverability settings.
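The comment above (a removed number no longer matches, and the discoverability setting switches matching off) and the earlier rant about the default-on "let others find me" setting and the endpoint that still answers a single well-targeted request both describe the same server-side feature. The following is an added Python model of such a contact-discovery endpoint written from the defender's side; it is not Twitter's code, and the data model, the limits, the enumeration heuristic and the sample directory are all constructed assumptions. It shows that only opted-in users with a number on file can ever be returned, and that a per-request cap alone does nothing against a caller who sends many small batches, which is why the model also tracks the accumulated match ratio per calling account.

```python
"""Toy model of a contact-discovery endpoint with defensive controls.
Added example, not Twitter's code: the data model, the limits and the
enumeration heuristic are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
import re


def normalize(phone: str) -> str:
    """Keep digits only so '+1 (555) 010-0100' and '15550100100' collide.
    Constructed assumption: a bare 10-digit national number is +1."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 10:
        digits = "1" + digits
    return digits


@dataclass
class User:
    handle: str
    phone: Optional[str]                 # None once the user removes the number
    discoverable_by_phone: bool = True   # "Let people who have your phone number find you"


@dataclass
class Budget:
    looked_up: int = 0
    matched: int = 0


class ContactDiscovery:
    PER_REQUEST_CAP = 500     # constructed: max numbers per call
    DAILY_LOOKUP_CAP = 5000   # constructed: max numbers per calling account per day
    MIN_SAMPLE = 1000         # constructed: volume before the ratio test applies
    MIN_MATCH_RATIO = 0.05    # constructed: a real address book matches far more often

    def __init__(self, users: List[User]) -> None:
        # Only discoverable users with a number on file enter the index, so an
        # opted-out user or a removed number can never be returned.
        self.index: Dict[str, str] = {
            normalize(u.phone): u.handle
            for u in users
            if u.phone and u.discoverable_by_phone
        }
        self.budgets: Dict[str, Budget] = defaultdict(Budget)
        self.flagged = set()

    def match(self, caller: str, phones: List[str]) -> Dict[str, str]:
        """Return {normalized_phone: handle} for numbers that are discoverable."""
        if len(phones) > self.PER_REQUEST_CAP:
            raise ValueError("too many numbers in one request")
        if caller in self.flagged:
            raise PermissionError("caller flagged for enumeration")
        budget = self.budgets[caller]
        if budget.looked_up + len(phones) > self.DAILY_LOOKUP_CAP:
            raise PermissionError("daily lookup budget exhausted")

        hits: Dict[str, str] = {}
        for raw in phones:
            key = normalize(raw)
            if key in self.index:
                hits[key] = self.index[key]

        budget.looked_up += len(phones)
        budget.matched += len(hits)
        # A per-request cap alone does nothing against a caller who sends many
        # small batches; the match ratio over accumulated volume is what
        # separates an uploaded address book from a sweep of a number block.
        if (budget.looked_up >= self.MIN_SAMPLE
                and budget.matched / budget.looked_up < self.MIN_MATCH_RATIO):
            self.flagged.add(caller)
        return hits


# Constructed sample directory.
USERS = [
    User("alice", "+1 555 010 0100"),
    User("bob", None),                                           # removed his number
    User("carol", "+1 555 010 0102", discoverable_by_phone=False),  # opted out
    User("dave", "+1 555 010 0103"),
]


def address_book_sync() -> Dict[str, str]:
    """A normal client uploading a small, real address book (constructed)."""
    svc = ContactDiscovery(USERS)
    book = ["555-010-0100", "(555) 010-0101", "555-010-0102", "+1 555 010 0103"]
    return svc.match("normal-app", book)


def sweep_is_flagged() -> bool:
    """Synthetic test traffic: a block of numbers with almost no hits."""
    svc = ContactDiscovery(USERS)
    for start in range(0, 1500, svc.PER_REQUEST_CAP):
        batch = [f"+1555020{n:04d}" for n in range(start, start + svc.PER_REQUEST_CAP)]
        try:
            svc.match("bulk-caller", batch)
        except PermissionError:
            break
    return "bulk-caller" in svc.flagged


if __name__ == "__main__":
    print(address_book_sync())      # only alice and dave are returned
    print(sweep_is_flagged())       # True: flagged after 1000 lookups with 0 hits
```

The two functions at the bottom exercise the model: the address-book sync returns only alice and dave (bob removed his number, carol opted out), while the synthetic sweep is flagged as soon as its accumulated volume crosses the sample threshold with a match ratio near zero. Thresholds are deliberately constructed values; in a real deployment they would be tuned against observed legitimate sync traffic.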

Instead of providing a phone number you can also email support and complain about the account lock. But yeah, it's a pretty scummy bait and switch behavior.

I personally tried this. Pregnant silence.

I had to send at least six emails to get this to work. Six.

My account was locked, I never sent a single tweet or even followed anyone, just refused to provide them more information about myself.

Same, looks like twitter just locks any account that isn't active enough for some reason.

So people don't generate thousands of accounts then sit on them until they want to spam with legit-looking seven year old accounts.

Indeed: using email based sign up usually immediately triggers a suspension. It can take as little as a few minutes.

I just checked the twitter signup form, which does have a phone input. But there's a toggle saying "use email instead".

So, no phone number is required.

New accounts without an associated phone number tend to face a lock & challenge, for "suspicious activity" (even if they've never posted), which can only be reversed by adding a phone number.

So, Twitter is de facto requiring phone numbers on many more accounts than the initial sign-up flow might indicate – to the detriment of user privacy, & increasing the damage of compromises like this one.

Note that activities which are potentially suspicious aren't just about posting, it includes following people, because that makes their follower count go up, and the whole point of displaying that count is most people want to appear popular - and so of course people create bogus followers.

I agree that Twitter using this to get people to give them PII they don't want Twitter to have, especially when Twitter aren't a good custodian of that PII, is terrible, but it's not as though Twitter's other option (anybody can mint a thousand bogus Twitter followers with no pushback from Twitter) looks great either.

> I agree that Twitter using this to get people to give them PII they don't want Twitter to have, especially when Twitter aren't a good custodian of that PII, is terrible, but it's not as though Twitter's other option (anybody can mint a thousand bogus Twitter followers with no pushback from Twitter) looks great either.

Third option: don't display follower counts.

Hiding counts makes it hard to identify imposter accounts and bots. Users need to be able to see account age and counts at a minimum.

I never used twitter until last year when I made an account. They flagged me for following 5 people and liking some posts, locked me out, and notified me that any attempts to send support a request would be ignored. I can’t even log in or contact anyone to delete the account.

I guess the future is to be given the middle finger so eagerly by bad AI all the time.

If using the application for its intended purpose makes your account seem not-human, just who or what did they design the application for?

For entities whose behavior fits their model. It's called negative selection[1], a mandatory attribute of an emerging dictatorship.

[1] https://en.wikipedia.org/wiki/Negative_selection_(politics)

Yes, Twitter now considers everything "suspicious", including the minimal steps required to use Twitter as a logged-in account at all, like "following people" (even just a few).

And thus, Twitter more-or-less requires phone numbers from everyone. This increases the risk that Twitter's users will be "doxxed" – and even, when those users anger certain large violent organizations, the risk they'll be assassinated.

My account (created without entering a phone number) was locked immediately after logging in the first time, from the same IP I signed up with, without performing any actions. This was over 12 months ago.

They let you create an account without a phone number, and immediately afterwards lock the account until you provide one, for alleged "suspicious activity".

Try it.

Can confirm this. Tried to set up a new Twitter account for business use, got the phone number challenge but wasn't able to go any further because the number I wanted to use was "already in use" i.e. my own number I already stupidly associated with my personal twitter account.

To add insult to injury I've been suspended permanently because Twitter's "offence" AI can't distinguish between black humour and a direct physical threat. But that's another story.

The same thing happened to me. But I was somehow able to create a new account on Microsoft Edge. It hasn't been disabled, but I don't plan to use it. If they want to kill their own business, I say let them.

They insta-banned two new accounts from me (for side projects) after I entered my phone number, which was associated with my personal account. They went from a no-law-free-spam zone to shoot-first-and-don't-ask-later.

Disagree. If you make a Twitter account and then use it without a phone number it will quickly be locked to force you to prove you're human. It took less than 3 hours for mine. They want my phone number to unlock it enough to delete the account. No way.

The deepest irony of all this is that they require phone numbers to verify accounts, which should cut down on fake accounts, yet they had a large amount of fake accounts using this very feature, which means verifying with a phone number may not be super effective anyway...

I factory reset my phone, so I lost my gauth 2FA for Twitter. I'm locked out now.

I cannot get Twitter to let me back in even though I can verify my email and phone SMS.

I didn't make a backup code because I assumed I could use email/SMS in this situation. It seems not.

So another smaller irony is that you cannot make valid use of your linked phone number that they nag you for.

> The endpoint matches phone numbers to Twitter accounts for those people who have enabled the “Let people who have your phone number find you on Twitter” option and who have a phone number associated with their Twitter account.

I don't recall hearing about this option. I followed the link they helpfully included[1] to see if I had it set.

I found that I DID have "Let people who have your phone number find you on Twitter" checked. But did NOT have "Let people who have your email address find you on Twitter" checked.

It's possible I actually chose that at some point, for some reason decided I was okay with "by phone number", but not "by email". But that doesn't sound like me, I'm wondering if I unchecked the "email address" one at some point when the "phone number" one didn't exist; then they later added the "phone number" one defaulted to on?

I am guessing they intend to default all of these to on (opt-out rather than opt-in), cause few people would take the trouble to go and opt-in even if they didn't mind or would like it.

But... you know. Anyway, I've unchecked both of them now.

I don't entirely understand the vulnerability, it sounds like it was "letting people who have your phone number find you on Twitter" just as advertised. "we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries." OK, so... you can't use the API to do that anymore, but can still use the twitter web app directly? I mean, it says right there you are letting people who know your phone number find you on twitter, which I would assume means find your account name.

It kind of sounds like they realized this whole feature was privacy-violating, or would be perceived as such, but they haven't gotten rid of the feature... I'm confused what they considered the vulnerability and what they changed or didn't, and to what extent usernames and phone numbers can still be matched by a third party on twitter.

[1]: https://twitter.com/settings/contacts

> It's possible I actually chose that at some point, for some reason decided I was okay with "by phone number", but not "by email". But that doesn't sound like me, I'm wondering if I unchecked the "email address" one at some point when the "phone number" one didn't exist; then they later added the "phone number" one defaulted to on?

I looked at mine, which I'm sure I've never touched before because I never cared about Twitter settings. As with my Facebook account, my Twitter account was mostly just created to get an acceptable name in case someday I actually wanted a serious social media presence.

Both are unchecked. The account was created in early 2008.

Yeah, same. Account created in Oct 2007, never checked, and I have everything turned off.

Also unchecked, and I have my phone number there.

If you’re in the EU they were likely disabled in 2018 as part of the GDPR prompt.

Honestly, there is a world of difference between having an API to do things in bulk and only allowing rate-limited clients to do something.

Both require authentication (although new court rulings may technically be outlawing all charging and quotas for APIs!)

But the API has far more permissive bulk actions. Of course, with a botnet and enough time and effort one could execute a sybil attack to circumvent any per-account quotas, and use per-resource quotas to launch a DDOS attack on some resource to any non-authenticated parties.

I wish there was a service to prevent sybil attacks somehow. Just make it exponentially more expensive to create multiple identities / accounts on networks. Has anyone got links to papers or projects or anything in that direction? It would be hugely valuable.

PS: Twitter and other startups don’t particularly care about sybil attacks and fake users when they are growing, it helps them “innocently” report great user numbers to VCs. So they don’t spend much effort preventing sleeper bots from joining in the network’s growth phase.

> a world of difference between having an API to do things in bulk and only allowing rate-limited clients to do something.

Sure, the difference you speak of is only and exactly if the rate-limiting on your API is different than on the other rate-limited (web?) clients, right?

It doesn't have to be, but it often is, for various reasons intentional or accidental. Making the rate limiting the same might be another way to fix the "vulnerability" then? It depends on what they consider the vulnerability exactly; if you don't know what it is you consider the problem, it's hard to fix it, or for you or anyone else to judge if you've fixed it! I find their statement to be vague on what the problem was exactly, as above.

> (although new court rulings may technically be outlawing all charging and quotas for APIs!)

That seems quite hard to believe. Do you have a link?


That link isn't about APIs, isn't about outlawing charging or quotas, and appears to just be about a preliminary injunction rather than a generally applicable ruling. So I'd argue that it doesn't in any way support your initial claim.

You can also delete your phone number completely - there's no real reason for Twitter to have it, especially now that it's not required for 2fa.

You will receive account suspensions shortly after / days after removing it, at least in my experience.

That happened to me, although I contacted support and they restored it the following day, no questions asked.

Didn't you use to tweet via SMS? I assume that's still an option? Seems like a valid reason for them to have it.

They turned it off after somebody simjacked jack.

I have the inverse, I never did check it myself. That I can assure you of. I don't care for anyone finding me on social media.

Based on the "large network of fake accounts", I'm guessing the attackers were doing something to effectively query every possible phone number and associate an account to each one.

@fake_twitter_account_212_111_xxxx w/ a phonebook contact list of "212-111-0000" => "212-111-9999". Lather, rinse, repeat. You'd need ~10M accounts w/ ~1000 phone numbers in each, and that can be reduced by some percentage if you know how U.S. phone numbers are assigned (ie: don't check for xxx_555_xxxx numbers, prefer highly populated prefixes, etc.)

Good thing they SUSPENDED those accounts! /s

You can probably narrow down the list to just existing mobile numbers by sending a text message to each one, and then just do this for ones where the text message actually goes through.

Maybe you can upload lists several times from same account? Then you don't need 10M accounts.

Any chance this means they'll get rid of their popup that asks for my phone number every time I visit? You only have to refresh the page to get rid of it, but it is annoying. This incident shows they don't know what they are doing and don't respect their users' data.

I read the article and thought, "well, yes, the option that needed to be enabled on the account for the attack to work describes what the API did, what is the bug?"

I found the original notice from twitter [1] easier to understand (maybe change the URL of this post?) and it does not speak about a bug. Twitter did implement a change so that the attack cannot be done anymore though.

I did not understand the fix itself, it seems the API cannot be used for its intended use anymore?

[1] https://privacy.twitter.com/en/blog/2020/an-incident-impacti...

The fix was to block the botnets that were scanning millions of numbers and ban the associated accounts. Likely that includes some ongoing threat detection as well. That'll at least prevent scammers from collecting one more account name/number to attempt exploiting.

It doesn't do anything against a targeted attack against someone who has chosen to be discoverable. That's just how search/discovery is intended to work.

The intended use was for a user to submit their contact data (phone book). Twitter's API would return a list of usernames matching those numbers for the purpose of requesting/notifying/suggesting potential friends (in exchange for their* data used to build a social graph/sell). Twitter patched/updated the API which means (the API probably returns a token or key or something that doesn't reveal the username now) if someone wants to submit a list of phone numbers to get their Twitter usernames they'll have to pay Twitter[0] or use a different "exploit".

* if someone has my phone number in their phonebook and gives it to Twitter - it becomes our data.

[0] https://business.twitter.com/en/help/overview/what-are-promo...

> Twitter did not clarify who these third-parties were, but it did say that some of the IP addresses used in these API exploitation attempts had ties to state-sponsored actors, a term used to describe either government intelligence agencies, or third-party hacking groups that benefit from a government's backing.

Can someone explain this to me please? Are "state-sponsored hackers" this foolish to use the same IP addresses as previous, known IP's used in hacks?

Or is this just the current "because terrorism / because pedophiles" used to cover incompetence?

I don't get it...

I've been involved in research of this nature, though not specifically attributing APTs. Think of it like old school detective work: every crime and every criminal leaves traces, including the traces of the ways they attempt to prevent being traced. This sometimes also includes attempts to impersonate other entities ("false flags"). No matter how many layers of indirection an attacker uses, there's going to be at least one thread to pull on.

There's no equivalent to DNA testing, but sometimes you can have pretty high confidence in an attribution. To be clear, this goes incredibly far beyond looking at IP address geolocation or whatever. That's less than 1% of what you're looking at. That'd be like police assuming a death threat was signed with someone's real name.

There's no way of knowing exactly what they identified or how they did it or if they got it right. I wish more companies would release such information and how they conducted the entire analysis (some do), though I understand that may not be possible due to legal and counter-intelligence reasons.

Yeah I never believe the "state-sponsored" hackers claim, or any claim to the location of them, until those hackers get caught and convicted based on real evidence. It's basically guesswork anyway. And certainly to a company like Twitter who doesn't even have the capabilities to really investigate a hack, compared to say the NSA, CIA or similar spooks.

Went on a tweet storm a few months ago. Twitter locked my account and forced me to give my phone number. I started getting spam calls at a level I didn't before (may be coincidence, but I am very tight about that sort of thing, I don't even give my grocery store my #) and I knew, just knew, that at some point this very thing would happen.

Combine that with the story that the Saudis had infiltrated Twitter and were spying on users, especially in light of how they treat their opponents (Khashoggi): when do we stop supporting companies that do these obviously poor practices?

> when do we stop supporting companies that do these obviously poor practices?

Well, you just indicated you chose to continue supporting this company with the poor practice above. What would make you switch away from them? Clearly the spam calls weren't enough.

It's a complicated issue. I am very privacy focused, the kind of person that doesn't do facebook, burns accounts on different forums regularly, etc, but I have to admit I enjoyed the information I got out of twitter while not enjoying some of their recent changes.

Since the spam calls and the phone link in though, I have already changed my twitter-name and lost all followers, and since then I pretty much stopped tweeting. Haven't logged in in at least a month now.

The main problem with adoption of an alternative is that I was using it to keep up with the kinds of people that aren't necessarily going to move to an alternative until it reaches some sort of critical mass. My RSS feeds are already full enough without having to add a bunch of random single person blogs to keep up with, so I'm not sure to be honest. Twitter was my main compromise to stay more socially connected with a wider array of people and it's hard to let go of that.

Despite my desire for good federated and open source social networking, it isn't quite there yet, and so for the time being the one social outlet alternative I see glimmers of hope in is WT.Social.

You can still follow people without logging into Twitter. Their posts are public. You can't DM with them though, and they also can't follow you. They also can't block you. But as far as "getting information out of Twitter" is concerned, no account is needed.

Exactly. These people are petting the dog after it attacks their kid, oblivious to the training they are offering and reinforcing. We as a collective are just teaching big tech how to more effectively enslave us for profit.

Or like staying with an abusive spouse. I don’t get it—why stick with a company that behaves this way, just to take part in a service that is frankly optional and unnecessary to life?

We get these threads a lot here. “Company X charged me for something they didn’t deliver and ripped me off!” So report fraud through your credit card and charge it back. “Bbbbut then they’ll ban me!”

I am very extreme already about these sort of things, and twitter was my one main compromise besides Steam... it just makes me feel like what is going to happen is the masses will always be on services like this and only a handful of hackers will be on the alternatives, creating and further encouraging information bubbles.

Your frankness is appreciated though, there is some truth there.

Saudi problem seems more severe! Call me crazy!

Not that I use twitter; people who get on the thing seem to have some bizarro Stockholm syndrome.

The average user has no idea what their phone is capable of, and how little effort it takes to spy on them. They think spying on them can only be accomplished by elite teams like on CSI:Miami, or that only some weirdo antisocial dork can do it, but only upon communion with the devil, at a crossroads, at the first full moon.

So I guess Twitter applied for a technology embargo exemption to Iran?

I mean, I guess that's been public knowledge already that they serve there, but the overwhelming majority of public companies block the IP space of every country on the embargo list.

I'd think that serving Iran right now would be fairly politically untenable

Most of Iran's leadership have active twitter accounts, so I'd have to guess so.


Twitter's data collection/friend matching feature used an API endpoint that returned usernames given phone numbers. A security researcher exposed it publicly, Twitter patched it (to just return a token or something). Twitter investigated and just released their findings "out of an abundance of caution and as a matter of principle." that it's clearly been "exploited" many times in the past. Twitter probably charges for the data returned by this "exploit". It doesn't look like the settings offered stop Twitter from selling this "exploit" as a service for "promotional" content.

It seems strange not to care that Twitter sells your username but to care that they also accidentally gave it out for free in the past.

Nothing in the article about collaboration with law enforcement or national security.

Some amount of liability on Twitter’s part in this is palpable, but this is also a criminal act on the part of the attacker who should accordingly be brought to justice, or at least an attempt should be made to do so.

If this is happening with law enforcement agencies then I feel like tech companies usually say so. Twitter’s statement says they are “releasing the details” but there’s no mention of law enforcement or state department involvement.

If the press release is meant to achieve this engagement publicly, then there are no actual “details” in it for example, no link to a list of IP addresses, twitter accounts, and times at which the endpoint was accessed!

That's a bit flippant of course, but perhaps there is actually a way they could have released some of those details: ASNs, days of the attack, some other aggregation?

In any case, some reassurance from Twitter that this is being followed up on by a government agency would be good to see.

Attacker what? He, Ibrahim Balic, is a security researcher; but when it comes to Twitter, they stubbornly claim the bug was a feature. See what the "attacker" says:



From 2 months ago:

>Basically Twitter got pwned big time, and now denies it because GDPR will ruin them if breach is proven. Here is what Doubi's online followers figured:

>State security got all phone numbers used for Twitter phone verification up to May 2019 and possibly till July.

>Twitter haphazardly closed the breach in complete secrecy.

>API hole explanation is excluded as people with 100% private accs got police visits.

>People with foreign SIM cards also got into trouble. So the explanation that China compromised Twitter's SMS providers is also excluded, as it's improbable that they did it in 4+ countries.

>2016 breach is also out of question.

>The only explanation is that they got hold of a big piece of their user DB, or, worse, they have an active infiltrator in Twitter, or Twitter voluntarily cooperated.



Twitter could go a long way in solving this issue by not requiring a phone number for an account. While you don’t need one to sign up, after some short period of time you’ll be locked out if you don’t provide one.

Phone numbers are better than IPs for surveillance. They follow you everywhere.

I eagerly look forward to a phone-number free world.

Would help a lot with global mobility.

I swear I saw someone mention this a month or two ago in HN comments. They said that they believed Twitter's API was being used to unmask accounts by state actors. I can't find the original article now.

You're thinking of https://news.ycombinator.com/item?id=21873229

That was slightly different, since at that time the only information we had was that this unethical "security researcher" had exploited the bug for months on billions of phone numbers and only disclosed it once Twitter blocked them.

This announcement is different in that Twitter appear to be saying that this was being abused by other actors as well.

That was exactly the comment. Thank you! It sounds like everyone and their mother was exploiting the API based on today's post. Thanks again.

> After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries.

Does anyone know what this actually means? If the contact discovery API doesn't return a username, what does it do? If the answer is that it returns a user ID now instead of username, then presumably that can then be freely queried for the corresponding username..

There should not be an app permission to export contacts list in the first place. If an app needs your contacts, there should be a way to export them offline and upload the contacts file. If a user is not technically adept to do that, they are clearly also not adept to judge the ramifications of pressing the "allow" button on the contacts permission dialog.

I was rejected with no explanation from a Twitter API key, despite it being for a real account that must appear very normal in every respect.

I think it's kind of funny that they are so draconian with hobbyists and people making toys, but that any motivated bad actor can probably access most of the same endpoints and services by virtue of the fact that they have to be accessible for people to use Twitter.

Someone mentioned spam after being forced to provide his/her phone number to Twitter, and I have known of similar cases in 2019. I also remember a case where the police matched a Twitter handle to a phone number and proceeded to arrest a guy who had been a strong activist against electronic voting. So I can conclude that this bug was well known at the beginning of 2019.

Why on earth would you give twitter your phone number!? It's an ad company. Why on earth would you give an ad company your phone number?!

At some point we'll realize that privacy invasive policies are a huge security liability, right?

I don't even feel sorry for them. Many, many times over, industry experts told people: SMS is NOT 2FA and should not be used as such. Great to see karma served, and I look forward to U2F or WebAuthn on my Twitter account soon.

What's there to feel sorry about? Twitter isn't facing any regulatory scrutiny over this, let alone possible fines.

It’s interesting to me that these kinds of things are not catalogued and advertised like other vulnerabilities. This is an exploitable information leak using an endpoint that many other services likely have.

They should not allow phone number -> handle lookups. That is quite creepy.

A much more privacy-respecting method would be to only allow lookups if both parties have each other added.
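The following is an added example, not code from the thread, from Twitter, or from Twitter's API. It is a toy model of a phone-number contact-discovery endpoint that ties together four points raised above: the enumeration sketch (throwaway accounts each uploading one slice of a number range), the observation that a per-account quota is only a real limit if an attacker cannot multiply accounts, the question of whether returning a user id instead of a handle changes anything, and the proposal to match only when both parties hold each other's number. The quota size, phone numbers, handles and user ids are all constructed for the example.

```python
"""Toy model of a phone-number contact-discovery endpoint.

Constructed example, not Twitter's code or API. Numbers, handles, ids and
the quota size are made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

QUOTA_PER_ACCOUNT = 1000  # assumed: numbers one account may submit per day


@dataclass
class User:
    user_id: int
    handle: str
    phone: str | None
    discoverable: bool = True                        # "Let people who have your phone number find you"
    contacts: set[str] = field(default_factory=set)  # numbers this user has uploaded


class DiscoveryService:
    def __init__(self, users: list[User]):
        self.users = {u.user_id: u for u in users}
        self.by_phone = {u.phone: u for u in users if u.phone}
        self.submitted: dict[int, int] = {}          # caller id -> numbers submitted today

    def _charge(self, caller_id: int, n: int) -> None:
        """Per-account quota: refuse (without charging) if this call would exceed it."""
        used = self.submitted.get(caller_id, 0)
        if used + n > QUOTA_PER_ACCOUNT:
            raise PermissionError("per-account quota exceeded")
        self.submitted[caller_id] = used + n

    def _matches(self, numbers: list[str]):
        for n in numbers:
            u = self.by_phone.get(n)
            if u is not None and u.discoverable:
                yield n, u

    def lookup(self, caller_id: int, numbers: list[str]) -> dict[str, str]:
        """Original behaviour: number -> handle for every discoverable match."""
        self._charge(caller_id, len(numbers))
        return {n: u.handle for n, u in self._matches(numbers)}

    def lookup_ids(self, caller_id: int, numbers: list[str]) -> dict[str, int]:
        """Variant that returns a stable user id instead of the handle."""
        self._charge(caller_id, len(numbers))
        return {n: u.user_id for n, u in self._matches(numbers)}

    def profile(self, user_id: int) -> str:
        """Any endpoint that resolves an id to a handle undoes lookup_ids' change."""
        return self.users[user_id].handle

    def lookup_mutual(self, caller_id: int, numbers: list[str]) -> dict[str, str]:
        """Hardened: match only if the target also uploaded the caller's number."""
        caller = self.users[caller_id]
        self._charge(caller_id, len(numbers))
        return {n: u.handle for n, u in self._matches(numbers)
                if caller.phone is not None and caller.phone in u.contacts}


def number_range(prefix: str, count: int) -> list[str]:
    """prefix0000 .. prefix(count-1), suffix zero-padded to four digits."""
    return [f"{prefix}{i:04d}" for i in range(count)]


def exceeds_quota(service: DiscoveryService, caller_id: int, numbers: list[str]) -> bool:
    """True if a single account cannot submit the whole range in one go."""
    try:
        service.lookup(caller_id, numbers)
    except PermissionError:
        return True
    return False


def sybil_enumerate(lookup, numbers: list[str], sybil_ids: list[int]) -> dict:
    """Split the range over Sybil accounts so each stays under its own quota."""
    found: dict = {}
    for i, start in enumerate(range(0, len(numbers), QUOTA_PER_ACCOUNT)):
        found.update(lookup(sybil_ids[i], numbers[start:start + QUOTA_PER_ACCOUNT]))
    return found


def build_world() -> tuple[DiscoveryService, list[int]]:
    """Constructed users: alice and carol have each other's numbers, bob has
    opted out of discovery, and three throwaway accounts have no phone at all."""
    alice = User(1, "alice", "2121110042", contacts={"2121111337"})
    bob = User(2, "bob", "2121112222", discoverable=False)
    carol = User(3, "carol", "2121111337", contacts={"2121110042"})
    sybils = [User(100 + i, f"throwaway{i}", None) for i in range(3)]
    return DiscoveryService([alice, bob, carol, *sybils]), [s.user_id for s in sybils]


if __name__ == "__main__":
    service, sybils = build_world()
    numbers = number_range("212111", 3000)
    print("one account blocked:", exceeds_quota(service, sybils[0], numbers))
    print("three accounts find:", sybil_enumerate(service.lookup, numbers, sybils))
    service, sybils = build_world()
    print("mutual rule finds:", sybil_enumerate(service.lookup_mutual, numbers, sybils))
```

Three accounts with no phone number of their own recover every discoverable handle in the 3000-number range that one account is not allowed to submit; swapping the handle for an id only moves the join to whichever endpoint resolves ids; the mutual rule gives the throwaway accounts nothing, because nobody has uploaded a number they do not have, while carol, whose number alice has saved, still finds alice.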

Class action?

Unlikely to succeed. This sort of invasive, drag-net data collection without user knowledge or consent is considered standard practice.

All twitter users "agreed" to it when they created their account (via the legal fiction that humans read and agree to terms of service)

I'm not convinced that "standard practice" is a sufficient legal defense.

I didn't create a twitter account but my information could have been leaked via this process.

Is there some law against them collecting your information from your friends without your consent? I'm not a lawyer, just an observer of how these sort of things regularly go, and I'm going to guess that what they did here was 100% legal.

Obviously this is morally abhorrent, but in the US the laws are written to protect large corporations like Twitter, not their victims.

That's not damages though.

Isn’t this old news? Thought this came out a few months ago.

According to the article, Twitter discovered the problem on the 24th of December 2019.

Kind of ironic Twitter can't protect data theft but spends considerable amount of resources to detect Deep Fakes.

How is that ironic, those are two entirely different issues.

this "bug" made hundreds of thousands Chinese activists' account "disappear". Sad.

One of the reasons I never installed the Twitter app. Will keep using the web page.

Why is "impacting" better than "affecting?"

For starters, impact is a noun and affect is a verb.

It's probably textbook risk analysis lingo, an impact is measurable but an affect is not.

Usually an impact scale is created to define what impact level 5 would involve versus impact 1. It's still arbitrary but more configurable than affect.

Just my two cents, no guarantee.

I was already thinking of deleting my twitter account. This is just an extra incentive


It's a phone number, not your bank account.

It's public information.

Do you want to sue the phone telcos for publishing the phone book?

Your identity is not public information on Twitter. Posting someone’s phone number and Twitter handle, if they did not explicitly share it anywhere, would be doxing, against almost any site ToS, and potentially even illegal.

Are there any legal repercussions against doxxing?

It depends on the jurisdiction but definitely. I am not a lawyer, though; I’ll just defer to your favorite search engine on this one.

What’s your phone number? If it’s public you don’t mind sharing it. My address book is filled with people who would be very sad if that were made public.

What's your phone number?

I might call you and check, and check for VOIP numbers too, so no fakes.

> check for VOIP numbers, too, so no fakes

Ah yes, continuing the fiction that anyone who uses a VoIP service must be a fraudster with a faked phone number.

Just another in the long list of if you are not using Google or Microsoft e-mail and AT&T or Verizon or T-Mobile or Sprint postpaid mobile phone service, you're obviously up to no good and deserve whatever "anti-fraud" you get.

It may be public, but I don't see you posting your phone number on HN. Perhaps that's because you don't want everyone in the world to have it? Doesn't seem like an unreasonable expectation to me.

> It's public information.

No, it isn't.

You have one of those private, encrypted phone numbers that prevents unauthorized usage? Get over yourself, it's public information.

> You have one of those private, encrypted phone numbers that prevents unauthorized usage? Get over yourself, it's public information.

Is it?

If I find out your phone number, "stuff4ben", then I know who "stuff4ben" really is.

People have been missing this for a LONG time now. Phone numbers are the unique identifier, especially with portability.

You can use 50 different usernames across 50 different sites but with that phone number, I know they are all you.

Which I can then link up to the 1,000 other sites you use those 50 usernames on without providing your phone number, and it's still likely you.

The NSA's database must be very interesting out at the Utah Data Center. This is how it all works, because you can mask your IP address using Tor but you can't mask any of that unless you've taken very careful steps along the entire history of your internet usage, from the start.

Eh, it pretty much is. At least in the US

I have a pretty unique name, you can search my first name + "voter registration" and get my address, phone number, and birthdate

Even if my name was common, it'd still be out there

But on twitter you don't need to give anyone your real name. THAT'S the thing. There should be no way to tie your twitter account to you, unless you specifically allow them to share your information.

Sure, that's what the other replies above the comment I replied to are saying, but this is specific to phone numbers

A lot of people are not aware of the fact this information is all public

Isn’t that really for twitter to decide?

Besides, weren’t the people who had opted out from the “Let people who have your phone number find you on Twitter” unaffected by this?

It's not public information, and it's considered identity-tied enough to be used in many forms of two-factor identification.

It is public information, and that's why it's ludicrous that it's used for two-factor authentication.

Two-factor authentication is a dumb solution to a real problem. The problem should be properly solved, rather than hacked around with stupid solutions like "sending notifications to accounts that can easily be spoofed by willful actors".

> Two-factor authentication is a dumb solution to a real problem. The problem should be properly solved, rather than hacked around with stupid solutions like "sending notifications to accounts that can easily be spoofed by willful actors".

SMS Two-factor authentication is a dumb solution. Actual two-factor authentication like FIDO U2F tokens is a better solution. Even TOTP is better than SMS auth.

Private vs. public isn't a fine-grained enough distinction. It's not private in the sense that most people give it out to lots of people so that they can be contacted. (Of course, in the case of landlines, they're mostly listed in a public directory somewhere but I assume we're talking mobile here.)

BTW, your bank account number is the same way if you write checks.

So they're not private in the way that some data (like health information) that you're only going to share very selectively is private. But it's mostly not public in the sense that you'll likely put it online unless maybe it's a business phone.

Pff, considering that a large number of two-factor authentication protocols send you SMS, your phone number might just as well be your bank account.

Just because it's public doesn't mean it should be shared with everyone.

You wouldn't type your number into a HN comment, would you? Probably not because you know exactly what would happen.

What's your phone number?

No, it's only public if you choose to disclose it. Phone numbers are PII (personal identifying information) in regards to the GDPR.

Sorry for the slight pedantry, but PII is some American thing. GDPR deals with "personal data".

It's playing on words until you find out the PII definition isn't the one that's used to settle GDPR claims.

You're splitting hairs here. Phone numbers are protected under both European and US privacy protection laws.

I knowingly am. :-(

Parent post insisted on the acronym, that triggered my consistency response reflex.
