Security researcher Ibrahim Balic was able to match the phone numbers of 17 million people to the Twitter accounts linked to them.
Speaking to TechCrunch, Balic highlighted that when he uploaded a user’s phone number through Twitter’s contact upload feature, it would fetch the associated user’s data.
He did, however, have to jump through a series of hoops to achieve this.
Balic said that while Twitter's contact upload feature will not accept lists of phone numbers in sequential order, he was able to upload more than 2 billion numbers after he randomized them. He then uploaded them one by one through Twitter's Android app.
Twitter's web platform, however, did not have this bug.
The researcher went on to match records of users in Iran, Turkey, Israel, Greece, Armenia, France and Germany.
He had been conducting this research for two months before Twitter finally detected and blocked his efforts on the 20th of December.
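The weakness described above is that the only guard on the contact upload path was an ordering check, which a shuffled list defeats, and that the abuse was only detected two months later. The following added illustration, which is not Twitter's code and is not part of the original article, contrasts that kind of ordering check with a per-account volume check that ignores ordering. The event format, the account name, the phone number range and all thresholds are constructed assumptions.

```python
# Added illustration (not Twitter's code): why an ordering-based check on contact
# uploads is weak, and what a per-account volume check catches instead.
# Event format, thresholds and sample numbers are all constructed assumptions.
import random
from collections import defaultdict


def longest_consecutive_run(numbers):
    """Length of the longest run of consecutive integers in upload order."""
    if not numbers:
        return 0
    best = run = 1
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def is_sequential_batch(numbers, min_run=50):
    """An ordering check of the kind the article describes: rejects batches that
    look like a sequential sweep. A shuffled copy of the same numbers passes."""
    return longest_consecutive_run(numbers) >= min_run


class ContactSyncMonitor:
    """Per-account volume check that ignores ordering entirely.

    Tracks how many distinct phone numbers each account has submitted in a
    window and how many batches it has sent. The limits are assumed values; a
    real deployment would tune them to how large genuine address books are.
    """

    def __init__(self, max_distinct=5000, max_batches=200):
        self.max_distinct = max_distinct
        self.max_batches = max_batches
        self.seen = defaultdict(set)       # account -> distinct numbers seen
        self.batches = defaultdict(int)    # account -> batches submitted

    def record(self, account, numbers):
        """Record one upload and return True if the account now exceeds a limit."""
        self.seen[account].update(numbers)
        self.batches[account] += 1
        return (len(self.seen[account]) > self.max_distinct
                or self.batches[account] > self.max_batches)


def simulate(batches=60, batch_size=100, seed=7):
    """Replay a shuffled sweep of one number range, uploaded in small batches.

    Returns (sequential_rejections, first_flagged_batch): how many batches the
    ordering check rejected, and the 1-based batch at which the volume check
    first flagged the account (None if it never did).
    """
    rng = random.Random(seed)
    # Constructed sample: a contiguous block of 11-digit numbers, shuffled so
    # that no single batch looks sequential even though the whole sweep is.
    start = 15_555_550_000
    pool = list(range(start, start + batches * batch_size))
    rng.shuffle(pool)

    monitor = ContactSyncMonitor()
    sequential_rejections = 0
    first_flagged = None
    for i in range(batches):
        batch = pool[i * batch_size:(i + 1) * batch_size]
        if is_sequential_batch(batch):
            sequential_rejections += 1
        if monitor.record("sync-account-A", batch) and first_flagged is None:
            first_flagged = i + 1
    return sequential_rejections, first_flagged


if __name__ == "__main__":
    rejected, flagged_at = simulate()
    print(f"ordering check rejected {rejected} of 60 batches; "
          f"volume check flagged the account at batch {flagged_at}")
```

With the constructed input, the ordering check rejects nothing because every batch is a random slice of the shuffled range, while the volume check flags the account as soon as its cumulative distinct-number count passes the assumed limit, regardless of how the numbers were ordered or split across uploads. The point for a defender is that a per-account budget on distinct lookups, plus alerting when it is exceeded, is enforceable on the server side and is independent of whatever client (web or Android) submitted the data.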
TechCrunch was able to obtain a sample of Balic’s data set to conduct its own tests.
The publication was able to verify his discovery by comparing a random selection of usernames with the provided phone numbers.
Among the numbers TechCrunch was able to identify was that of a senior Israeli politician.
The bug has raised eyebrows, as it gives bad actors ready access to users' private information.
A Twitter spokesperson said, “Upon learning of this bug, we suspended the accounts used to inappropriately access people’s personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter’s APIs.”