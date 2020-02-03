




In a statement published today, Twitter disclosed a security incident in which third parties abused the company’s official Application Programming Interface (API) to match phone numbers to Twitter usernames.

In an email clarifying the incident, Twitter told ZDNet that it was notified of exploitation attempts against this API feature on December 24, 2019, following a report from tech news site TechCrunch. That report described how a security researcher took advantage of a Twitter API function to match 17 million phone numbers to public usernames.

Twitter says it intervened and immediately suspended a large network of fake accounts that had been abused during these attacks. During its investigation, the social network told ZDNet, it discovered additional evidence that this API bug had also been exploited by third parties other than the security researcher at the heart of the TechCrunch report.

Twitter said that although it identified fake accounts used in the attacks in a large number of countries, most of the attacks came from “individual IP addresses in Iran, Israel and Malaysia”.

Twitter said some of these IP addresses were linked to state-sponsored actors, a term used to describe either government intelligence services or third-party hacking groups that benefit from government support.

The Twitter API bug that was abused during the attack



According to Twitter, the attackers abused a legitimate API endpoint that lets new account holders find people they know on Twitter. The endpoint allows a user to upload phone numbers and returns the existing Twitter accounts linked to those numbers.

Twitter says the attacks did not affect all Twitter users, only those who had enabled the option in their account settings that allows their account to be found by phone number.

“People who had not enabled this setting or did not have a phone number associated with their account were not exposed to this vulnerability,” Twitter said.

The social network said it made changes to this endpoint immediately after detecting the attack “so that it could no longer return specific account names in response to queries.”
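The abuse pattern and the mitigations described above, as an added example that is not Twitter's code: a small Python model of a contact-matching endpoint in its unbounded form, an enumeration loop of the kind the article describes (fabricated candidate numbers instead of a real address book), a hardened version (batch cap, per-caller daily budget, and matches returned as a set of accounts rather than number-to-account pairs), and detection logic run over constructed API-log records that flags sequential uploads and source IPs shared by many accounts. Every name, threshold, directory record and log line is an assumption, and the hardened design is illustrative; the article says nothing about Twitter's actual limits beyond the quoted sentence about no longer returning account names.

```python
"""Model of a phone-number contact-matching endpoint, the enumeration pattern
the article describes, and two mitigations. Added illustration only: this is
not Twitter's code, and every name, threshold and record below is assumed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass
class User:
    username: str
    phone: str | None
    discoverable_by_phone: bool  # the opt-in setting the article refers to


# Constructed directory: bob (setting off) and dave (no phone on file)
# must never be returned by either version of the endpoint.
DIRECTORY = [
    User("alice", "+15550000101", True),
    User("bob", "+15550000102", False),
    User("carol", "+15550000103", True),
    User("dave", None, True),
    User("erin", "+15550000250", True),
]
PHONE_INDEX = {u.phone: u for u in DIRECTORY if u.phone}


def _matchable(number: str) -> User | None:
    u = PHONE_INDEX.get(number)
    return u if u and u.discoverable_by_phone else None


def match_contacts_unbounded(uploaded: Iterable[str]) -> dict[str, str]:
    """The abused shape: unlimited numbers per request, no per-caller budget,
    and every hit comes back as an explicit phone -> username pair."""
    return {n: u.username for n in uploaded if (u := _matchable(n))}


def enumerate_range(prefix: str, start: int, stop: int,
                    match_fn: Callable[[list[str]], dict[str, str]]) -> dict[str, str]:
    """Attacker side: fabricate candidate numbers and push them through the
    endpoint. No genuine address book is involved."""
    return match_fn([f"{prefix}{i:04d}" for i in range(start, stop)])


# --- Hardened endpoint (assumed design) ---------------------------------------
MAX_BATCH = 50        # assumed cap on numbers per request
DAILY_BUDGET = 200    # assumed cap on numbers per caller per day


class LookupQuota:
    def __init__(self) -> None:
        self.used: dict[str, int] = defaultdict(int)


def match_contacts_hardened(caller: str, uploaded: list[str],
                            quota: LookupQuota) -> list[str]:
    """Same feature, three changes: a batch cap, a per-caller budget, and a
    response that is the set of matched accounts rather than number -> account
    pairs, so one request no longer tells the caller which number is whose."""
    if len(uploaded) > MAX_BATCH:
        raise ValueError(f"batch of {len(uploaded)} exceeds MAX_BATCH={MAX_BATCH}")
    if quota.used[caller] + len(uploaded) > DAILY_BUDGET:
        raise PermissionError(f"{caller} exhausted daily lookup budget")
    quota.used[caller] += len(uploaded)
    return sorted({u.username for n in uploaded if (u := _matchable(n))})


# --- Detection ----------------------------------------------------------------
def sequential_fraction(numbers: Iterable[str]) -> float:
    """Share of adjacent (sorted) numbers that differ by exactly one. Generated
    ranges score near 1.0; genuine address books score near 0."""
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    if len(digits) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return steps / (len(digits) - 1)


def suspicious_callers(log: Iterable[dict], min_batch: int = 20,
                       seq_threshold: float = 0.8) -> dict[str, list[str]]:
    """Flag (a) callers uploading large, mostly sequential batches and (b) source
    IPs behind three or more distinct accounts, the fake-account-network shape
    the article describes. `log` is a list of {caller, ip, numbers} records."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    flagged: dict[str, list[str]] = defaultdict(list)
    for rec in log:
        by_ip[rec["ip"]].add(rec["caller"])
        nums = rec["numbers"]
        if len(nums) >= min_batch and sequential_fraction(nums) >= seq_threshold:
            flagged[rec["caller"]].append("sequential-batch")
    for ip, callers in by_ip.items():
        if len(callers) >= 3:
            for c in callers:
                flagged[c].append(f"shared-ip:{ip}")
    return dict(flagged)
```

Both versions honour the opt-in setting, because the article says users who had not enabled it were not exposed; what the hardened version changes is the volume a single caller can push through and the shape of the answer. The detection side uses a property an enumeration cannot hide: fabricated ranges are sequential, and a fake-account network that shares exit IPs shows up as many distinct callers per address.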

Article has been rewritten and updated at 6:00 pm ET based on the additional information provided by a Twitter spokesperson.