Flaw in Twitter Android app lets researcher match 17 MILLION phone numbers with user accounts
- Researcher discovered a security flaw in Twitter’s Android app
- When he uploaded phone numbers, he could match them with user accounts
- Users were mostly from Israel, Turkey, Iran, Greece, Armenia and Germany
A researcher is warning Android users not to upload their contacts to Twitter after he was able to match 17 million phone numbers to their respective user accounts.
Ibrahim Balic uploaded a list of generated phone numbers through the contacts upload feature, which he told TechCrunch ‘fetches user data in return’.
Matches were made for users in Israel, Turkey, Iran, Greece, Armenia and Germany – and some were government officials.
Balic told TechCrunch that because the list would not be accepted in sequential format, he had to randomize the numbers before uploading them through the Android app – the flaw does not exist on the desktop site.
For two months he uploaded numbers, matching them to 17 million users in Israel, Turkey, Iran, Greece, Armenia, France and Germany.
He only stopped uploading numbers after Twitter blocked him on December 20th.
A researcher is warning Android users not to upload their contacts to Twitter after he was able to match 17 million phone numbers to their respective user accounts. Ibrahim Balic uploaded a list of generated phone numbers through the contacts upload feature, which he told TechCrunch ‘fetches user data in return’
Although Balic did not alert Twitter to the bug, he took it upon himself to let high-profile users know about it via WhatsApp.
The flaw comes just a few months after Twitter found itself in hot water after a leak was exposing users’ personal data such as phone numbers and email addresses.
The social site said it mistakenly used the phone numbers and email addresses people provided for security purposes to show advertisements to its users but refused to say how many accounts were impacted.
The company said in October that it ‘inadvertently’ used the emails and phone numbers to let advertisers match people to their own marketing lists.
It claims it did not share personal data with advertisers or other third parties. Twitter says it fixed the problem as of September 17 but refused to say how many users were affected.
Balic told TechCrunch that because the list would not be accepted in sequential format, he had to randomize the numbers before uploading them through the Android app – the flaw does not exist on the desktop site
Most recently in May, Twitter came out with another apology after a bug resulted in the sharing of location data from iOS devices.
The social media site said it discovered it was ‘inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances.’
Twitter said the location data has not been retained and has since been deleted.
The bug affected users that had multiple accounts on Twitter’s iOS app and opted into a feature sharing their precise location in one account.
‘We may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature,’ the company said.
Twitter also said it accidentally sent user location data to a ‘trusted partner’ during the ‘real time bidding’ advertising process.