A Twitter app flaw used to match 17 million phone numbers to user accounts

  • Twitter fetched relevant matching user data upon uploading the contacts through the contacts upload feature on Twitter's Android app.
  • The researcher took many of the phone numbers of high-profile Twitter users including politicians and officials to a WhatsApp group to warn them directly.

A security researcher claimed to leverage a flaw in Twitter’s Android app and successfully match 17 million phone numbers to unique Twitter user accounts.

Researcher’s path to the bug

Security researcher Ibrahim Balic found the Twitter bug and carried on with his experiments for months. According to the researcher, he could upload a large list of mobile phone numbers using the contacts upload feature on Twitter's Android app.

He further noted that Twitter fetched relevant matching user data upon uploading the contacts. “If you upload your phone number, it fetches user data in return,” he told TechCrunch. Balic matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany for over two months, until Twitter blocked the effort on December 20.

The uphill task

Security researcher Ibrahim Balic explained that Twitter’s contact upload feature doesn’t accept lists of phone numbers in sequential format—maybe only to prevent this kind of matching. So, he generated more than two billion phone numbers, one after the other instead.

He then randomized the numbers and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.) Through this, he could retrieve matching user data.

Going public with the flaw

The researcher provided TechCrunch with a sample of the phone numbers he matched. The team verified his findings by comparing a random selection of usernames with the phone numbers that were provided.

The researcher was yet to alert Twitter about the flaw. Meanwhile, he took many of the phone numbers of high-profile Twitter users including politicians and officials to a WhatsApp group to warn them directly.

The workaround

A Twitter spokesperson told TechCrunch that the company was working to “ensure this bug cannot be exploited again.”

“Upon learning of this bug, we suspended the accounts used to inappropriately access people’s personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter’s APIs,” the spokesperson said.