Twitter disclosed a security incident in which third parties exploited the company’s official API (Application Programming Interface) to match phone numbers with Twitter usernames.
Twitter clarified that it became aware of exploitation attempts against this API feature on December 24, 2019, following a report from the tech news site TechCrunch. The report described how a security researcher had misused the Twitter API feature to match 17 million phone numbers to public usernames.
Following this report, Twitter intervened and immediately suspended a large network of fake accounts which were used to query its API and match phone numbers to Twitter usernames.
On further investigation, the company found additional evidence of this API bug being exploited by other third parties, beyond the security researcher mentioned in the report.
Twitter did not specify who these third parties were, but it said that some of the IP addresses used in these API exploitation attempts were linked to state-sponsored actors.
The company said it was disclosing the findings of its investigation out of caution and as a matter of principle.
Twitter stated that the attackers exploited a legitimate API endpoint that allows new account users to find people they know on Twitter. The API endpoint allows users to submit phone numbers and matches them to known Twitter accounts.
The attack did not affect all Twitter users, but only those who enabled an option in the settings to allow phone number-based matching.
The company confirmed that users who had not enabled this setting, or who did not have a phone number associated with their account, were not exposed by this vulnerability.
Twitter immediately made several changes to this endpoint when the attack was detected so that it could no longer return specific account names in response to queries.