The Twitter for Android app had another bug that exposed users’ phone numbers. The exploit could expose failures in the company’s two-factor authentication system and should give other security developers pause.
The exploit was discovered and tested by security researcher Ibrahim Balic over two months. The researcher succeeded in matching 17 million phone numbers with Twitter accounts by exploiting the vulnerability.
The researcher says Twitter blocked his attempts on December 20 of this year. Balic was able to match the mobile phone numbers of high-profile Twitter users, including politicians and government officials. He warned them directly via WhatsApp rather than notifying Twitter.
The bug lay in Twitter’s contacts upload feature, which accepted entire lists of phone numbers. The feature rejected lists in sequential order but accepted randomly ordered ones.
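To make the weakness concrete, here is an added illustration (not code from Twitter or from the researcher) of why an ordering-based check is a weak control. The `naive_upload_filter` below is a hypothetical reconstruction of a "reject sequential lists" heuristic; the `ContactUploadLimiter` is a hypothetical alternative that bounds the number of distinct numbers any one account may submit, regardless of order. The phone numbers are constructed sample values.

```python
import random
from collections import defaultdict


def is_sequential(numbers):
    """Hypothetical server-side heuristic: flag a list whose numbers form one
    contiguous ascending run (e.g. ...000, ...001, ...002)."""
    vals = [int(n) for n in numbers]
    return len(vals) > 1 and all(b - a == 1 for a, b in zip(vals, vals[1:]))


def naive_upload_filter(numbers):
    """Accepts the upload unless the list is sequential. This is the kind of
    check the article describes: it looks at ordering only, so the same
    numbers in shuffled order pass straight through."""
    return not is_sequential(numbers)


def build_range(start, count):
    """Constructed sample input: `count` consecutive phone numbers as strings."""
    return [str(start + i) for i in range(count)]


def shuffled(numbers, seed=1):
    """Same numbers, randomised order; seeded so the result is reproducible."""
    out = list(numbers)
    random.Random(seed).shuffle(out)
    return out


class ContactUploadLimiter:
    """Hardened alternative (hypothetical design, not Twitter's): cap the
    distinct phone numbers one account may submit per window. Enumeration
    then costs one account per `max_distinct` numbers instead of being free,
    and the order of the list no longer matters."""

    def __init__(self, max_distinct=5000):
        self.max_distinct = max_distinct
        self._seen = defaultdict(set)  # account_id -> distinct numbers this window

    def accept(self, account_id, numbers):
        seen = self._seen[account_id]
        new = set(numbers) - seen
        if len(seen) + len(new) > self.max_distinct:
            return False  # reject before performing any lookups
        seen |= new
        return True


if __name__ == "__main__":
    batch = build_range(15550000000, 1000)
    print("sequential list passes naive filter:", naive_upload_filter(batch))
    print("shuffled list passes naive filter:  ", naive_upload_filter(shuffled(batch)))
    limiter = ContactUploadLimiter(max_distinct=2500)
    results = [
        limiter.accept("acct", shuffled(build_range(15550000000 + k * 1000, 1000)))
        for k in range(3)
    ]
    print("quota decisions for three 1000-number batches:", results)
```

The point of the contrast is that the first control reasons about the shape of a single request, which the client fully controls, while the second reasons about cumulative behaviour per principal, which the client cannot reshape away. A real deployment would also expire the per-account window and alert on accounts that hit the cap.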
TechCrunch reported that Twitter is working on fixing the issue to ensure the bug can’t be exploited by others.
This exploit may not be related to the one Twitter publicly announced this week, which also affects the Android app. That one was described more as a bug requiring active code injection than as abuse of a feature Twitter itself provides. Regardless, it joins the list of Twitter vulnerabilities reported this year, some of which affect only the social network’s Android app.
Shortly before this, Twitter had asked its users to update the Android app. The social networking platform said it had fixed a serious security vulnerability and that all users must update the app on their Android devices to stay secure. It is still unclear whether that new version of the app fixed the bug Balic exposed. These bugs damage not only the company’s reputation but also its advertising revenue.