Very relevant: <a href="https://news.ycombinator.com/item?id=21747424" rel="nofollow">https://news.ycombinator.com/item?id=21747424</a><p>Can this be an API leak which Chinese MSS used to track Chinese users?<p>It may well be, if we believe that the API wasn't implementing discoverability restrictions from privacy settings, and only hid users at the UI level.<p>> Basically Twitter got pwned big time, and now denies it because GDPR will ruin them if breach is proven.
Here is what Doubi's online followers figured:<p>> State security got all phone numbers used for Twitter phone verification up to May 2019 and possibly till July.<p>> Twitter haphazardly closed the breach in complete secrecy.<p>> API hole explanation is excluded as people with 100% private accs got police visits.<p>> People with foreign SIM cards also got into trouble. So the explanation that China compromised Twitter's SMS providers is also excluded, as it's improbable that they did it in 4+ countries.<p>> 2016 breach is also out of question.<p>> The only explanation is that they got hold of a big piece of their user DB, or, worse, they have an active infiltrator in Twitter, or Twitter voluntarily cooperated.
> Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, he said, but stopped after Twitter blocked the effort on December 20.<p>Sounds like the other thing Balic discovered (not explicitly published here) is the rate limit below which Twitter's anomaly detection will not notice that you are using an interesting API endpoint.<p>> While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users — including politicians and officials — to a WhatsApp group in an effort to warn users directly.<p>Uh. I wonder how that went over?
It sounds like he spent two months extracting data through a flaw that's existed for years and then bragged about it after it got closed to his egregious usage.<p>Is this considered normal or ethical behavior for a security researcher?
This is a "feature", not a bug. Twitter keeps asking for phone numbers all the time and then suggests you also allow others to discover your account via phone number.<p>So this guy merely enumerated a lot of phone numbers and found accounts of users who agreed to have their phone number publicly match their account.
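The two comments above describe the mechanism (a contact-lookup endpoint that only the UI made respect the "discoverable by phone" setting, and enumeration kept below the rate at which anomaly detection reacts). As an added example that is not code from the thread or from Twitter, here is a constructed lookup handler that enforces the privacy setting server-side and budgets the number of distinct phone numbers a client may look up; all names, the setting name and the sample users are assumptions.

```python
"""Constructed example: phone-number contact lookup done right vs. wrong."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class User:
    handle: str
    phone: str
    discoverable_by_phone: bool  # hypothetical privacy-setting name


# Constructed user table keyed by phone number (sample data, not real).
USERS = {u.phone: u for u in [
    User("alice", "+15550001", True),
    User("bob", "+15550002", False),   # opted out of phone discovery
    User("carol", "+15550003", True),
]}


def lookup_contacts_ui_only(phones):
    """The pattern the thread suspects: the API returns every match and
    relies on the client UI to hide users who opted out."""
    return {p: USERS[p].handle for p in phones if p in USERS}


@dataclass
class EnumerationGuard:
    """Per-client budget of distinct numbers looked up (assumed limit).
    A legitimate address book is bounded; an enumeration run is not."""
    max_distinct: int = 1000
    seen: dict = field(default_factory=lambda: defaultdict(set))

    def allow(self, client_id, phones):
        self.seen[client_id].update(phones)
        return len(self.seen[client_id]) <= self.max_distinct


def lookup_contacts(client_id, phones, guard):
    """Hardened form: enforce the opt-in on the server and refuse (None)
    once a client has exceeded its distinct-number budget."""
    if not guard.allow(client_id, phones):
        return None
    return {p: USERS[p].handle for p in phones
            if p in USERS and USERS[p].discoverable_by_phone}


if __name__ == "__main__":
    g = EnumerationGuard(max_distinct=5)
    print(lookup_contacts_ui_only(["+15550001", "+15550002"]))
    print(lookup_contacts("app", ["+15550001", "+15550002", "+15550009"], g))
```

The budget is deliberately a count of distinct numbers per client rather than a request rate, so spreading requests out slowly, as the comment above suggests was done, does not stay under it.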
The worst part about this is that twitter <i>requires</i> you to add a phone number. Why?? That’s very privacy hostile, since a phone number is very personal and identifiable.<p>And it’s like a bait and switch. They don’t require it at sign up, but within a short time they’ll lock your account until you add it.
Doesn’t really have anything to do with the Android app. He was using an API endpoint that anyone could hit.<p>Step #1, turn two-factor authentication on<p>Step #2, have your phone number leaked because of a dumb feature.
I recently started to use the "neo-banks" (fintech apps that may or may not be actual banks, mostly for payments). All of them offer an app and APIs and ways to discover which contacts use the same app via their phone number.<p>Immediately following this I received highly targeted phishing SMS messages that included links to plausible-looking login pages.<p>Perhaps this shouldn't be too surprising, but people will get burned and somebody will have to pay for it.
I think it was irresponsible to keep collecting more phone numbers, and I think he should've let Twitter handle informing users of this vulnerability. Had he used responsible disclosure, he could have claimed a nice bug bounty (between $280 and $2,940, according to [0]).<p>[0]: <a href="https://hackerone.com/twitter" rel="nofollow">https://hackerone.com/twitter</a>
When sites collect phone numbers to "find friends", there is always a chance that they will be leaked. And even worse, someone having enough resources will check all existing phone numbers and get a mapping between numbers and accounts.<p>This reminds me of a story posted on Russian site [1], where researchers managed to bypass Instagram's protection and find accounts by phone number. Sadly, I cannot confirm the described method because their site requires a Google Account to find an Instagram account by phone number. But if it's true it shows that even Facebook and thousands of its engineers cannot protect their users' data.<p>[1] <a href="https://translate.google.com/translate?sl=ru&tl=en&u=https%3A%2F%2Fhabr.com%2Fru%2Fcompany%2Fpostuf%2Fblog%2F479094%2F" rel="nofollow">https://translate.google.com/translate?sl=ru&tl=en&u=https%3...</a>
“he took many of the phone numbers of high-profile Twitter users — including politicians and officials — to a WhatsApp group in an effort to warn users directly”<p>What on earth does this actually mean? And why does he still have a verified Twitter account, or an account at all, when he exploited it for 2 months without informing them?
This must be the "Account Security Issue" Twitter e-mailed me about last week. I was wondering when they'd release more details: <a href="https://i.imgur.com/yjzMtLB.png" rel="nofollow">https://i.imgur.com/yjzMtLB.png</a><p>Transcription:<p>"SUBJECT: Twitter Account Security Issue – Update Twitter for Android<p>Hello,<p>We recently fixed an issue that could have compromised your account. Although we don’t have evidence that this was exploited, we can’t completely confirm so we are letting you know. You can learn more about this issue here.<p>Please update to the latest version of Twitter for Android as soon as possible to make sure your account is secure.<p>We’re sorry this happened and will continue working to keep your information secure on Twitter. You can reach out to our Office of Data Protection through this form to request information regarding your account security.<p>Thanks,<p>Twitter"<p>Edit: err, no, this appears to be something different still. Not a good week for Twitter: <a href="https://news.ycombinator.com/item?id=21847198" rel="nofollow">https://news.ycombinator.com/item?id=21847198</a>
When a website asks for a phone number I treat it as "please provide a DNA sample and birth certificate in triplicate" and close the tab. It's ridiculous to what ends consumers will go and accept as "privacy compromises". Hopefully GDPR will make these practices costly enough.
Did they report this breach as required by GDPR rules in the EU? I can't imagine the GDPR rules don't apply to an American company when they are active in the EU? Especially if they have (do they?) a branch in the EU, like for ads revenue or royalties to lessen the tax paid in Ireland or The Netherlands, like Uber.