It looks like Twitter could have been in big trouble. Security specialist Ibrahim Balich reported a vulnerability in the Android client that allowed access to the phone numbers of 17 million users of the popular microblogging service.
The principle of the vulnerability is quite simple. According to the expert, if you upload a phone number through Twitter's contact-upload function, the application responds with the data of the user to whom that number belongs.
"If you download a phone number, you'll get user data in response," Balich said in an interview with TechCrunch.
The researcher generated more than two billion phone numbers and, over two months, matched them against users from Israel, Turkey, Iran, Greece, Armenia, France and Germany. In this way he identified more than 17 million accounts before Twitter blocked his activity on December 20. On that day the social network announced that it had fixed the vulnerability, which cybercriminals could have used to obtain sensitive information about accounts and to send messages on behalf of the user.
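The mechanism described above, a contact-upload endpoint that resolves any uploaded phone number to an account, is shown below as an added illustration beside a hardened design. This is constructed example code, not Twitter's implementation or the researcher's tooling; the user directory, the `discoverable_by_phone` opt-in flag, the daily upload cap and the match-rate threshold are assumptions chosen for the demonstration. The hardened version only matches accounts that opted in, bounds how many numbers one client can probe, and flags bulk uploads whose match rate looks nothing like a real address book, which is the signal a generated number range produces.

```python
"""Contact-sync lookup: the weak design beside a hardened one.

Constructed example (not Twitter's code). The directory, the
discoverability flag and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class User:
    handle: str
    phone: str                    # E.164 form, e.g. "+905551234567"
    discoverable_by_phone: bool   # did the user opt in to being found by number?


# Constructed directory of accounts keyed by phone number.
DIRECTORY = {
    "+905550000001": User("alice", "+905550000001", True),
    "+905550000002": User("bob", "+905550000002", False),
    "+33655500003": User("carol", "+33655500003", True),
}


def lookup_vulnerable(uploaded):
    """Weak design: every uploaded number that belongs to an account is
    resolved to that account, regardless of the account's privacy setting
    and of how many numbers the client sends. Nothing stops a client from
    walking an entire number range through this function."""
    return {n: DIRECTORY[n].handle for n in uploaded if n in DIRECTORY}


MAX_CONTACTS_PER_DAY = 5000   # assumed ceiling for a genuine address book
MIN_MATCH_RATE = 0.01         # assumed: real contact lists match far above 1 %
BULK_THRESHOLD = 100          # only judge match rate on uploads this large


@dataclass
class SyncState:
    """Per-client counters the server keeps across requests."""
    uploaded_today: dict = field(default_factory=lambda: defaultdict(int))
    flagged: set = field(default_factory=set)


def lookup_hardened(client_id, uploaded, state):
    """Hardened design:
    1. only accounts that opted in to phone discovery are matched;
    2. a per-client daily cap bounds how many numbers can be probed at all;
    3. bulk uploads with an address-book-unlike match rate are flagged for
       review, so enumeration is detected rather than merely slowed."""
    state.uploaded_today[client_id] += len(uploaded)
    if state.uploaded_today[client_id] > MAX_CONTACTS_PER_DAY:
        state.flagged.add(client_id)
        raise PermissionError("contact upload quota exceeded")

    matches = {
        n: DIRECTORY[n].handle
        for n in uploaded
        if n in DIRECTORY and DIRECTORY[n].discoverable_by_phone
    }

    if len(uploaded) >= BULK_THRESHOLD and len(matches) / len(uploaded) < MIN_MATCH_RATE:
        state.flagged.add(client_id)   # looks like a generated range, not a contact list
    return matches
```

A normal phone app uploads a few hundred numbers, most of which belong to real contacts, and is never flagged; a client that submits sequential ranges is flagged on its first bulk request and cut off once it passes the daily cap. The opt-in check is the part that closes the disclosure itself; the cap and the match-rate heuristic are the detection and rate-limiting layers around it.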
Interestingly, the specialist did not report the vulnerability to Twitter. Instead, he sent warnings over WhatsApp to prominent Twitter users, including politicians and officials.
By the way, Ibrahim Balich is known for discovering a security vulnerability in 2013 that affected the Apple Developer Center.