October 2, 2022


Twitter says it has fixed a security vulnerability that allowed threat actors to collect information on 5.4 million Twitter accounts that were listed for sale on a well-known cybercrime forum.

The vulnerability allowed anyone to enter a phone number or email address of a known user and find out if they were connected to an existing Twitter account, potentially revealing the identity of pseudonymous accounts.

In a short statement posted on Friday, the microblogging giant said, “if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person which Twitter account the submitted email address or phone number is associated with, if any.”

Twitter said it fixed the bug in January — six months after the bug was originally introduced into its codebase — following a bug bounty report by a security researcher, who was awarded $6,000 for disclosing the vulnerability.

According to the bug bounty report, the vulnerability posed a “serious threat” to users who have private or pseudonymous accounts and could be used to “build a database” or enumerate “a large portion of Twitter’s user base.” It’s similar to a vulnerability discovered in late 2019 that allowed a security researcher to match 17 million phone numbers with Twitter accounts.
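The lookup behaviour described above is a classic account-enumeration oracle: the response to "does this email or phone belong to an account?" differs depending on whether a match exists, so a caller can confirm identities one contact at a time and, at scale, build the kind of database the report warns about. The following added example is not Twitter's code; it is a toy contact-lookup service written for this page, with a hypothetical directory, showing the leaky response pattern next to a hardened one that answers identically for known and unknown contacts, plus a simple detector that flags a client probing many distinct contacts in a short window.

```python
"""Account-lookup endpoints and enumeration (added example, not Twitter's code).

Two forms of a contact-lookup handler: the leaky version reveals which
account a contact maps to, the hardened version returns the same body
whether or not the contact is known. A small detector then flags clients
that look up an unusual number of distinct contacts.
"""
from collections import defaultdict, deque
from typing import Dict, Deque, Tuple

# Constructed sample directory (hypothetical data): contact -> account handle.
DIRECTORY = {
    "alice@example.com": "@alice_pseudonym",
    "+15551230001": "@bob_handle",
}


def leaky_lookup(contact: str) -> dict:
    """Vulnerable pattern: the response depends on whether the contact is known,
    and even names the linked account."""
    handle = DIRECTORY.get(contact)
    if handle is None:
        return {"found": False}
    return {"found": True, "account": handle}


def hardened_lookup(contact: str) -> dict:
    """Fixed pattern: an identical response for known and unknown contacts.
    Any real action (e.g. a notification) is delivered out of band to the
    contact's owner, so the caller learns nothing about account existence."""
    return {"status": "ok"}


def responses_are_indistinguishable(fn, known: str, unknown: str) -> bool:
    """True if the handler gives the same answer for a known and an unknown contact."""
    return fn(known) == fn(unknown)


class EnumerationDetector:
    """Flags a client that looks up more than `threshold` distinct contacts
    within `window` seconds. Timestamps are passed in by the caller so the
    logic is deterministic and can be replayed over logs."""

    def __init__(self, threshold: int = 20, window: float = 60.0):
        self.threshold = threshold
        self.window = window
        self._events: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def record(self, client: str, contact: str, ts: float) -> bool:
        """Record one lookup; return True if this client is now over threshold."""
        q = self._events[client]
        q.append((ts, contact))
        while q and ts - q[0][0] > self.window:  # drop events outside the window
            q.popleft()
        distinct = {c for _, c in q}
        return len(distinct) > self.threshold


def replay_sample_log(detector: EnumerationDetector) -> list:
    """Replay a constructed log: one client probes 25 distinct contacts in 25
    seconds, another repeats a single ordinary lookup three times.
    Returns the sorted list of flagged client addresses."""
    flagged = set()
    for i in range(25):
        if detector.record("10.0.0.9", f"user{i}@example.com", float(i)):
            flagged.add("10.0.0.9")
    for i in range(3):
        if detector.record("10.0.0.2", "alice@example.com", 100.0 + i):
            flagged.add("10.0.0.2")
    return sorted(flagged)


if __name__ == "__main__":
    print("leaky:", leaky_lookup("alice@example.com"), leaky_lookup("nobody@example.com"))
    print("hardened:", hardened_lookup("alice@example.com"), hardened_lookup("nobody@example.com"))
    print("flagged clients:", replay_sample_log(EnumerationDetector()))
```

The uniform response is the structural fix; the detector is a second layer, since even a uniform endpoint can leak through timing or error codes and a client working through thousands of contacts is worth rate-limiting and reviewing regardless.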

But the researcher’s warning came too late. Hackers had already exploited the vulnerability in the meantime to create a database of email addresses and phone numbers of 5.4 million Twitter accounts.

Twitter said it learned of the exploit from an unspecified press report in July, which found a posting on a cybercrime forum that claimed to have user data “from celebrities to corporations” and “OGs,” referring to custom or highly sought-after social media and gaming usernames.

“After reviewing a sample of the data available for sale, we confirmed that a bad actor had exploited the issue before it was addressed,” Twitter said. “We will directly notify account holders that we can confirm were affected by this issue.”

It’s the latest security incident to hit Twitter in recent years. In May, Twitter agreed to pay $150 million in a settlement with the Federal Trade Commission after the company used phone numbers and email addresses, which users had submitted to set up two-factor authentication, for targeted advertising.
