Turkish researcher finds a dangerous vulnerability in the Twitter application on Android


A Turkish security researcher says he discovered a flaw in Twitter's Android app that allowed him to match 17 million phone numbers to user accounts on the service.

Ibrahim Balic found that the flaw lay in Twitter's contact-upload feature, which accepted complete lists of generated phone numbers. "If you carry your phone number, it will bring you user data in return," the researcher told TechCrunch.

Ibrahim Balic said that Twitter's contact-upload feature does not accept lists of phone numbers in sequential order, most likely to prevent exactly this kind of matching. Instead, Balic generated more than two billion phone numbers one by one, shuffled them into random order, and uploaded them to Twitter through the Android app. The researcher confirmed that the flaw does not exist in the web version of the contact-upload feature.

Over two months, Balic said, he matched user records in a number of countries, including Israel, Turkey, Iran, Greece, Armenia, France and Germany, but he stopped after Twitter blocked his activity on December 20.

Balic provided TechCrunch with a sample of the phone numbers he matched, and the site was able to identify an Israeli politician from the corresponding phone number. Balic did not report the vulnerability to Twitter, but he was able to obtain the numbers of several high-profile Twitter users, including politicians and officials, and added them to a WhatsApp group to warn them of the vulnerability directly.


Balic's discovery comes days after Twitter announced a vulnerability that could allow bad actors to see private account information or take control of accounts, including tweets, direct messages, and site information.

It is also worth noting that Ibrahim Balic previously discovered a security vulnerability in Apple's developer center in 2013.
