Twitter fixes vulnerability that exposed country code details of targeted users
Twitter Inc. has fixed a strange vulnerability in a support form that allowed hackers to obtain the country code of accounts that had an associated phone number, as well as information on whether the account had been locked.
The vulnerability was discovered by Twitter on Nov. 15, when the company noticed unusual activity involving the affected customer support form application program interface. The surge in traffic came from individual IP addresses located in China and Saudi Arabia.
“While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors,” Twitter said in a post today. The vulnerability was fixed on Nov. 16.
Twitter did not say how many account holders were affected, only that those affected have been informed.
Why state-sponsored actors would be looking for the country code of a telephone number linked to a Twitter account may seem odd. But according to TechCrunch, the concern is “that malicious actors could have used the security flaw to figure out in which countries accounts were based, which could have ramifications for whistleblowers or political dissidents.”
The vulnerability may not be the only one. Security researcher Terence Eden uncovered an OAuth permissions flaw in Twitter on Dec. 14 that allows third-party applications to access a user’s direct messages even when the permissions screen told the user that access would not be granted.
“For some reason, Twitter’s OAuth screen says that these apps do not have access to direct messages,” Eden explains. “But they do! In short, users could be tricked into allowing access to their DMs.”
Eden claimed Twitter has now fixed that issue.
One vulnerability is careless, but two so close together is another matter, especially coming on top of various other vulnerabilities at Twitter throughout the year.
In September it was revealed that Twitter had patched a vulnerability in one of its application programming interfaces that gave third parties access to direct messages and protected tweets. And last month a hacker managed to hijack verified accounts and pretend to be Tesla Inc. Chief Executive Officer Elon Musk.