Twitter fixes vulnerability that exposed country code details of targeted users
Twitter Inc. has fixed a vulnerability in a customer support form that allowed attackers to learn the country code of the phone number associated with an account, as well as whether Twitter had locked the account.
Twitter discovered the vulnerability on Nov. 15, when it noticed unusual activity involving the affected customer support form's application programming interface. The surge in traffic came from individual IP addresses located in China and Saudi Arabia.
“While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors,” Twitter said in a post today. The vulnerability was fixed on Nov. 16.
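The article says Twitter spotted the abuse as a traffic surge against the support-form API from individual IP addresses. The following is an added example of that kind of detection, written for this page and not Twitter's own code: it runs over constructed access-log lines (the log format, the hypothetical `/support/form/lookup` path, the `target=` field and the thresholds are all assumptions) and flags any source IP that issues many lookups against many distinct targets inside a short window, which is the signature of enumeration rather than a single user retrying a form.

```python
"""Flag source IPs that hammer a support-form API with many distinct lookups.

Added example, not Twitter's code. The log format, endpoint path, thresholds
and the sample lines below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Hypothetical lookup endpoint (assumption, not a real Twitter path).
LOOKUP_PATH = "/support/form/lookup"

# Assumed log format: "<ISO timestamp> <source IP> POST <path> target=<id> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) target=(?P<target>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one benign user retrying the same target, one scripted
# client walking distinct targets, one unrelated endpoint hit and one malformed line.
SAMPLE_LOG = """\
2018-11-15T10:00:00Z 198.51.100.20 POST /support/form/lookup target=u1001 200
2018-11-15T10:00:03Z 198.51.100.20 POST /support/form/lookup target=u1001 200
2018-11-15T10:00:01Z 203.0.113.7 POST /support/form/lookup target=u2001 200
2018-11-15T10:00:02Z 203.0.113.7 POST /support/form/lookup target=u2002 200
2018-11-15T10:00:03Z 203.0.113.7 POST /support/form/lookup target=u2003 200
2018-11-15T10:00:04Z 203.0.113.7 POST /support/form/lookup target=u2004 200
2018-11-15T10:00:05Z 203.0.113.7 POST /support/form/submit target=u2099 200
2018-11-15T10:00:05Z 203.0.113.7 POST /support/form/lookup target=u2005 200
2018-11-15T10:00:06Z 203.0.113.7 POST /support/form/lookup target=u2006 200
2018-11-15T10:00:07Z 203.0.113.7 POST /support/form/lookup target=u2007 200
2018-11-15T10:00:08Z 203.0.113.7 POST /support/form/lookup target=u2008 200
2018-11-15T10:00:09Z 203.0.113.7 POST /support/form/lookup target=u2009 200
2018-11-15T10:00:10Z 203.0.113.7 POST /support/form/lookup target=u2010 200
2018-11-15T10:00:11Z 203.0.113.7 POST /support/form/lookup target=u2011 200
2018-11-15T10:00:12Z 203.0.113.7 POST /support/form/lookup target=u2012 200
this line is deliberately malformed and must be skipped
2018-11-15T10:05:00Z 192.0.2.44 POST /support/form/lookup target=u3001 200
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "path": m["path"], "target": m["target"]}


def detect_enumeration(log_text, window_seconds=60, min_requests=10, min_distinct_targets=8):
    """Sliding-window scan per source IP over lookup requests only.

    An IP is flagged if, within any window of `window_seconds`, it made at least
    `min_requests` lookups against at least `min_distinct_targets` distinct targets.
    Returns {ip: {"requests": n, "distinct_targets": d, "window_start": iso}} for
    the busiest qualifying window of each flagged IP.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"] == LOOKUP_PATH:
            by_ip[ev["ip"]].append((ev["ts"], ev["target"]))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()                      # by timestamp, then target
        in_window = Counter()              # target -> occurrences inside the window
        left = 0
        best = None
        for right, (ts, target) in enumerate(events):
            in_window[target] += 1
            # Slide the left edge forward until the window spans <= window_seconds.
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old_target = events[left][1]
                in_window[old_target] -= 1
                if in_window[old_target] == 0:
                    del in_window[old_target]
                left += 1
            n, d = right - left + 1, len(in_window)
            if n >= min_requests and d >= min_distinct_targets and (best is None or n > best[0]):
                best = (n, d, events[left][0])
        if best:
            flagged[ip] = {
                "requests": best[0],
                "distinct_targets": best[1],
                "window_start": best[2].isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} lookups, {info['distinct_targets']} targets from {info['window_start']}")
```

The distinct-target count is what separates a scripted walk over accounts from a legitimate user resubmitting the same form: with the default thresholds only 203.0.113.7 is flagged, and even if the request threshold is lowered to 2, the retrying user at 198.51.100.20 stays clear because every request targets the same account. In a real deployment the same logic would run per IP prefix and per session as well, since a careful actor spreads requests across addresses.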
Twitter did not say how many account holders were affected, only that those affected have been notified.
Why state-sponsored actors would want the country code of a telephone number linked to a Twitter account may seem odd. But according to TechCrunch, the concern is “that malicious actors could have used the security flaw to figure out in which countries accounts were based, which could have ramifications for whistleblowers or political dissidents.”
The vulnerability may not be the only one. Security researcher Terence Eden disclosed an OAuth permissions flaw in Twitter on Dec. 14 that allowed third-party applications to read a user's direct messages even when the authorization screen told the user the app would not have that access.
“For some reason, Twitter’s OAuth screen says that these apps do not have access to direct messages,” Eden explains. “But they do! In short, users could be tricked into allowing access to their DMs.”
Eden said Twitter has since fixed that issue.
One vulnerability is careless, but two so close together is another matter, especially coming on top of the other vulnerabilities reported at Twitter throughout the year.
In September it was revealed that Twitter had patched a vulnerability in one of its application programming interfaces that could give third parties access to direct messages and protected tweets. And last month a hacker hijacked verified accounts to impersonate Tesla Inc. Chief Executive Officer Elon Musk.