A flaw in the Android app for Twitter Inc. has been exploited by a security researcher to match 17 million phone numbers to user accounts in the latest privacy breach involving the microblogging service.
First reported today by TechCrunch and uncovered by vulnerability researcher Ibrahim Balic, the technique abuses a legitimate Twitter feature that lets users upload their contacts and have the phone numbers matched to Twitter accounts.
Using a list of some 2 billion phone numbers, shuffled so that Twitter would not reject the uploads, Balic matched 17 million phone numbers to Twitter accounts over a period of two months. The matched users were located in Israel, Turkey, Iran, Greece, Armenia, France and Germany.
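The article notes that the numbers were shuffled to avoid rejection, which implies that a check keyed on upload order is easy to defeat. An order-insensitive heuristic is to look at how densely an uploader's numbers fill numeric blocks: a genuine address book is sparse, while an enumeration of a range fills whole blocks no matter how it is permuted. The following is an added illustration written for this page, not Twitter's detection logic or Balic's tooling; the block size, the 5% threshold and the sample uploads are all constructed assumptions.

```python
import random
from collections import defaultdict

# Hypothetical heuristic (not Twitter's actual abuse detection).
# Idea: group uploaded numbers by everything except their last BLOCK_DIGITS
# digits, then measure how much of each block of 10**BLOCK_DIGITS possible
# numbers a single uploader has submitted. Enumeration of a range fills
# blocks densely regardless of upload order; real contact lists do not.

BLOCK_DIGITS = 3          # blocks of 1000 consecutive numbers (assumed block size)
DENSITY_THRESHOLD = 0.05  # assumed: >=5% of one block from one uploader is suspicious


def _digits(number: str) -> str:
    """Normalize a phone number to its digits only ("+1 (212) 555-0001" -> "12125550001")."""
    return "".join(ch for ch in number if ch.isdigit())


def block_densities(numbers):
    """Map each block prefix to the fraction of its slots present in `numbers`.

    Duplicates are collapsed, so re-uploading the same number does not inflate density.
    """
    tails_by_block = defaultdict(set)
    for n in numbers:
        d = _digits(n)
        tails_by_block[d[:-BLOCK_DIGITS]].add(d[-BLOCK_DIGITS:])
    capacity = 10 ** BLOCK_DIGITS
    return {blk: len(tails) / capacity for blk, tails in tails_by_block.items()}


def looks_like_enumeration(numbers, threshold=DENSITY_THRESHOLD) -> bool:
    """True if any block is filled beyond `threshold`. Order-insensitive by construction."""
    return any(density >= threshold for density in block_densities(numbers).values())


# Constructed sample 1: a plausible personal address book, one or two numbers per block.
GENUINE_CONTACTS = [
    "+1 (415) 555-0132", "+1 (212) 555-0198", "+44 20 7946 0958", "+44 20 7946 0321",
    "+49 30 5550 1244", "+90 212 555 0177", "+33 1 55 55 01 09", "+30 21 5555 0120",
]

# Constructed sample 2: every number from +1 212 555 0000 to +1 212 555 0999,
# shuffled with a fixed seed so the run is reproducible. Shuffling does not
# change the block density, which is the point of the heuristic.
ENUMERATED_UPLOAD = [f"+1 (212) 555-{i:04d}" for i in range(1000)]
random.Random(1).shuffle(ENUMERATED_UPLOAD)


if __name__ == "__main__":
    for label, upload in (("genuine", GENUINE_CONTACTS), ("enumerated", ENUMERATED_UPLOAD)):
        densest = max(block_densities(upload).values())
        print(f"{label}: densest block {densest:.3f}, flagged={looks_like_enumeration(upload)}")
```

A real deployment would combine this with per-account and per-IP volume limits, since an attacker can spread a range across many uploads; the heuristic above only shows why order-based rejection alone is insufficient.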
Matching a phone number to a Twitter account may not seem serious at first, but it is a deanonymization vector: Balic used the matches to identify the private phone numbers of politicians and officials.
Balic did not notify Twitter, though he did warn some affected users directly. The technique was blocked Dec. 20, the same day Twitter released a security alert for the Android app.
That alert, however, describes a flaw in the Twitter Android app as one that “could allow a bad actor to see nonpublic account information or to control your account” using “a complicated process involving the insertion of malicious code into restricted storage areas of the Twitter app.” Balic’s process involved no malicious code or other forms of hacking and instead simply used an existing Twitter feature.
Twitter has responded to the report, telling Engadget that it takes such reports “seriously” and is “actively investigating” to prevent the bug from being exploited again.
“When we learned about this bug, we suspended the accounts used to inappropriately access people’s personal information,” Twitter added. “Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from the use of Twitter’s APIs.”
The tone of Twitter’s response is somewhat surprising given that Balic’s only offense was to use a feature the company itself exposed and then share the details, albeit not with Twitter. The unanswered question is whether others, particularly those with malicious intent, had already exploited the feature before it was blocked.