UPDATED 21:00 EST / DECEMBER 17 2018

SECURITY

Twitter fixes vulnerability that exposed country code details of targeted users

Twitter Inc. has fixed a strange vulnerability on a support forum that allowed hackers to obtain the country code of accounts, which had an associated phone number as well as information on whether the account was locked.

The vulnerability was discovered by Twitter on Nov. 15, when the company noticed unusual activity involving the affected customer support form application program interface. The surge in traffic came from individual IP addresses located in China and Saudi Arabia.

“While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors,” Twitter said in a post today. The vulnerability was fixed on Nov. 16.

Twitter did not say how many account holders were affected, only that they’ve been informed.

Why state-sponsored actors would be looking for a country code of a telephone number linked to a Twitter address may seem odd. But according to TechCrunch, the concern is “that malicious actors could have used the security flaw to figure out in which countries accounts were based, which could have ramifications for whistleblowers or political dissidents.”

The vulnerability may not be the only one. Security researcher Terence Eden uncovered an OAuth permissions flaw in Twitter Dec. 14 that allows third-party applications to access a users’ direct messages even when they said they would not permit it.

“For some reason, Twitter’s OAuth screen says that these apps do not have access to direct messages,” Eden explains. “But they do! In short, users could be tricked into allowing access to their DMs.”

Eden claimed Twitter has now fixed that issue.

One vulnerability is careless but two so close together is another matter, especially coming on top of various other vulnerabilities at Twitter throughout the year.

In September it was revealed that Twitter had patched a vulnerability in one of its application programming interfaces that gave third parties access to direct messages and protected tweets. And last month a hacker managed to hijack verified accounts and pretend to be Tesla Inc. Chief Executive Officer Elon Musk.

Image: thecampbells/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU