Twitter warned of phone country code leak two years ago — but did nothing, security researcher says

A security researcher found a bug in Twitter’s support form two years ago that exposed the country codes of phone numbers attached to users’ accounts. At the time, his bug report was closed as it did “not appear to present a significant security risk.”

Twitter now says that the bug may have been abused by nation-state actors.

“We have become aware of an issue related to one of our support forms, which is used by account holders to contact Twitter about issues with their account,” said Twitter in its disclosure. “This could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter.”

Peerzada Fawaz Ahmad Qureshi reported the bug through HackerOne, which hosts Twitter’s bug reporting program, in the hope of a fix and a bounty payout, but the report was marked as “informative” and no action was taken.

Qureshi shared his bug report with TechCrunch after learning of Monday’s disclosure, in which he described how it was “possible to map out whether a mobile number is attached to a Twitter account including the country where the mobile number is registered by identifying the country code.”

The bug report detailed how anyone could obtain the country code of a phone number from anyone’s account by running through the site’s password reset process. By selecting “I don’t have access” to an email address associated with an account, the form would change and would allow a user to enter a phone number instead. But, when that page loaded, it would automatically select the account holder’s country code by default.

It’s still not known exactly how the form was abused to allow the mass scraping of account-specific country codes. When reached, a Twitter spokesperson said that the bug was caused by an API that only supported the webform, and was not a developer API — but declined to comment further when pressed on specifics of Qureshi’s report.

You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
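The failure the article describes is an account-recovery form whose contents were built from the looked-up account (the pre-selected country code, and apparently the locked state), which turns the form into an oracle for anyone who can submit an email address. The following Python is an added illustration written for this page, not code from TechCrunch, Twitter or the researcher's report: it contrasts a hypothetical handler with that leaking behaviour against a hardened one whose response does not depend on the account lookup, and includes the regression check a defender would keep in a test suite. The account table, the handler names and the default country code are all constructed for the example.

```python
"""Why a password-reset step must not render anything derived from the account.

Added example (hypothetical handlers and constructed data, not the page's code).
The 'phone step' is the form shown after the user says they cannot access the
email on the account. If its contents come from the stored account record,
the response reveals whether the account exists, its phone country code, and
whether it is locked. The hardened version returns the same form for every
input, so no such information can be inferred from it.
"""
from dataclasses import dataclass

# Constructed sample account store: email -> stored attributes.
ACCOUNTS = {
    "alice@example.com": {"country_code": "+44", "locked": False},
    "bob@example.com": {"country_code": "+1", "locked": True},
}


@dataclass(frozen=True)
class PhoneStepForm:
    """Everything the server sends back for the 'enter your phone number' step."""
    message: str
    selected_country_code: str
    show_locked_notice: bool


def leaky_phone_step(email: str) -> PhoneStepForm:
    """Behaviour as described in the article: the form is filled from the
    account record, so its fields differ by account and by account existence."""
    account = ACCOUNTS.get(email)
    if account is None:
        # Unknown email: generic defaults. Still distinguishable from a hit.
        return PhoneStepForm("Enter the phone number on your account.", "+1", False)
    return PhoneStepForm(
        "Enter the phone number on your account.",
        account["country_code"],   # leaks the stored country code
        account["locked"],         # leaks the lock state
    )


def hardened_phone_step(email: str, viewer_locale_code: str = "+1") -> PhoneStepForm:
    """Constant response: nothing here depends on whether `email` matches an
    account. The default country code comes from the viewer's own locale hint
    (a constructed parameter), never from stored data, and lock status is not
    surfaced in the recovery flow at all. The lookup result is only ever used
    server-side to decide whether to actually send a code later."""
    _ = ACCOUNTS.get(email)  # lookup still happens; its result is not rendered
    return PhoneStepForm(
        "If these details match an account, we will send a code to that number.",
        viewer_locale_code,
        False,
    )


def responses_indistinguishable(handler, known_email: str, unknown_email: str) -> bool:
    """Regression check: a known and an unknown email must yield identical forms."""
    return handler(known_email) == handler(unknown_email)


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_phone_step), ("hardened", hardened_phone_step)):
        same = responses_indistinguishable(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}: identical for known vs unknown account -> {same}")
```

The check compares whole responses rather than a single field, because any account-dependent difference (a pre-selected value, a different message, an extra notice) is enough to build an oracle. Response-time differences are a separate channel and are not addressed by this toy; the equality check only covers what is rendered.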


