Twitter Phone Matching Exploit Traced To Some State-Sponsored Actors
Twitter doesn't get dragged into controversy as often as Facebook does, but when something goes wrong at Twitter it tends to be serious. More often than not, the problem is a critical flaw in the service that compromises users' security or privacy. The latest, disclosed not long ago, shares a root cause with the high-profile hijacking of CEO Jack Dorsey's account: Twitter's use of your phone number.
Social networks often ask (or should ask) users' permission before taking their phone number or reading their address book, and they do so for a variety of reasons. In the Dorsey hack, the number was tied to the account so that tweets could be sent via SMS, which meant whoever took control of the number could post as him. Until recently, Twitter also required a phone number just to set up two-factor authentication, even if you didn't use SMS as the second factor.
Unfortunately, a security researcher discovered last December that a bug in Twitter's Android app allowed third parties to match phone numbers to accounts: by feeding large lists of generated numbers through the app's contact upload feature, an attacker could learn which accounts those numbers belonged to. Only accounts that had a phone number on file and the "Let people who have your phone number find you on Twitter" setting enabled were exposed. Twitter reacted to the report by suspending the accounts it believed were exploiting the hole. Unfortunately, security researchers weren't the only ones doing so.
Twitter now says it traced a high volume of these requests to IP addresses in Iran, Israel, and Malaysia. It suggests, without confirming, that some of those addresses may have ties to state-sponsored actors, meaning either hackers working on a government's behalf or government agents themselves.
The company reports that it has changed the endpoint so that it no longer returns specific account names in response to phone number queries, and that it is working to make sure this vector isn't used again. What the exposure actually cost anyone is still unknown. Because the flaw linked numbers to accounts rather than leaking passwords, Twitter has not told users to change their passwords, but the real risk is deanonymization: a pseudonymous account can be tied to the person whose number it carries. For good measure, turn off the "Let people who have your phone number find you" discoverability setting, and unlink your phone number from the account entirely if you don't need it, since two-factor authentication no longer requires one.