Attackers used Twitter API to match phones to usernames

Attackers used Twitter API
Written by Emma Davis

Twitter reported about an unpleasant incident: attackers used Twitter API to match users’ phone numbers with their names.

The company’s specialists became aware of the abuses on December 24, 2019.

During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case”, — said in the Twitter report.

Interestingly that Twitter engineers learned about an incident only after the TechCrunch publication, which described how an IS expert used the Twitter API to match 17,000,000 phone numbers to public usernames.

IS researcher Ibrahim Balic discovered that it was possible to upload entire lists of generated phone numbers using the Twitter contact upload feature. Therefore, if you upload your phone number, you can get user data in return”, – TechCrunch said.

According to Balich, the function of downloading contacts on Twitter does not allow uploading a list of numbers in a sequential order to avoid abuse. The researcher generated about two billion phone numbers randomized them and uploaded them on Twitter via the Android application (the vulnerability does not apply to the web version of the download function). This manipulation allowed him to match 17 million phone numbers with Twitter accounts.

After publishing this note, Twitter immediately suspended the large network of fake accounts that were used to send API requests. Conducted after this investigation revealed additional evidence that the bug in the API was used not only by the mentioned above information security expert but also by other third parties. Names of the third parties have not been disclosed yet, but it is discovered that some IP addresses could be associated with government hack groups. In particular, requests came from Iran, Israel, and Malaysia.

While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle”, — said Twitter representatives.

As a result, the attacks did not affect all users, but only those who turned on the option in the settings that allows other users to find themselves by phone number.

Currently, the problem has already been fixed, and specific account names cannot be received in response to such a request.

Record in the number of vulnerabilities belongs to Microsoft, considering all updates and patches, but social networks, cms and other web services can also surprise you, as recentrly did DropBox or WordPress plugins. Read our news and reviews on all kinds of malware, stay up to date and use reliable anti-virus software.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.


  1. Umesh Vashistha February 10, 2020
  2. sunil February 16, 2020

Leave a Reply