Twitter confirms: state-sponsored hackers used a large network of fake accounts to exploit API and match usernames to phone numbers
Cybercriminals and state-sponsored hackers used a large network of fake accounts to exploit a Twitter API and match usernames to phone numbers, the social media platform has officially announced. Its cyber security experts immediately suspended these accounts and are disclosing the details of the ongoing investigation. “We discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case. While we identified accounts located in a wide range of countries engaging in these behaviors, we observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” the company stated. “It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”
The cyber security experts: The API endpoint matches phone numbers to Twitter accounts for those people who have enabled the ‘Let people who have your phone number find you on Twitter’ option and who have a phone number associated with their Twitter account
The cyber security experts disclosed that “when used as intended, this endpoint makes it easier for new account holders to find people they may already know on Twitter. The endpoint matches phone numbers to Twitter accounts for those people who have enabled the ‘Let people who have your phone number find you on Twitter’ option and who have a phone number associated with their Twitter account. People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability. After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint”.
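The abuse pattern Twitter describes, many throw-away accounts sharing a source IP and each probing fresh phone numbers against the contact-matching endpoint, can be surfaced from request logs. The following is an added detection example, not Twitter's own code; the log format, the field layout and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of contact-matching requests (hypothetical format):
# "<ISO timestamp> <source IP> <requesting account> <phone number queried>".
SAMPLE_LOG = """\
2019-12-24T10:00:00 203.0.113.5 bulk_acct_01 +15550000001
2019-12-24T10:00:01 203.0.113.5 bulk_acct_02 +15550000002
2019-12-24T10:00:02 203.0.113.5 bulk_acct_03 +15550000003
2019-12-24T10:00:03 203.0.113.5 bulk_acct_04 +15550000004
2019-12-24T10:00:04 203.0.113.5 bulk_acct_05 +15550000005
2019-12-24T10:00:05 203.0.113.5 bulk_acct_06 +15550000006
2019-12-24T10:30:00 198.51.100.7 new_user_42 +15550001000
2019-12-24T10:30:00 198.51.100.7 new_user_42 +15550001001
2019-12-24T10:30:00 198.51.100.7 new_user_42 +15550001002
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, ip, account, phone) tuples."""
    records = []
    for line in text.splitlines():
        ts, ip, account, phone = line.split()
        records.append((datetime.fromisoformat(ts), ip, account, phone))
    return records

def flag_enumeration(records, window=timedelta(minutes=5), max_numbers=5, min_accounts=3):
    """Return source IPs that, inside one sliding time window, query more than
    `max_numbers` distinct phone numbers spread across at least `min_accounts`
    different requesting accounts.  A genuine contact import comes from a single
    new account; many accounts on one IP each probing new numbers is the pattern
    described in the disclosure.  Thresholds are assumed values."""
    by_ip = defaultdict(list)
    for ts, ip, account, phone in sorted(records):
        by_ip[ip].append((ts, account, phone))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward
            chunk = events[start:end + 1]
            numbers = {p for _, _, p in chunk}
            accounts = {a for _, a, _ in chunk}
            if len(numbers) > max_numbers and len(accounts) >= min_accounts:
                flagged[ip] = {"numbers": len(numbers), "accounts": len(accounts)}
                break
    return flagged
```

In the constructed log only 203.0.113.5 is flagged; the single new account importing three contacts from 198.51.100.7 is the intended use and stays below both thresholds.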