Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Twitter Bug Privacy

Twitter Confirms Vulnerability Exposed Data of Anonymous Account Owners (twitter.com) 17

Friday the Twitter Privacy Center posted an announcement on their blog:

"We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened...."

Engadget explains: [T]he company said a malicious actor took advantage of a zero-day flaw before Twitter became aware of and patched the issue in January 2022. The vulnerability was discovered by a security researcher who contacted Twitter through the company's bug bounty program. When Twitter first learned of the flaw, it said it had "no evidence" to suggest it had been exploited. However, an individual told Bleeping Computer last month that they took advantage of the vulnerability to obtain data on more than 5.4 million accounts. Twitter said it could not confirm how many users were affected by the exposure.
From the Twitter Privacy Center: This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.... After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.

We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren't able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.

If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

This discussion has been archived. No new comments can be posted.

Twitter Confirms Vulnerability Exposed Data of Anonymous Account Owners

Comments Filter:
  • The thing about nefariously obtained data is there are no consequences for fraudulent information in it.

  • Is this how everyone found out twitter is mostly bots?
    • Re: (Score:1, Funny)

      by Anonymous Coward

      Everybody left Twitter as soon as Donald J. Trump left the platform. All that is still using Twitter is the Tesla bots.

      • Everybody left Twitter as soon as Donald J. Trump left the platform.

        He "left" the platform? Is that how you guys are trying to spin it now?

        Dude got kicked off for being a serial liar.

  • Twitter constantly nags to add a phone number. I eventually gave in. Now, after the horse is stolen, I am locking the stable doors, deleting that phone number. But can you really trust them to actually delete it from their servers? I am sure it is saved, available in an internal server, through a private API and eventually some other bug, some other update, something happens and hackers will get it.

    Lets remember all the information twitter owns are valuable assets. No matter what the EULA says, if and whe

    • I'm assuming you had an existing account because I don't think it's even possible to create an account without a phone number linked to it anymore. If you somehow manage to achieve that and/or if you don't provide enough personal information on the account, your account gets suspended and they force you to put in a phone number. That's what happened to me when I created my account a year ago - I was flagged as sus in about 10 minutes.

    • by PPH ( 736903 )

      I've done one better. No Twitter account.

  • we had no way of knowing we had been found out!
  • by devslash0 ( 4203435 ) on Sunday August 07, 2022 @04:41PM (#62769900)

    My Twitter account is linked to a burner phone / sim card not used for any other online accounts. Best $1 ever spent.

    • by Ichijo ( 607641 )

      Is there a way to get a burner phone that can't be linked back to you from another zero-day?

      • Why zero days? It's surely a case of cyber intelligence and linking data sources. You can never be certain but if you know how the system works and are super careful, it's possible to lower the chance of detection to near zero.

  • .. only for pseudonymous/anonymous accounts?

    If injecting a phone number into the login flow can reveal which account it belongs to (even if the login fails), how would that differ for named vs anonymous accounts? Sure, you don't get a real person's name. But the pseudonym might be enough.

  • Twitter advises *after* the breach that PII provided to them might get exposed. And, they don't have enough logs to know who was impacted. How utterly irresponsible.

Keep up the good work! But please don't ask me to help.

Working...