Twitter says state-backed actors may have accessed users’ phone numbers

Twitter said on Monday that it experienced found out attempts by attainable point out actors to entry the cellular phone figures affiliated with person accounts, following a safety researcher unearthed a flaw in the company’s “contacts add” aspect.

In a statement posted on its privateness web site, Twitter said it experienced determined a “significant quantity of requests” to use the aspect coming from IP addresses in Iran, Israel and Malaysia. It said, without having elaborating, that “some of these IP addresses may have ties to point out-sponsored actors.”

A firm spokeswoman declined to say how several person cellular phone figures experienced been exposed, expressing Twitter was unable to recognize all of the accounts that may have been impacted.

She said Twitter suspected a attainable relationship to point out-backed actors mainly because the attackers in Iran appeared to have experienced unrestricted entry to Twitter, even though the network is banned there.

Tech publication TechCrunch noted https://techcrunch.com/2019/12/24/twitter-android-bug-cellular phone-figures on Dec. 24 that a safety researcher, Ibrahim Balic, experienced managed to match 17 million cellular phone figures to precise Twitter person accounts by exploiting a flaw in the contacts aspect of its Android app. TechCrunch said it was in a position to recognize a senior Israeli politician by matching a cellular phone variety as a result of the instrument.

The aspect, which permits people today with a user’s cellular phone variety to obtain and connect with that person on Twitter, is off by default for end users in the European Union in which stringent privateness policies are in position. It is switched on by default for all other end users globally, the spokeswoman said.

Twitter said in its statement that it has modified the aspect so it no longer reveals precise account names in response to requests. It has also suspended any accounts believed to have been abusing the instrument.

Nevertheless, the firm is not sending specific notifications to end users whose cellular phone figures were being accessed in the details leak, which facts safety experts consider a ideal follow.