Security researcher Ibrahim Balic has been able to match nearly 17 million phone numbers to Twitter accounts by exploiting a bug in Twitter’s Android app, TechCrunch is reporting.
“If you upload your phone number, it fetches user data in return,” said Balic while noting that a security flaw allowed uploading entire lists of generated phone numbers through Twitter’s contacts upload feature.
The researcher first generated over two billion phone numbers, then randomized the numbers, and then uploaded them to Twitter through the Android app. The bug allowed him to match records from Twitter users in Israel, Turkey, Iran, Greece, Armenia, France, and Germany over a period of two months.
Twitter eventually blocked Balic’s efforts on December 20th.
Using the site’s password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided. In one case, TechCrunch was able to identify a senior Israeli politician using their matched phone number.
While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users — including politicians and officials — to a WhatsApp group in an effort to warn users directly.
A Twitter spokesperson has said the company is working to “ensure this bug cannot be exploited again.”