Twitter Android app bug matched millions of phone numbers to accounts

Twitter may not have been dragged into major privacy and political scandals the way Facebook has been but it has its fair share of headaches. Most of these stem from technical problems, a.k.a. bugs, that leak users' information when they shouldn't. The latest seems to be an almost simple flaw that could match phone numbers to users by simply uploading a massive list of randomly generated numbers through the Twitter app on Android.

The exploit was discovered and tested by security researcher Ibrahim Balic over the course of two months. Balic generated millions of phone numbers and arranged them in non-sequential order to bypass Twitter's security measure designed to block exactly that kind of fishing attempt. Apparently, it was that easy to trigger the bug.

Twitter allowed users to upload contact's numbers in order to check if they have Twitter accounts and connect them. Balic was able to match 17 million generated phone numbers with Twitter user accounts, some of which were confirmed by TechCrunch. The big wasn't present on Twitter's web interface.

Balic didn't report the matter to Twitter but alerted affected users in a WhatsApp group. He says that Twitter has blocked the attempts on December 20 and a company spokesperson confirmed that it suspended accounts that exploited the system this way. It didn't confirm the actual bug or the measures it has taken to ensure that the contacts upload feature wouldn't be exploitable that way again.

This exploit may not be related to the one Twitter publicly announced this week also affecting the Android app. That was painted more as a bug that needed more active code injection rather than abusing features Twitter itself provides. Regardless, it joins the list of Twitter vulnerabilities reported this year, some of which affect only the social network's Android app.