Expert Analysis On Attacker Used Twitter API To Match Usernames To Passwords

Twitter has disclosed a security incident involving the abuse of one of its official API features. Twitter admitted a flaw in its backend systems was exploited to discover the cellphone numbers of potentially millions of users en masse, which could lead to their de-anonymization through the exploitable API which has already been abused by systems in Iran, Israel and Malaysia.

Subscribe
Notify of
guest

1 Expert Comment
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Ilia Kolochenko
Ilia Kolochenko , Founder and CEO
InfoSec Expert
February 5, 2020 12:57 pm

Security weaknesses affecting APIs are rapidly becoming one of the most critical aspects of modern application security. Their complexity and obscurity hinder security testing with traditional tools and automated scanners, and many dangerous security flaws remain undetected.

Often they are riddled with a full spectrum of OWASP API Security Top 10 issues, some of which are intricately intertwined and require chained exploitations. It seems that Twitter’s bug bounty has been futile when detecting the vulnerability in a timely manner.

The security vulnerability in question is comparatively riskless in light of a myriad of avenues to obtain someone’s phone number, including social engineering and OSINT methodologies. Twitter’s claims about the involvement of “IPs of state-sponsored actors” are a bit incomprehensible without further details. Today, it is virtually impossible to reliably attribute an attack, and I think nation-state actors have access to much more dangerous vulnerabilities affecting Twitter and its suppliers.

Last edited 2 years ago by Ilia Kolochenko
Information Security Buzz
1
0
Would love your thoughts, please comment.x
()
x