Exactly as predicted in January on HackerOne, a Twitter vuln that allows attackers to access the phone numbers and email addresses associated with Twitter accounts has been used, and the data is for sale on Breach Forums.

Source – RestorePrivacy.com:

Earlier today we noticed a new user selling the Twitter database on Breach Forums… The post is still live now with the Twitter database allegedly consisting of 5.4 million users being for sale. The seller on the hacking forum goes by the username “devil” and claims that the dataset includes “Celebrities, to Companies, randoms, OGs, etc.” … the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above. 

  • This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities – 
    HackerOne user zhirinovskiy
1 Expert Comment
Timothy Morris (Timothy.morris), Technology Strategist, InfoSec Expert
July 25, 2022 12:04 pm

“This is just more confirmation that privacy is an illusion for the most part. The ability of this vulnerability to expose someone’s aliases or non-attributable Twitter profiles demonstrates this reality in a powerful way. It’s concerning, especially for those in sensitive situations, such as crime victims, political activists/dissidents, and those under the thumb of oppressive regimes. While in this instance, the discovery was responsibly disclosed and addressed, the reality is Twitter handles and identities are a sought-after commodity that can be used to compromise other systems or wreak havoc in someone’s personal life. It’s likely that there are other vulnerabilities yet to be exposed that will yield similar access, so it’s reasonable to expect this trend to continue.  

“To avoid being victimized, it’s best to operate under the mindset that digital footprints exist everywhere and can never be completely eradicated, and thus anonymity in the digital realm is a fallacy. For developers, this vulnerability also shows there’s still a need for proper input validation and for ensuring that any request is authorized or authenticated. The root of this specific vuln is that of improper access control.”

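As an added illustration (not code from the article, from Twitter or from the commenter), the access-control flaw described above modelled in Python with constructed accounts: a contact lookup that ignores the owner's discoverability settings beside one that honours them, plus a simple detection that flags clients looking up many distinct identifiers. All usernames, addresses and numbers are hypothetical sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Constructed sample accounts; hypothetical, not real Twitter data.
@dataclass
class Account:
    username: str
    email: str
    phone: str
    discoverable_by_email: bool
    discoverable_by_phone: bool

ACCOUNTS = [
    Account("alice", "alice@example.com", "+15550100", True, True),
    Account("hidden_activist", "h@example.org", "+15550101", False, False),
]

def lookup_vulnerable(identifier: str) -> Optional[str]:
    """Flawed lookup: resolves any email or phone to a username,
    ignoring the account owner's discoverability settings."""
    for a in ACCOUNTS:
        if identifier in (a.email, a.phone):
            return a.username
    return None

def lookup_fixed(identifier: str) -> Optional[str]:
    """Hardened lookup: resolves only identifiers the owner opted to make
    discoverable. 'Not discoverable' and 'no such account' produce the
    same response, so the caller cannot tell them apart."""
    for a in ACCOUNTS:
        if identifier == a.email and a.discoverable_by_email:
            return a.username
        if identifier == a.phone and a.discoverable_by_phone:
            return a.username
    return None

def flag_enumerators(requests: Iterable[Tuple[str, str]], threshold: int) -> Set[str]:
    """Detection: a client that queries more than `threshold` distinct
    identifiers is behaving like a bulk enumerator, not a user syncing
    contacts. `requests` yields (client_id, identifier) pairs."""
    seen = defaultdict(set)
    for client, ident in requests:
        seen[client].add(ident)
    return {c for c, ids in seen.items() if len(ids) > threshold}

# Constructed request log: "bot" sweeps many identifiers, "user" checks one.
REQUEST_LOG = [("bot", "a@example.com"), ("bot", "b@example.com"),
               ("bot", "+15550101"), ("user", "alice@example.com")]
```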
Information Security Buzz