Twitter has revealed that a flaw in the company’s “contacts upload” feature has been discovered, with attempts having made by several state actors to allegedly access the phone numbers of users. A “high volume of requests” to use the feature was detected from IP addresses from Iran, Israel, and Malaysia.
“We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia. It is possible that some of these IP addresses may have ties to state-sponsored actors. We are disclosing this out of an abundance of caution and as a matter of principle.”
According to a Reuters report, Twitter suspects that a government connection here, with the “attackers” in Iran having unrestricted access to the platform despite it being banned int he country. All of the connected accounts have been suspended in the meantime, and Twitter says that they have “fixed” the issue.
How did this happen?
According to Techcrunch, a security researcher said he matched 17 million phone numbers to Twitter accounts after exposing a vulnerability in the company’s Android app. In a nutshell, the issue stems from the contact upload feature. He explained that if you upload entire lists of random phone numbers, Twitter fetches user data in return, enabling you to match these numbers to their users.
Not everyone is affected, it appears. Twitter explained in a blog post that only users with the “Let people who have your phone number find you on Twitter” option with an associated phone number are susceptible, although the loophole has been fixed.
“We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
There doesn’t appear to be any concrete news on who these “state actors” are, however. And it seems that Twitter doesn’t really know who exactly the perpetrators are—or they’re not pursuing it, I don’t know. State actors, by their very definition, are supposed to be parties acting on behalf of governments, which certainly is a scary thought.
And this isn’t the first time that Twitter and its users’ info has allegedly been misused for political agendas. Last year, 88,000 accounts from Saudi Arabia were suspended by the company for “manipulating” the platform as part of a state-backed information campaign. And Google has also revealed data privacy concerns of its own—some users reportedly had their private videos sent to total strangers while backing up their images on Google Photos.