A security researcher found a bug in Twitter’s support form two years ago that exposed the country codes of phone numbers attached to users’ accounts. At the time, his bug report was closed as it did “not appear to present a significant security risk.”
Twitter now says that the bug may have been abused by nation-state actors.
“We have become aware of an issue related to one of our support forms, which is used by account holders to contact Twitter about issues with their account,” said Twitter in its disclosure. “This could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter.”
Peerzada Fawaz Ahmad Qureshi reported the bug through HackerOne, which hosts Twitter’s bug reporting program, in the hope of a fix and a bounty payout, but the report was marked as “informative” and no action was taken.
Qureshi shared his bug report with TechCrunch after learning of Monday’s disclosure, in which he described how it was “possible to map out whether a mobile number is attached to a Twitter account including the country where the mobile number is registered by identifying the country code.”
The bug report detailed how anyone could obtain the country code of a phone number from anyone’s account by running through the site’s password reset process. By selecting “I don’t have access” to an email address associated with an account, the form would change and would allow a user to enter a phone number instead. But, when that page loaded, it would automatically select the account holder’s country code by default.
Although only the country code was leaked, some say it would be enough to identify in which country an account holder lives — which could be dangerous in regions where freedom of speech and expression is restricted.
But after the bug was triaged, it was determined that “while this may or may not be ideal behavior, we don’t consider the disclosure of a user’s country code to be sensitive information at this time.”
Little did the company know that the bug could have been later exploited by running a “large number of inquiries” in one go, as Twitter said in its Monday disclosure.
It’s still not known exactly how the form was abused to allow the mass scraping of account-specific country codes. When reached, a Twitter spokesperson said that the bug was caused by an API that only supported the webform, and was not a developer API — but declined to comment further when pressed on specifics of Qureshi’s report. Qureshi said it was possible that the webform’s API wasn’t rate limited — allowing someone “to enumerate users who had a mobile number linked” to their account, he said — but could not confirm as he did not test the limits of the API.
When checked on Tuesday, the webform no longer displays a user’s country code by default — effectively nixing the bug.
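To make the mechanism concrete, here is a toy model (added here, not code from Twitter or from Qureshi's report) of the "I don't have access" reset step described above: a handler that pre-fills the form from account state beside one that returns the same body regardless of account, with a per-client request quota standing in for the rate limit Qureshi speculated was missing. The account data and the quota value are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    handle: str
    phone_country_code: Optional[str]  # e.g. "+44"; None if no phone on file
    locked: bool


# Constructed sample data for the demonstration; not real account data.
ACCOUNTS = {
    "alice": Account("alice", "+44", False),
    "bob": Account("bob", "+1", True),
}


def leaky_reset_form(handle: str) -> dict:
    """Models the original behaviour: the reset step pre-fills the phone field
    from the account, so the response is a per-account oracle (existence,
    country code, lock state)."""
    acct = ACCOUNTS.get(handle)
    if acct is None:
        return {"error": "no such account"}
    return {"default_country_code": acct.phone_country_code or "", "locked": acct.locked}


_requests = defaultdict(int)  # per-client request counter for the quota below
MAX_REQUESTS_PER_CLIENT = 5   # assumed quota; the article gives no number


def hardened_reset_form(handle: str, client_id: str) -> dict:
    """Same step with no account-derived defaults and a per-client quota.

    The body is identical for unknown handles, handles without a phone and
    locked accounts; any verification code goes out-of-band to the number the
    requester types, so nothing about the account is reflected back."""
    _requests[client_id] += 1
    if _requests[client_id] > MAX_REQUESTS_PER_CLIENT:
        return {"error": "too many requests"}
    return {"default_country_code": "",
            "message": "If this account has a phone number on file, we sent a code."}


def responses_are_uniform(responses) -> bool:
    """True when every response is identical, i.e. carries no per-account signal."""
    return len({repr(sorted(r.items())) for r in responses}) == 1
```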
Twitter said that it discovered the bug on November 15 — a little over a month ago — and fixed it a day later, and suggested — without providing evidence — that the data may have been scraped from IP addresses associated with China and Saudi Arabia. The company didn’t say how many users were affected by the bug, but said it was “sorry this happened.”