Twitter has publicly disclosed a security “incident” that points to long-standing problems with how the service handles phone numbers. Twitter announced it had discovered and shut down “a large network of fake accounts” that were uploading large numbers of phone numbers and using tools in Twitter’s API to match them to individual usernames. This type of activity can be used to build a reverse-lookup tool, to find the phone number associated with a given username.

It turns out at least one of those people uploading massive lists of phone numbers was a security researcher, whose findings TechCrunch reported on in December.

Problems with tools that allow users to find accounts using the phone numbers associated with them are not new at Twitter (or at Facebook, for that matter). And, given the way these features are designed, their potential for abuse is not likely to go away anytime soon.

The best way for Twitter to protect its users is to minimize the number of accounts with phone numbers tied to them, and make it clear to users when and how those numbers might be exposed. That’s why Twitter needs to stop pressuring users to add their phone numbers to their profiles and stop making those phone numbers discoverable by default.

How It Works

When you are new to a service or first download an app, you may see a prompt to upload your contacts to find people you already know on the app. Twitter offers one of those contact upload tools.

The problem is that, if Twitter wants to connect you with your friends via their phone numbers, it needs to offer an API to support it. While that kind of API can and should come with limitations to prevent someone from maliciously revealing people’s identities and contact information, there will almost always be a way around it. In Twitter’s case, one of the limitations in place was to reject anyone who tried to upload a long list of sequential phone numbers—a sign that this person was almost certainly not uploading an address book in an attempt to find friends.

The workaround is almost comically simple: someone could just upload a long list of randomized phone numbers instead. And that’s how the security researcher whose work tipped Twitter off to this problem was able to match up phone numbers and usernames not just for people in his contacts, but for 17 million unsuspecting Twitter users, including high-profile officials and politicians around the world.
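The passage above describes one server-side check (reject long runs of sequential phone numbers) and why it is so easy to defeat (upload randomized numbers instead). The following is an added example, not Twitter's code, of how a contact-matching endpoint can screen an upload batch with several independent signals rather than that single one. The directory of discoverable users, the uploader names and all of the policy thresholds (`MAX_BATCH`, `MAX_PER_DAY`, `SEQ_RUN_FRACTION`, `MIN_MATCH_RATE`) are constructed assumptions for illustration. The idea being demonstrated is that a randomized list still looks nothing like a real address book: it is far larger, its match rate against real accounts is far lower, and the same uploader keeps submitting more of them.

```python
"""Screening contact-upload batches before returning any account matches.

Added example (not Twitter's implementation). The directory, thresholds and
sample batches below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample directory: E.164 phone number -> username. Only users who
# both have a phone number on file AND have "phone number discoverability"
# switched on are indexed; everyone else is simply absent and can never match.
DISCOVERABLE = {
    "+15551230001": "alice",
    "+15551230007": "bob",
    "+15559870042": "carol",
    "+15553330199": "dave",
}

# Policy knobs (assumed values for this example, not Twitter's real limits).
MAX_BATCH = 5_000        # a single address book larger than this is suspect
MAX_PER_DAY = 20_000     # cumulative numbers one uploader may submit per window
WINDOW = 24 * 3600       # seconds
SEQ_RUN_FRACTION = 0.5   # share of adjacent (sorted) numbers that differ by 1
MIN_MATCH_RATE = 0.02    # random dialling matches far fewer accounts than a real book
MIN_RATE_SAMPLE = 50     # only judge match rate once the batch is big enough


@dataclass
class UploaderState:
    """What we remember about one uploader: (timestamp, batch size) pairs."""
    submitted: list = field(default_factory=list)


def new_state():
    """Fresh per-uploader bookkeeping (one dict shared by the whole service)."""
    return defaultdict(UploaderState)


def sequential_fraction(numbers):
    """The page's original signal: how much of the batch is consecutive numbers."""
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    if len(digits) < 2:
        return 0.0
    runs = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return runs / (len(digits) - 1)


def screen_batch(uploader, numbers, now, state):
    """Return (matches, reasons). `matches` is empty whenever the batch is refused.

    Every submitted batch, refused or not, is charged against the uploader's
    rolling quota so that retrying does not reset the counter.
    """
    reasons = []
    numbers = list(dict.fromkeys(numbers))  # de-duplicate, keep order

    if len(numbers) > MAX_BATCH:
        reasons.append("batch_too_large")
    if sequential_fraction(numbers) >= SEQ_RUN_FRACTION:
        reasons.append("sequential_numbers")

    st = state[uploader]
    st.submitted = [(t, c) for t, c in st.submitted if now - t < WINDOW]
    st.submitted.append((now, len(numbers)))
    if sum(c for _, c in st.submitted) > MAX_PER_DAY:
        reasons.append("aggregate_volume")

    if reasons:
        return [], reasons

    hits = [(n, DISCOVERABLE[n]) for n in numbers if n in DISCOVERABLE]
    # A randomized list mostly hits unassigned numbers, so very few resolve to
    # accounts; a genuine address book resolves a noticeable share of entries.
    if len(numbers) >= MIN_RATE_SAMPLE and len(hits) / len(numbers) < MIN_MATCH_RATE:
        return [], ["low_match_rate"]
    return hits, reasons


if __name__ == "__main__":
    state = new_state()
    book = ["+15551230001", "+15559870042", "+15550000000"]  # constructed
    print(screen_batch("genuine_user", book, now=0, state=state))
    randomized = [f"+1555{i * 7919:07d}" for i in range(200)]  # constructed
    print(screen_batch("scraper", randomized, now=0, state=state))
```

The sequential check alone would wave the `randomized` batch through, which is exactly the gap the article describes; the match-rate and rolling-volume signals are what refuse it. Thresholds like these need tuning against real traffic, and the refusal should not itself leak which numbers did match.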

Who It Affects

This tool can only match phone numbers to Twitter accounts for those who 1) have “phone number discoverability” turned on in their settings and 2) have a phone number associated with their account. If either of those is not true for you, then your account was not exposed by this problem. For a step-by-step guide to checking your settings, visit our tutorial here.

Vague Promises

This is not the only time Twitter has recently messed up its management and protection of user phone numbers: just last October Twitter fessed up to using users’ two-factor authentication numbers for targeted advertising.

But, then as now, Twitter’s plans to fix the problems that exposed user information in the first place are troublingly vague. Twitter’s announcement claimed that the company has made a “number of changes to this [contact upload tool] so that it could no longer return specific account names in response to queries.”

But what exactly are those changes, and how will they work? After failing the public trust, Twitter owes its users more transparency so that they can judge for themselves whether the fixes were adequate.