Date: 2019-12-28

A Twitter spokesperson told the website that the company is working to ensure the bug in its Android app cannot be exploited again. (Image: Bloomberg)

A security researcher exploited a bug in Twitter’s Android app to match close to 17 million mobile numbers to their respective user accounts on the platform. Ibrahim Balic told TechCrunch that he was able to match phone numbers to users in Israel, Turkey, Iran, Greece, Armenia, France and Germany over a two-month period.

Many of the phone numbers that Balic accessed reportedly belonged to politicians and other high-profile officials. Though Balic did not report the bug to Twitter, he warned some affected users directly. On December 20, after learning about the bug, Twitter blocked his efforts.

A Twitter spokesperson told the website that the company is working to ensure the bug in its Android app cannot be exploited again. Meanwhile, it has suspended the accounts that were used to access people’s personal information without consent.

Twitter’s contact upload feature did not allow Balic to upload lists of phone numbers in sequential order, so he generated more than two billion phone numbers, randomised their order, uploaded them through Twitter’s Android app and matched them against Twitter accounts.
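The paragraph above describes the two controls that matter on a contact-sync endpoint: whether the service rejects obviously sequential number lists, and whether it notices an uploader whose "address book" is vastly larger than any real one and almost never matches an account. The following is an added illustration written for this article, not code from Twitter or from the researcher; the directory contents, the per-day cap, the hit-rate threshold and the sequential-run length are all constructed or hypothetical values chosen for the example. It simulates a contact-matching service with those three defensive checks and shows that a rejected-sequential, random-order enumeration still trips the volume and hit-rate checks.

```python
import random
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample directory standing in for the platform's phone -> account index.
DIRECTORY = {
    "+15550000101": "alice",
    "+15550000102": "bob",
    "+15550000103": "carol",
}

# Hypothetical policy values for the example (not the platform's real limits).
MAX_CONTACTS_PER_DAY = 5000      # no real address book approaches this
MIN_VOLUME_FOR_RATE_CHECK = 1000  # only judge hit rate once there is enough data
MIN_HIT_RATE = 0.02               # a real contact list matches far more often than random digits
SEQUENTIAL_RUN_LIMIT = 20         # this many consecutive numbers in one batch looks generated


def looks_sequential(numbers, run_limit=SEQUENTIAL_RUN_LIMIT):
    """True if the batch contains a run of at least `run_limit` consecutive integers."""
    values = sorted(int(n.lstrip("+")) for n in numbers)
    longest = run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        longest = max(longest, run)
    return longest >= run_limit


@dataclass
class UploaderState:
    uploaded: int = 0
    matched: int = 0
    blocked: bool = False


class ContactSync:
    """Contact-matching service with volume, hit-rate and sequential-batch controls."""

    def __init__(self, directory):
        self.directory = directory
        self.state = defaultdict(UploaderState)

    def upload(self, uploader, numbers):
        st = self.state[uploader]
        if st.blocked:
            return {"status": "blocked", "reason": "already_blocked", "matches": {}}
        if looks_sequential(numbers):
            # Reject the batch outright; do not count it or reveal any matches.
            return {"status": "rejected", "reason": "sequential_batch", "matches": {}}
        if st.uploaded + len(numbers) > MAX_CONTACTS_PER_DAY:
            st.blocked = True
            return {"status": "blocked", "reason": "daily_cap", "matches": {}}
        matches = {n: self.directory[n] for n in numbers if n in self.directory}
        st.uploaded += len(numbers)
        st.matched += len(matches)
        if st.uploaded >= MIN_VOLUME_FOR_RATE_CHECK and st.matched / st.uploaded < MIN_HIT_RATE:
            # Enough volume with almost no hits: an enumeration, not an address book.
            st.blocked = True
            return {"status": "blocked", "reason": "low_hit_rate", "matches": {}}
        return {"status": "ok", "matches": matches}


def run_enumerator_simulation(batches=3, batch_size=500, seed=1):
    """Feed randomly ordered generated numbers in batches and return each batch's result."""
    rng = random.Random(seed)
    svc = ContactSync(DIRECTORY)
    results = []
    for _ in range(batches):
        batch = [f"+1555{rng.randrange(10 ** 7):07d}" for _ in range(batch_size)]
        results.append(svc.upload("enumerator", batch))
    return results


if __name__ == "__main__":
    svc = ContactSync(DIRECTORY)
    print(svc.upload("legit", ["+15550000101", "+15550000102", "+15559876543"]))
    print(svc.upload("seq", [f"+1555000{i:04d}" for i in range(100)]))
    for r in run_enumerator_simulation():
        print(r["status"], r.get("reason", ""), len(r["matches"]))
```

The sequential check alone is what the article implies existed, and randomising the upload order defeats it; the volume cap and the hit-rate check are the controls that do not care about ordering, which is why the enumerator in the simulation is blocked on its second batch even though every batch passes the sequential test.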

He also provided TechCrunch with a sample of the phone numbers he had matched, one of which the website was able to identify as belonging to a senior Israeli politician. “Using the site’s password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided,” the report said.

This is not the first time that Twitter has come under fire over privacy concerns. Earlier this week, Twitter revealed that it had fixed a vulnerability in its Android app that could allow hackers to access users’ private information or take control of their accounts. Whether this is the same vulnerability that Balic exploited or a different one is unclear.

