Twitter has not had the best of years when it comes to data security and privacy. The company admitted in May to accidentally sharing the location data of some iOS users with a partner, and it apologized for using users' personal information for advertising without their consent. Now a security researcher, Ibrahim Balic, has told TechCrunch that a bug in the Twitter for Android app let him match 17 million phone numbers to Twitter accounts.
The bug is exploited through the app's contact upload feature, which is meant to let users find people they know. As the researcher put it, "If you upload your phone number, it fetches user data in return." The feature rejects the upload of a sequential list of numbers, presumably to prevent exactly this kind of misuse, but the check keyed on the ordering of the list rather than on the volume of lookups: the same numbers in randomized order could be uploaded, and the account information matching each number retrieved.
The issue was not reported to Twitter directly; instead the researcher shared his findings with some of the users whose numbers he had matched, warning them of the flaw. The matched accounts included users in Israel, Turkey, Iran, Greece, Armenia, France and Germany. Linking a phone number to an account in this way can deanonymize a pseudonymous user, which is what makes the bug a security issue rather than a data-quality one.
Over a period of two months the researcher generated around two billion phone numbers in sequence, randomized their order and uploaded them through the Twitter for Android app. Twitter blocked his efforts on 20 December.
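The two paragraphs above describe a sequentiality check that a shuffled list walks straight past. The following is an added example, not Twitter's code and not the researcher's; it assumes a hypothetical heuristic (flag a batch when most adjacent numbers differ by exactly 1) and shows that the same set of numbers is rejected in order and accepted shuffled, then contrasts it with an order-independent control: a per-account cap on the distinct numbers ever submitted for matching. The phone numbers, the `LookupQuota` class and the cap value are constructed for illustration.

```python
import random

# Constructed sample: 1,000 consecutive numbers under a fake prefix.
BASE = 15550000000
SEQUENTIAL_BATCH = [BASE + i for i in range(1000)]


def looks_sequential(numbers, threshold=0.5):
    """Hypothetical server-side heuristic: reject a batch when at least
    `threshold` of adjacent pairs differ by exactly 1. It inspects order only."""
    if len(numbers) < 2:
        return False
    runs = sum(1 for a, b in zip(numbers, numbers[1:]) if b - a == 1)
    return runs / (len(numbers) - 1) >= threshold


def shuffled(numbers, seed=0):
    """Return the same numbers in a deterministic random order."""
    rng = random.Random(seed)
    out = list(numbers)
    rng.shuffle(out)
    return out


def heuristic_bypassed(numbers):
    """True when the heuristic rejects the ordered batch but accepts the same
    numbers shuffled. The lookup set, and therefore what leaks, is identical."""
    return looks_sequential(numbers) and not looks_sequential(shuffled(numbers))


class LookupQuota:
    """Order-independent control (assumed design, not Twitter's): cap the number
    of distinct phone numbers one account may ever submit for matching.
    Shuffling, sorting or splitting the list across uploads does not change the
    count. Re-uploading numbers already seen (a real address book) is free.
    A production service would use an approximate distinct counter rather than
    a set per account; the set here keeps the example self-contained."""

    def __init__(self, max_numbers):
        self.max_numbers = max_numbers
        self.seen = {}  # account id -> set of numbers already submitted

    def allow(self, account, batch):
        seen = self.seen.setdefault(account, set())
        if len(seen | set(batch)) > self.max_numbers:
            return False
        seen.update(batch)
        return True


if __name__ == "__main__":
    print("ordered batch flagged:", looks_sequential(SEQUENTIAL_BATCH))
    print("shuffled batch flagged:", looks_sequential(shuffled(SEQUENTIAL_BATCH)))
    quota = LookupQuota(max_numbers=1500)
    print("first shuffled upload allowed:", quota.allow("acct", shuffled(SEQUENTIAL_BATCH)))
    second = [BASE + 5000 + i for i in range(1000)]
    print("second fresh upload allowed:", quota.allow("acct", shuffled(second)))
```

The quota is a floor, not a complete defense: a determined attacker spreads lookups over many accounts, so the per-account cap belongs alongside account-level signals such as an implausibly low match rate (a genuine address book matches far more often than random numbers do) and lifetime lookup totals across the service.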
The company has not officially acknowledged the bug, and it is not known whether a recent blog post about a fix for an Android security issue relates to this one. Twitter owes users an update on whether the bug that allowed the matching has been fixed, and on whether they need to take any action to secure their information.