In a statement published today, Twitter disclosed a security incident during which third-parties exploited the company’s official API (Application Programming Interface) to match phone numbers with Twitter usernames.
In an email seeking clarifications about the incident, Twitter told ZDNet that they became aware of exploitation attempts against this API feature on December 24, 2019, following a report from tech news site TechCrunch. The report detailed the efforts of a security researcher who abused a Twitter API feature to match 17 million phone numbers to public usernames.
Twitter says that following this report it intervened and immediately suspended a large network of fake accounts that had been used to query its API and match phone numbers to Twitter usernames.
During its investigation into the report, the social network told ZDNet that it also discovered additional evidence that this API bug had also been exploited by other third-parties, beyond the security researcher at the heart of the TechCrunch report.
Twitter did not clarify who these third-parties were, but it did say that some of the IP addresses used in these API exploitation attempts had ties to state-sponsored actors, a term used to described either government intelligence agencies, or third-party hacking groups that benefit from a government’s backing.
The company said it is disclosing today the findings of its investigation “out of an abundance of caution and as a matter of principle.”
The Twitter API bug that was abused in the attack
According to Twitter, the attackers exploited a legitimate API endpoint that allows new account holders to find people they know on Twitter. The API endpoint allows users to submit phone numbers and matches them to known Twitter accounts.
Twitter says the attacks did not impact all Twitter users, but only those who enabled an option in their settings section to allow phone number-based matching.
“People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability,” Twitter said.
The social network said it immediately made a number of changes to this endpoint after it detected the attack “so that it could no longer return specific account names in response to queries.”
Article was rewritten and updated on 6:00pm ET based on the additional information provided by a Twitter spokesperson.