Verified Twitter Vulnerability Exposes Data from 5.4 Million Accounts

A verified Twitter vulnerability from January has been exploited by a threat actor to gain account data allegedly belonging to 5.4 million users. While Twitter has since patched the vulnerability, the database allegedly acquired through this exploit is now being sold on a popular hacking forum, in a listing posted earlier today.

Back in January, a report was made on HackerOne of a vulnerability that allows an attacker to acquire the phone number and/or email address associated with Twitter accounts, even if the user has hidden these fields in the privacy settings.

The bug was specific to Twitter’s Android client and lay in Twitter’s authorization process.

The HackerOne user “zhirinovskiy” submitted the bug report on January 1st of this year. He described the potential consequences of this vulnerability as a serious threat that could be exploited by threat actors.

This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.

– HackerOne user

The HackerOne report subsequently lays out exactly how to replicate the vulnerability and acquire the data from a targeted Twitter account.

Five days after posting the report, Twitter staff acknowledged this to
