In the span of five days, reports of two Twitter Android app vulnerabilities have surfaced: one that could allow attackers to view nonpublic account information or take control of accounts, and another that reportedly allowed a researcher to look up details on 17 million accounts.
In a Dec. 20 blog post, Twitter noted that it issued an app update to fix the first bug, which can be exploited via a "complicated process involving the insertion of malicious code into restricted storage areas of the Twitter app." Successfully performing this exploit would allow a malicious actor to access information such as direct messages, protected tweets and location information. However, Twitter said there is no evidence to suggest that anyone has successfully executed such an attack.
The San Francisco-based social media company said it has taken steps to notify and provide instructions to people that may have been exposed to the bug.
Then on Dec. 24, TechCrunch reported a second information-revealing vulnerability in the same app, citing findings from security researcher Ibrahim Balic. Balic told the news organization that he was able to use the vulnerability to match 17 million phone numbers to their respective accounts, after uploading huge lists of phone numbers through the contacts upload feature.
Although the contacts upload feature does not accept lists of phone numbers in sequential format, Balic reportedly said that he was able to circumvent this obstacle by generating over 2 billion phone numbers and then randomizing their order before uploading them. Balic reportedly used hundreds of fake accounts to conduct his experiment, and ultimately retrieved records from users around the world, including some belonging to politicians and officials.
Reportedly, Balic elected to inform TechCrunch instead of alerting Twitter, which blocked the researcher's efforts as of Dec. 20. "Upon learning of this bug, we suspended the accounts used to inappropriately access people's personal information," said a Twitter spokesperson, according to TechCrunch. "Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter's APIs." The spokesperson reportedly also said that Twitter was working to ensure that no one can exploit this bug in the future.