
Two information-disclosing bugs found in Twitter Android

In the span of five days, reports of two Twitter Android app vulnerabilities have surfaced: one that could cause attackers to view nonpublic account information or control accounts, and another that reportedly allowed a researcher to look up details on 17 million accounts.

In a Dec. 20 blog post, Twitter noted that it issued an app update to fix the first bug, which can be exploited via a "complicated process involving the insertion of malicious code into restricted storage areas of the Twitter app." Successfully performing this exploit would allow a malicious actor to access information such as direct messages, protected tweets and location information. However, Twitter said there is no evidence to suggest that anyone has successfully executed such an attack.

The San Francisco-based social media company said it has taken steps to notify and provide instructions to people that may have been exposed to the bug.

Then on Dec. 24, TechCrunch reported a second information-revealing vulnerability in the same app, citing findings from security researcher Ibrahim Balic. Balic told the news organization that he was able to use the vulnerability to match 17 million phone numbers to their respective accounts, after uploading huge lists of phone numbers through the contacts upload feature.

Although the contacts upload feature does not accept lists of phone numbers in sequential format, Balic reportedly said that he was able to circumvent this obstacle by generating over 2 billion phone numbers and then randomizing them before uploading them. Balic reportedly used hundreds of fake accounts to conduct his experiment, and ultimately retrieved records from users around the world, including some belonging to politicians and officials.

Reportedly, Balic elected to inform TechCrunch instead of alerting Twitter, which blocked the researcher's efforts as of Dec. 20. "Upon learning of this bug, we suspended the accounts used to inappropriately access people's personal information," said a Twitter spokesperson, according to TechCrunch. "Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter's APIs." The spokesperson reportedly also said that Twitter was working to ensure that no one can exploit this bug in the future.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
