Last December, we told you about a Twitter bug that allowed users to match phone numbers with the actual Twitter accounts. The malicious code possibly compromised around 17 million accounts, with probably a lot of them choosing to remain anonymous for various reasons. Twitter now shares that they discovered a lot of those accounts who abused this API may possibly have state-sponsored connections, adding another disturbing layer to this already problematic issue. They previously made changes already to fix this but disclosed these latest findings for the sake of transparency.
When Twitter found out that some bad actors were exploiting the API to match usernames with phone numbers, they suspended the accounts and made several changes to that the endpoint will no longer return specific account names in response to queries. They also confirmed that users who did not have the “Let people who have your phone number find you on Twitter” enabled were not exposed to the vulnerability.
Further investigation revealed that a particular high volume of requests to exploit this API came from IP addresses in Iran, Israel, and Malaysia. They suspect that these accounts have a high probability of having state-sponsored connections. Twitter has made it a priority to protect the platform and its users from “platform manipulation and state-backed activity”. You can read more about it in their Twitter Transparency Report.
Twitter has become a tool for dissidents who are speaking out against repressive governments and in these cases, anonymity is of utmost importance. If these users were easy to find through manipulation of the API, the consequences could be dire. It’s good that Twitter has taken steps to suspend accounts and assure users that this will not happen. Hopefully no one was unnecessarily exposed because of this bug.
Twitter has not revealed how many users were affected and if they notified accounts that may have been compromised. If they really want to improve on transparency, this is something that they should be doing and disclosing.