Twitter fixes a vulnerability that exposed 5.4 million accounts, and rewards its discoverer
Twitter has announced that it has fixed a security flaw that exposed 5.4 million of its accounts. The vulnerability allowed threat actors to collect information on the affected accounts.
Details of the security vulnerability Twitter was exposed to
Because of this vulnerability, anyone could submit a phone number or an email address and learn whether it was associated with a Twitter account, and which one. That is enough to unmask the real-world owner of a pseudonymous Twitter account.
“If someone provides an email address or phone number to Twitter’s systems, Twitter’s systems will tell the person the Twitter account associated with the email address or phone number, if any,” the company said in a statement.
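How an identifier lookup of this kind turns into an account-enumeration oracle, and what the fix looks like, as an added example: this is hypothetical Python written for this page, not Twitter's code, and the account records, handles, the HardenedLookup class and the harvest() helper are all constructed for illustration. The vulnerable function returns the linked handle for any registered email or phone number; the hardened version returns the same response for an unknown identifier and for a user who has not opted into being discoverable, and caps the number of queries a caller may make.

```python
# Added example (hypothetical, not Twitter's code): a toy model of the
# email/phone-to-account lookup the article describes, vulnerable form
# beside a hardened form.
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = False   # user opt-in, off by default
    discoverable_by_phone: bool = False


# Constructed sample accounts (not real users). "anon_critic" has deliberately
# kept their contact details private; that is the kind of user this bug exposes.
ACCOUNTS = [
    Account("alice_h", "alice@example.com", "+15550000001", True, True),
    Account("anon_critic", "throwaway@example.net", "+15550000002"),
    Account("bob_b", "bob@example.org", "+15550000003", discoverable_by_email=True),
]
BY_EMAIL = {a.email.lower(): a for a in ACCOUNTS}
BY_PHONE = {a.phone: a for a in ACCOUNTS}


def _find(identifier: str) -> Optional[Account]:
    """Resolve an email address or phone number to an account record, or None."""
    ident = identifier.strip()
    return BY_EMAIL.get(ident.lower()) or BY_PHONE.get(ident)


def vulnerable_lookup(identifier: str) -> dict:
    """The bug class: the response leaks the linked handle for ANY registered
    identifier, ignoring the owner's discoverability settings. Even the
    'found' flag alone confirms that an email/phone belongs to some account."""
    acct = _find(identifier)
    return {"found": acct is not None, "handle": acct.handle if acct else None}


class HardenedLookup:
    """Same feature, two fixes: (1) an unknown identifier and an account that
    has not opted into discovery get byte-identical responses, so the endpoint
    is no longer an existence oracle; (2) a per-caller query budget makes bulk
    harvesting of millions of identifiers impractical."""

    NOT_FOUND = {"found": False, "handle": None}

    def __init__(self, max_queries: int = 5):
        self.max_queries = max_queries
        self._used: Dict[str, int] = defaultdict(int)

    def lookup(self, identifier: str, caller: str) -> dict:
        self._used[caller] += 1
        if self._used[caller] > self.max_queries:
            return {"error": "rate_limited"}
        acct = _find(identifier)
        if acct is None:
            return dict(self.NOT_FOUND)
        opted_in = (acct.discoverable_by_email if "@" in identifier
                    else acct.discoverable_by_phone)
        if not opted_in:
            return dict(self.NOT_FOUND)   # indistinguishable from "no such user"
        return {"found": True, "handle": acct.handle}


def harvest(lookup_fn: Callable[[str], dict], identifiers: Iterable[str]) -> dict:
    """Simulate the bulk abuse the article describes: try every identifier in a
    candidate list and keep the ones that resolved to a handle."""
    hits = {}
    for ident in identifiers:
        resp = lookup_fn(ident)
        if resp.get("handle"):
            hits[ident] = resp["handle"]
    return hits


# Constructed candidate list, as an attacker might assemble from other leaks.
CANDIDATES = [
    "alice@example.com", "throwaway@example.net", "+15550000002",
    "nobody@example.com", "bob@example.org", "+15550000003", "+15550000001",
]

if __name__ == "__main__":
    print("vulnerable:", harvest(vulnerable_lookup, CANDIDATES))
    hardened = HardenedLookup(max_queries=5)
    print("hardened:  ", harvest(lambda i: hardened.lookup(i, "scraper"), CANDIDATES))
```

Run against the same candidate list, the vulnerable lookup maps every registered identifier, including the pseudonymous user's throwaway email and phone, while the hardened lookup yields only the two users who opted in and then throttles the caller. A production fix would also apply the budget per IP and per account and log the volume for detection, but the core property is the identical response for "unknown" and "private".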
BuzzFeed used a similar flaw in Twitter’s systems in 2015, taking advantage of it to expose the burner account of an extremist politician in Australia. Useful as that was, the same technique becomes a problem when it is applied at scale.
That is exactly what happened this time: hackers reportedly exploited the vulnerability before it was patched to build a database of email addresses and phone numbers for 5.4 million Twitter accounts.
Twitter said: “In July 2022, we learned through a press report that someone had taken advantage of this and was offering to sell the information they had collected. After reviewing a sample of data available for sale, we confirmed that a bad actor had taken advantage of the problem before it was addressed. Therefore, we will directly notify account owners who we can confirm are affected by this issue.”
After contacting the person who exploited the flaw, it was found that he had collected a database of 5.4 million Twitter account profiles. Each record paired a verified phone number or email address with public profile data such as follower count, screen name, login name, location, profile picture URL, and other information.
He was looking to sell the dataset for around $30,000. Many buyers are said to have gotten the cache since then.
Twitter rewards vulnerability finder
The flaw was introduced by a code change in June 2021. A security researcher reported it through Twitter’s bug bounty program in January 2022, and the company investigated and fixed it that month, about six months after the bug entered its codebase. Twitter rewarded the researcher who discovered the vulnerability with $6,000.
How dangerous is this Twitter vulnerability
This security issue is not new to Twitter. It is similar to a vulnerability discovered in late 2019, which allowed security researchers to match 17 million phone numbers to Twitter accounts.
This flaw is not considered a serious breach in itself, because much of the profile data involved is already public. But for users who have kept their profile private and separate from their real-world (IRL) identity, or who tweet about contentious topics, the list lets anyone tie a phone number or email address to their pseudonym, opening them up to harassment that is both new and more extreme.