Twitter cites ‘Iran & Israel state actors’ after suspending researcher who exposed new user-data flaw
Twitter, in a post so reassuring it's alarming, says it stopped possible state-backed actors in Iran and Israel from exploiting its features. But the only clear 'actor' may be a lone researcher who reported the bug six weeks ago.
"Iran, Israel and Malaysia suspected of exploiting Twitter phone number security flaw," read a headline on Sky News. "Twitter: Israel, Iran may have accessed users' phone numbers," warned the Jerusalem Post.
So what did those bad privacy-violating ayatollahs in Tehran and intrepid privacy-defying IDF hackers do this time? They abused Twitter's "contact upload" feature, which lets an app submit a list of phone numbers and returns the accounts that match them, to pair handles with phone numbers in bulk.
"We observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia," the tech giant said in a blog post. "It is possible that some of these IP addresses may have ties to state-sponsored actors."
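For readers wondering how a harmless-sounding "find your friends" feature turns into a phone-number lookup service, here is an added illustration, written for this article rather than taken from Twitter's or Balic's code. It models a contact matcher in two forms: a naive one that answers any upload, and a hardened one that only reveals users who opted in to being found by phone, caps the batch size, and throttles each client. The directory, the client IP and every number in it are constructed sample data.

```python
"""Phone-number enumeration through a 'contact upload' matcher, and a hardened version.

Added example for this article; not Twitter's implementation. The directory,
the client identifier and all phone numbers below are constructed.
"""
import time
from collections import defaultdict

# Constructed directory: phone number -> (handle, user opted in to discovery by phone)
DIRECTORY = {
    "+15550000001": ("alice", True),
    "+15550000002": ("bob", False),
    "+15550000003": ("carol", True),
    "+15550000004": ("dave", False),
}


def match_contacts_vulnerable(numbers):
    """Naive matcher: returns a handle for every uploaded number it knows,
    ignoring the user's discoverability setting and imposing no limit on
    batch size or request rate. Feed it generated numbers and it becomes a
    reverse phone directory."""
    return {n: DIRECTORY[n][0] for n in numbers if n in DIRECTORY}


class QuotaExceeded(Exception):
    """Raised when a client has looked up too many numbers in the window."""


class ContactMatcher:
    """Hardened matcher: opt-in only, capped batch size, per-client sliding-window quota."""

    def __init__(self, directory, max_batch=100, quota=1000, window_seconds=3600, clock=time.time):
        self.directory = directory
        self.max_batch = max_batch          # numbers allowed per request
        self.quota = quota                  # numbers allowed per client per window
        self.window = window_seconds
        self.clock = clock                  # injectable for testing
        self._lookups = defaultdict(list)   # client -> timestamps of looked-up numbers

    def _spend(self, client, count):
        now = self.clock()
        recent = [t for t in self._lookups[client] if now - t < self.window]
        if len(recent) + count > self.quota:
            self._lookups[client] = recent
            raise QuotaExceeded(f"{client}: {len(recent)} lookups in window, {count} more refused")
        recent.extend([now] * count)
        self._lookups[client] = recent

    def match_contacts(self, client, numbers):
        """Returns only handles whose owners opted in to discovery by phone,
        after enforcing the batch cap and the per-client quota."""
        numbers = list(dict.fromkeys(numbers))  # de-duplicate before charging quota
        if len(numbers) > self.max_batch:
            raise ValueError(f"batch of {len(numbers)} exceeds cap of {self.max_batch}")
        self._spend(client, len(numbers))
        matches = {}
        for n in numbers:
            handle, opted_in = self.directory.get(n, (None, False))
            if opted_in:
                matches[n] = handle
        return matches


def enumerate_range(matcher_fn, prefix="+1555000", start=0, stop=10):
    """Simulates the enumeration: generate a block of numbers and upload them all."""
    numbers = [f"{prefix}{i:04d}" for i in range(start, stop)]
    return matcher_fn(numbers)


if __name__ == "__main__":
    print("naive:", enumerate_range(match_contacts_vulnerable))
    hardened = ContactMatcher(DIRECTORY, quota=20)
    print("hardened:", enumerate_range(lambda nums: hardened.match_contacts("203.0.113.7", nums)))
```

The quota here counts numbers looked up per client rather than requests, since an attacker who is limited only on requests simply uploads bigger batches. The discoverability flag is the part that changes the privacy outcome: a number whose owner never asked to be found returns nothing, regardless of who is asking or how slowly.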
Those are strong, click-worthy headlines, but what about evidence that the respective governments were actually involved, beyond "possible" and "may have"? Eh.
Twitter also cautiously avoided mentioning the number of user accounts affected by this bug, but provided assurance that everyone is now safe after the software changes it made. The bad guys, whoever they may be, have been punished with suspension.
Well, we don't really know who the bad guys were, but the only identifiable 'actor' punished for the data leak is Ibrahim Balic, a Turkish cybersecurity researcher based in London, who reported that he had managed to match 17 million phone numbers to Twitter accounts thanks to a flaw in its Android app.
"Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany… but stopped after Twitter blocked the effort on December 20," TechCrunch said in a report about his endeavor.
Balic had no malicious intent. While he didn't alert Twitter to the gap in user privacy, he did make an effort to warn "high-profile" users directly. Incidentally, the report was published on December 24, 2019, the same day Twitter said it discovered the vulnerability.
Balic's personal Twitter handle, it's worth mentioning, remains suspended.
Twitter suspended the verified account for Ibrahim Balic (@b4l1c), the security researcher who documented the security hole that let him unmask the mobile phone numbers for 17 million Twitter accounts. They suspended his new account @balictw within an hour of its creation. https://t.co/0sQfdydAWz
— Chad Loder (@chadloder) December 26, 2019
Maybe there is no connection and Twitter, a noble crusader for privacy and an opponent of oppressive regimes worldwide, has done a good job protecting user data from snooping. Or maybe it simply prefers headlines mentioning state-backed actors from Iran to those saying something along the lines of "tech giant again screws over users who voluntarily provided their personal information for sake of convenience." Who knows?