Twitter Says State Actors Were Raiding a Valid API to Mine User’s Phone Numbers

By Conor Reynolds for Computer Business Review
Wednesday, February 5, 2020

The API raid came two months after Twitter admitted that it had ‘inadvertently’ used emails and phone numbers taken solely for 2FA purposes to create targeted ads.

Ilia Kolochenko, CEO of web security company ImmuniWeb told Computer Business Review in an emailed statement: “Security weaknesses affecting APIs are rapidly becoming one of the most critical aspects of modern application security.

“[But] the security vulnerability in question (this week’s exploit announcement) is comparatively riskless in light of a myriad of avenues to obtain someone’s phone number, including social engineering and OSINT methodologies.

He added: “Twitter’s claims about the involvement of ‘IPs of state-sponsored actors’ are a bit incomprehensible without further details. Today, it is virtually impossible to reliably attribute an attack, and I think nation-state actors have access to much more dangerous vulnerabilities affecting Twitter and its suppliers.”

Twitter said it has “immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint.”