Twitter Says State Actors Were Raiding a Valid API to Mine Users’ Phone Numbers
Wednesday, February 5, 2020
The API raid came two months after Twitter admitted that it had ‘inadvertently’ used emails and phone numbers taken solely for 2FA purposes to create targeted ads.
Ilia Kolochenko, CEO of web security company ImmuniWeb told Computer Business Review in an emailed statement: “Security weaknesses affecting APIs are rapidly becoming one of the most critical aspects of modern application security.
“[But] the security vulnerability in question (this week’s exploit announcement) is comparatively riskless in light of a myriad of avenues to obtain someone’s phone number, including social engineering and OSINT methodologies.”
He added: “Twitter’s claims about the involvement of ‘IPs of state-sponsored actors’ are a bit incomprehensible without further details. Today, it is virtually impossible to reliably attribute an attack, and I think nation-state actors have access to much more dangerous vulnerabilities affecting Twitter and its suppliers.”
Twitter said it has “immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint.”
Siècle Digital: Alarming: 97% of the world’s largest airports have an insufficient level of cybersecurity
Silicon UK: Twitter Warns ‘State-Sponsored Actors’ Accessed Phone Numbers