Twitter Warns ‘State-Sponsored Actors’ Accessed Phone Numbers

By Tom Jowitt for Silicon UK
Tuesday, February 4, 2020

Security experts were quick to highlight how bug bounty programs may not work when trying to locate weaknesses in APIs.

“Security weaknesses affecting APIs are rapidly becoming one of the most critical aspects of modern application security,” said Ilia Kolochenko, founder & CEO of security company ImmuniWeb.

“Their complexity and obscurity hinder security testing with traditional tools and automated scanners, and many dangerous security flaws remain undetected,” said Kolochenko.

“Often they are riddled with a full spectrum of OWASP API Security Top 10 issues, some of which are intricately intertwined and require chained exploitations,” said Kolochenko. “It seems that Twitter’s bug bounty has been futile when detecting the vulnerability in a timely manner.”

“The security vulnerability in question is comparatively riskless in light of a myriad of avenues to obtain someone’s phone number, including social engineering and OSINT methodologies,” said Kolochenko. “Twitter’s claims about the involvement of ‘IPs of state-sponsored actors’ are a bit incomprehensible without further details. Today, it is virtually impossible to reliably attribute an attack, and I think nation-state actors have access to much more dangerous vulnerabilities affecting Twitter and its suppliers.”
