TECH NEWS – A new flaw in Elon Musk’s wanted/unwanted (delete as requested…) social networking site has exposed the identities behind millions of accounts on a forum frequented by hackers. Although Twitter has since fixed the bug, it doesn’t inspire much confidence…
So there was a loophole to use the information entered in a login flow to find out the account’s phone number or email address. In a blog post, Twitter wrote, “As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with if any.”
This bug popped up via Twitter’s code update last June and was fixed in January by the company’s bug bounty program. When Twitter first heard about the bug, there was no evidence that anyone had exploited the vulnerability. However, that is not true, as the bug report came late, as there were malicious individuals who took advantage of the security flaw. Bleeping Computer reported that a hacker was able to sell a database containing the phone numbers and email addresses of 5.4 million users. For this, he was paid 30,000 dollars. That doesn’t seem like a considerable sum. Perhaps the hacker underestimated himself?
Twitter confirmed, “After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.” (This was a contradiction in terms.) They did not say how many accounts were affected, but those using pseudonyms were not spared. The hacker passed on data about celebrities, companies, and random users. Anyone affected will be notified by Twitter, so a change of phone number and/or email address is recommended.
Passwords were not obtained, so this is all the joy in the void.