Twitter Flaw Leaves Pseudonymous Users Vulnerable

A vulnerability in Twitter's systems, reported in January 2022 through the company's bug bounty program, was exploited by a bad actor who used it to link email addresses and phone numbers to Twitter accounts—but the social media platform did not spell out the extent of the incident.

The company was alerted in January 2022 to the vulnerability, which let someone who submitted an email address or phone number to Twitter's systems find out "what Twitter account the submitted email addresses or phone number was associated with, if any," the company said in a blog post. In other words, the lookup acted as an oracle: the response revealed whether a given contact identifier was tied to an account, and which one. Twitter noted that the vulnerability was quickly addressed with an update to its code.
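The pattern Twitter describes is an account-linkage oracle: a lookup whose response differs depending on whether the submitted email address or phone number is tied to an account. The following Python is an added illustration written for this page, not Twitter's code; the directory, identifiers and handles are constructed sample data, and the "hardened" variant shows one generic fix (a response that does not vary with the lookup result), not the specific change Twitter made.

```python
"""Account-linkage oracle: a vulnerable lookup beside a non-revealing one.

Constructed illustration for this article, not Twitter's code. The
directory below is made-up sample data.
"""
from typing import Callable, Dict, Iterable

# Constructed sample directory: normalized contact identifier -> account handle.
DIRECTORY: Dict[str, str] = {
    "alice@example.org": "@alice",
    "+15555550100": "@alice",
    "whistleblower@example.net": "@anon_tipster",
}


def normalize(identifier: str) -> str:
    """Lower-case email addresses; reduce phone numbers to '+' plus digits."""
    s = identifier.strip()
    if "@" in s:
        return s.lower()
    return ("+" + "".join(ch for ch in s if ch.isdigit())) if s else s


def lookup_vulnerable(identifier: str) -> str:
    """The oracle: the reply tells the caller which account, if any, is linked."""
    handle = DIRECTORY.get(normalize(identifier))
    if handle is None:
        return "No account is associated with that email address or phone number."
    return f"This email address or phone number is associated with {handle}."


def lookup_hardened(identifier: str) -> str:
    """Same entry point, but the reply is identical for hits and misses.

    The server still performs the lookup (e.g. to send a recovery message to
    the contact channel itself), so only someone who controls that inbox or
    phone learns anything.
    """
    _ = DIRECTORY.get(normalize(identifier))
    return ("If that email address or phone number is linked to an account, "
            "we have sent further instructions to it.")


def harvest(lookup: Callable[[str], str], candidates: Iterable[str]) -> Dict[str, str]:
    """What an attacker does with an oracle: replay a contact list, keep the hits.

    Returns the contact -> handle pairs that the replies reveal. Against the
    hardened endpoint the result is empty, because no reply differs.
    """
    linked: Dict[str, str] = {}
    for contact in candidates:
        reply = lookup(contact)
        if "associated with @" in reply:
            linked[contact] = reply.rsplit(" ", 1)[1].rstrip(".")
    return linked


if __name__ == "__main__":
    # Constructed attacker input: a few contacts scraped from elsewhere.
    scraped = ["Alice@Example.org", "+1 (555) 555-0100", "nobody@example.com"]
    print("vulnerable:", harvest(lookup_vulnerable, scraped))
    print("hardened:  ", harvest(lookup_hardened, scraped))
```

A uniform message is necessary but not sufficient: the HTTP status, body length and response time must also be the same for hits and misses, and the endpoint needs rate limiting, because an attacker with a large list of scraped contacts will replay them exactly as `harvest` does.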

But in July 2022, Twitter “learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled,” Twitter said. “After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”

“The collection and reuse of exposed data sets has provided criminals operating in the underground with an entirely new ecosystem, whereby data mining and resale has become a profitable business in its own right,” said researchers at Intel 471. “Opportunistic threats such as those described in this instance are being regularly sought as a means of deriving something of value for sale in the underground.”

Twitter acknowledged that it could not determine all the accounts that had been affected, but said it was acutely aware that the exploitation could particularly affect "people with pseudonymous accounts who can be targeted by state or other actors."

“If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened,” Twitter said. “To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.”

Users "operating pseudonymous accounts on social media who may be targeted by nation states or financially motivated actors should focus closely on their own operational security and increasing their ability to monitor and detect when potential impact occurs," Intel 471 researchers pointed out. "Threat actors themselves will regularly try to do so for the purpose of preventing their identification and ultimately, preventing their own arrest. Guides and manuals are even regularly shared within the trusted network of criminal forums and messaging services to try to uplift security."

John Bambenek, principal threat hunter at Netenrich, said that the Twitter incident, at its core, “only affects users who are trying to anonymously use Twitter. For anyone trying to use social media under a pseudonym who is concerned about their privacy, they should use a unique email and phone number for that pseudonym and be vigilant that they don’t have any data points that allow an adversary to link the pseudonym to their real identity.”

He stressed the ease with which bad actors could uncover the identity of someone like him. “For instance, doing what I do and living in a small community, location data could be enough to link me to a pseudonym if I am not careful,” he said.

“While the data loss here doesn’t really count as a breach, the leakage allowing threat actors to link anonymous accounts to their user’s phone numbers or email addresses is problematic for the people affected,” said Mike Parkin, senior technical engineer at Vulcan Cyber. “With the vulnerability existing since mid-2021, and being reported and corrected in early 2022, it is interesting that it is only being openly reported now. Threat actors were able to exploit the vulnerability for months and users are only hearing about it now.”

“Twitter corrected the issue, so new accounts aren’t vulnerable,” said Parkin. “The upside, if there is one, is that people who are genuinely and knowingly at risk are often using additional layers of anonymity already.”

The Twitter leak highlighted that bug bounties have played a key role in exposing vulnerabilities missed by even the most tech-savvy companies. “This serves as another example of the critical role that security researchers and bug bounty programs play in identifying vulnerabilities that can affect millions of people,” said Darren Guccione, CEO and co-founder at Keeper Security.


Teri Robinson
