Twitter accidentally exposed a bug that made it possible to extract the country code of the phone number associated with an account, as well as whether that account had been locked by Twitter. The problem is that malicious actors could have used the security hole to determine which countries accounts were based in, which could have serious ramifications for whistleblowers or political dissidents.
The problem came from one of the support forms for contacting the company, and the company found that a large number of requests through the form came from IP addresses located in China and Saudi Arabia. Twitter writes: “While we cannot confirm intent or attribution with certainty, it is possible that some of these IP addresses have links to state-sponsored actors.” We asked for more information on why it suggests this. Attribution in these situations can be murky, and naming specific countries or suggesting that state actors might be involved has far-reaching implications.
Twitter started working on the issue on November 15 and fixed it on November 16. Twitter tells TechCrunch that it has informed the European Union’s Data Protection Commissioner, as EU citizens may have been affected. However, because country codes are not necessarily considered sensitive personal information, the leak may not trigger GDPR enforcement or fines. Twitter tells us that it has also updated the FTC and other regulators on the issue, though we have asked when it informed these various regulators.
Twitter directly contacted users affected by the issue and said that full phone numbers had not been disclosed and that users did not need to take any action in response. Users can contact Twitter here for more information. We asked how many accounts were affected, but Twitter told us it has no more data to share as its investigation continues.
A Twitter spokesperson pointed out to us a previous statement:
It is clear that the coordinated IO and inauthentic behavior will not cease. These types of tactics have been around much longer than Twitter – they will adapt and change as the geopolitical terrain evolves around the world and new technologies emerge. For our part, we are committed to understanding how actors of bad faith use our services. We will continue to proactively fight against nefarious attempts to undermine the integrity of Twitter, while partnering with civil society, government, our industry peers and researchers to improve our collective understanding of coordinated attempts at interference in public conversation.
Sloppy security from tech companies can make it dangerous for political dissidents or others at odds with their governments. Twitter explains that it locks down accounts if it suspects they have been compromised by hackers or violate “Twitter rules,” which include “illegal use” which largely depends on what national governments deem illegal. What’s concerning is that attackers with IP addresses in China or Saudi Arabia could have used the exploit to confirm that some accounts belonged to users in their country and whether they were locked out. This information could be used to track down the people who have these accounts.
The company apologized, writing, “We recognize and appreciate the trust you place in us, and we are committed to earning that trust every day. We are sorry that this has happened.” But it echoes other apologies from big tech companies that consistently ring hollow. In particular, it fails to acknowledge how the leak could harm people and how it will prevent this sort of thing from happening again. With these companies being judged quarterly on the growth of their users and business, they are prompted to cut corners on security, privacy and societal impact as they seek favor on Wall Street.