Twitter Zero-Day Exposed Data Of 5.4 Million Accounts

Summary Of The Attack

  • Social media platform Twitter suffered a zero-day vulnerability that let attackers tie email addresses and phone numbers to the accounts of 5.4 million users.
  • The vulnerability was exploited as early as December 2021 and was reported to Twitter through HackerOne’s bug bounty platform in January 2022.
  • The security researcher was awarded $5,040 for his findings.
  • The vulnerability allowed anyone, without authentication, to obtain the Twitter ID of a user by submitting a phone number or email address, even when the user had disabled discovery by phone number or email in their privacy settings.
  • The vulnerability is now patched. Recommended precautions are enabling 2FA and not linking a publicly known phone number or email address to a pseudonymous Twitter account.

What Happened?

Social media platform Twitter confirmed that it suffered a now-patched zero-day vulnerability which could be used to link email addresses and phone numbers to users’ accounts. Attackers used it to tie this contact information to the public profile data of 5.4 million users.

What Is A Zero-Day?

A zero-day vulnerability is a weakness in software that has been discovered by a threat actor but is still unknown to the developer.

It’s called “zero-day” because the vendor has had zero days to fix it: by the time the vendor learns of the flaw, it may already be under active exploitation.

Zero-day vulnerabilities stem from software bugs such as logic errors, missing authorization checks (as in this case), or a lack of encryption where it is needed.


How Does The Twitter Zero-Day Attack Work?

The vulnerability allowed anyone to submit an email address or phone number, verify if it was associated with a Twitter account, and retrieve the associated account ID.

Twitter’s Zero Day Details

More technically, what the security researcher zhirinovsky reported on HackerOne’s bug bounty platform is that this vulnerability allowed any party, without any authentication, to obtain the Twitter ID (which can be readily resolved to the account’s username) of any user by submitting a phone number or email address, even when the user had prohibited this in their privacy settings.

According to his report, the bug lay in the authorization logic of Twitter’s Android client, specifically in the check that tests whether an email address or phone number is already tied to an existing Twitter account.
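To make the mechanism concrete, here is an added toy model (not Twitter’s code, and not the researcher’s proof of concept) of the behaviour described above and of the enumeration the Scope Of The Threat section warns about: an in-memory “find account by email or phone” check that, like the reported bug, answers unauthenticated callers, ignores the discoverability setting and returns the account ID, next to a hardened variant, plus the candidate-list loop an attacker would run against the vulnerable one. All accounts, contact details and the candidate list are constructed for the example; the function names are assumptions.

```python
"""Toy model of the account-enumeration bug described above (added example)."""
from dataclasses import dataclass
from typing import Callable, Optional
import re


@dataclass(frozen=True)
class User:
    user_id: int
    screen_name: str
    email: str
    phone: str
    discoverable_by_email: bool  # "Let people who have your email find you"
    discoverable_by_phone: bool  # "Let people who have your phone number find you"


# Constructed sample accounts, not real Twitter data.
USERS = [
    User(1001, "alice_pub", "alice@example.com", "+15550000001", True, True),
    User(1002, "anon_source", "anon@example.net", "+15550000002", False, False),
    User(1003, "bob", "bob@example.org", "+15550000003", True, False),
]

_PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def _normalize(contact: str) -> str:
    """Strip spaces from phone numbers and lower-case emails so lookups match."""
    c = contact.strip().replace(" ", "")
    return c if _PHONE_RE.match(c) else c.lower()


def _index() -> dict:
    """Map every email and phone number to its account."""
    idx = {}
    for u in USERS:
        idx[u.email] = u
        idx[u.phone] = u
    return idx


def find_account_vulnerable(contact: str) -> Optional[int]:
    """Vulnerable check: no authentication, discoverability ignored, and the
    numeric account id (trivially mapped to the handle) is handed back."""
    u = _index().get(_normalize(contact))
    return u.user_id if u else None


def find_account_fixed(contact: str, authenticated: bool) -> Optional[int]:
    """Hardened check: requires an authenticated caller and honours the
    per-channel discoverability setting. A non-discoverable account and an
    unknown contact give the identical answer, so a probe learns nothing."""
    if not authenticated:
        return None
    c = _normalize(contact)
    u = _index().get(c)
    if u is None:
        return None
    allowed = u.discoverable_by_phone if _PHONE_RE.match(c) else u.discoverable_by_email
    return u.user_id if allowed else None


def enumerate_accounts(candidates: list[str],
                       lookup: Callable[[str], Optional[int]]) -> dict[str, int]:
    """The attacker's side: push a candidate list through the lookup and keep
    the hits. Against the vulnerable check this is the whole 'exploit'."""
    hits = {}
    for contact in candidates:
        uid = lookup(contact)
        if uid is not None:
            hits[contact] = uid
    return hits


# Constructed candidate list, e.g. emails/phones from an older breach dump.
CANDIDATES = ["alice@example.com", "anon@example.net", "+1 555 000 0003",
              "nobody@example.com", "+15550009999"]

if __name__ == "__main__":
    print("vulnerable:    ", enumerate_accounts(CANDIDATES, find_account_vulnerable))
    print("fixed, no auth:", enumerate_accounts(CANDIDATES, lambda c: find_account_fixed(c, False)))
    print("fixed, auth:   ", enumerate_accounts(CANDIDATES, lambda c: find_account_fixed(c, True)))
```

Run as a script, the vulnerable lookup resolves all three existing contacts, including the account that opted out of discovery, while the hardened lookup returns only the one account that allowed discovery by the channel probed. Twitter has not published the details of its fix; the hardened variant here is one reasonable design, and in production it would also sit behind per-caller rate limiting, since an attacker with a large candidate list needs one request per probe.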

The security researcher reported the vulnerability in January 2022 and the company awarded a $5,040 bounty for his findings.

Before the fix, in December 2021, attackers had used the bug to compile profiles of 5.4 million Twitter users, combining the linked email addresses and phone numbers with scraped public information such as follower counts, screen name, login name, location, profile picture, URL, and other details.

The dataset was later put up for sale on a hacking forum for about $30,000.

From Twitter’s statements, this bug resulted from an update to their code in June 2021. When they learned about this, they immediately investigated and fixed it.

At that time, the company had no evidence to suggest someone had taken advantage of the vulnerability.

Scope Of The Threat

In his report, the researcher described this as a very serious threat: not only can people find users who have restricted the ability to be found by email or phone number, but any attacker with basic scripting knowledge can enumerate a large part of the Twitter user base that was previously not enumerable.

Such databases can be sold to malicious parties for advertising or other malicious activities.

A redacted example of one of the generated Twitter profiles.

Mitigation Steps Being Taken

In its official statement released on August 5, 2022, the tech giant pointed out that no passwords were exposed, but encouraged users to enable two-factor authentication with an authenticator app or a hardware security key to protect their accounts from unauthorized logins.

For users who operate a pseudonymous Twitter account, Twitter recommended not adding a publicly known phone number or email address to the account, as the best way to keep their identity veiled.

Lastly, even though most of the data being sold is publicly available, the link between a handle and a phone number or email address is not, and threat actors can use it in targeted phishing attacks.

Because of that, all Twitter users should be wary of emails that appear to come from Twitter, especially ones that demand urgency or sensitive information such as login credentials. Credentials should only ever be entered on the official platform, never via a link in an email.

Article by

Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
