Twitter says zero-day bug leaked account data

By

User enumeration bug created in July 2021, plugged in January 2022.

Twitter has revealed that its July data breach, which resulted in millions of user accounts being offered for sale, was the result of an exploited zero-day vulnerability.

Twitter says zero-day bug leaked account data

In late July, someone identified only by their handle, “devil”, posted to Breached Forums that they had 5.4 million Twitter user accounts and would sell the data for US$30,000, as reported by Restore Privacy.

Twitter has now acknowledged that the account data was obtained through the exploitation of a zero-day vulnerability it first learned about in January 2022.

In a mea culpa published last week, Twitter explained that it was notified of the issue through its Hacker One bug bounty program.

A software update in July 2021 contained a user enumeration bug, the company said.

An attacker with knowledge of the bug could use telephone numbers to find out if a user account existed.

As “zhirinovskiy” explained in their Hacker One report, the bug meant an attacker could discover a Twitter account by phone number or email address, “even if the user has prohibited this in the privacy options”.

“The bug exists due to the process of authorisation used in the Android client of Twitter, specifically in the process of checking the duplication of a Twitter account."

Zhirinovskiy was paid US$5040 (A$7273) for the report.

As Twitter’s post confirmed, the bug “allowed someone to enter a phone number or email address into the log-in flow in an attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.”

Emails could also be used in the same way, Twitter’s post stated.

“When we learned about this, we immediately investigated and fixed it,” Twitter said.

“In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled.

“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”

Twitter explained that it published the post because it was not able to contact all the affected users, especially those who were maintaining pseudonymous accounts.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
breachsecuritytwitter

Sponsored Whitepapers

Gain an independent witness with body-worn cameras
Gain an independent witness with body-worn cameras
Gain an independent witness with body-worn cameras
Gain an independent witness with body-worn cameras
Trust Imperative 4.0
Trust Imperative 4.0
Centralized Remote Connectivity for State & Local Government
Centralized Remote Connectivity for State & Local Government
Global Employee Experience Trends Report
Global Employee Experience Trends Report

Events

Most Read Articles

Macquarie Uni to spend up to $700m on 10-year digital transformation

Macquarie Uni to spend up to $700m on 10-year digital transformation
Nissan A/NZ's outsourced cyber incident call centre breached

Nissan A/NZ's outsourced cyber incident call centre breached
Digital ID bill passes parliament

Digital ID bill passes parliament
Macquarie's banking CISO headed to Endeavour Group

Macquarie's banking CISO headed to Endeavour Group

Digital Nation

COVER STORY: What AI regulation might look like in Australia
COVER STORY: What AI regulation might look like in Australia
Health tech startup Kismet raises $4m in pre-seed funding
Health tech startup Kismet raises $4m in pre-seed funding
More than half of loyalty members concerned about their data
More than half of loyalty members concerned about their data
How eBay uses interaction analytics to improve CX
How eBay uses interaction analytics to improve CX
State of Security 2023
State of Security 2023

Log In

  |  Forgot your password?