Twitter shut down a serious security flaw, but not before a hacker exposed 5.4 million users


TL;DR: Twitter acknowledged a data breach that may have unmasked pseudonymous user accounts. While it did not give any precise numbers, earlier reports indicated that a vulnerability exposed more than 5.4 million Twitter IDs and the associated phone numbers and email addresses. Twitter patched the security hole in January, but a "bad actor" claims he used it the month before to scrape the data.

Last week, Twitter confirmed that hackers had compromised some accounts on its platform. Developers introduced the flaw with a June 2021 update to its Android client, which allowed a bad actor to associate user accounts with email addresses and phone numbers. Twitter learned of the vulnerability through its bug bounty program in January 2022 and patched it immediately, believing that nobody had been affected.

However, last month BleepingComputer reported it had found a database on a hacker forum containing the phone numbers and email addresses associated with over 5.4 million Twitter accounts.

"Hello, today I present you data collected on multiple users who use Twitter via a vulnerability. (5485636 users to be exact)," the hacker who calls himself "satan" said in his post. "These users range from Celebrities, to Companies, randoms, OGs, etc [sic]."

Restore Privacy notes that satan wants at least $30,000 for the stolen data and said that he had already had some bites from interested parties.

A security researcher and bug bounty hunter going by "zhirinovskiy" says the flaw lets anyone obtain the Twitter ID of any user by submitting a phone number or email address. The exploit works even when a user's account is set to be undiscoverable in the settings. It also requires no authentication — just a handful of code.

"The bug exists due to the proccess of authorization used in the Android Client of Twitter," said zhirinovskiy, who reported the flaw through HackerOne. "Specifically in the procces of checking the duplication of a Twitter account [sic]."

Essentially, satan would feed the system phone numbers or email addresses and it would return whether those were associated with Twitter IDs. From there it is a fairly simple matter to build a profile from publicly available posts and other information.
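The flaw described above is a classic lookup oracle: an unauthenticated "is this contact already taken?" check that answers differently for registered and unregistered contacts and ignores the owner's discoverability settings. The following is an added, constructed illustration of that flaw class and its usual mitigations; it is not Twitter's code, and every name in it (`Account`, `leaky_duplicate_check`, `hardened_signup_check`, `hardened_contact_lookup`, `ProbeMonitor`) and the sample directory are hypothetical. It shows the leaky pattern beside a hardened one (uniform response, out-of-band difference, authentication and opt-in honoured) and a small detection helper that flags bulk probing of such an endpoint.

```python
"""Account-lookup oracle: leaky pattern beside a hardened one.

Constructed illustration of the flaw class described in the article; it is
not Twitter's code, and every name here (Account, leaky_duplicate_check,
hardened_signup_check, hardened_contact_lookup, ProbeMonitor) is hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool = False  # user opted in to lookup by email
    discoverable_by_phone: bool = False  # user opted in to lookup by phone


# Constructed sample directory: alice opted in to email lookup, bob opted out of both.
ACCOUNTS = [
    Account(1001, "alice@example.com", "+15550100", discoverable_by_email=True),
    Account(1002, "bob@example.com", "+15550101"),
]
BY_EMAIL = {a.email.lower(): a for a in ACCOUNTS}
BY_PHONE = {a.phone: a for a in ACCOUNTS}

# Messages the hardened signup check sends out of band (captured here for inspection).
OUTBOX: list[dict] = []


def _find(contact: str) -> Optional[Account]:
    contact = contact.strip()
    return BY_EMAIL.get(contact.lower()) or BY_PHONE.get(contact)


def leaky_duplicate_check(contact: str) -> dict:
    """Vulnerable pattern: an unauthenticated 'is this taken?' check that answers
    differently for registered contacts and even returns the account id, regardless
    of the owner's discoverability settings. Every call is one oracle query."""
    acct = _find(contact)
    if acct is not None:
        return {"status": "taken", "user_id": acct.user_id}
    return {"status": "available"}


def hardened_signup_check(contact: str) -> dict:
    """Hardened pattern: the visible response is identical whether or not the contact
    is registered; the difference is moved out of band to the contact's owner."""
    acct = _find(contact)
    if acct is not None:
        OUTBOX.append({"to": contact, "kind": "existing_account_notice"})
    else:
        OUTBOX.append({"to": contact, "kind": "verification_code"})
    return {"status": "verification_sent"}


def hardened_contact_lookup(contact: str, authenticated: bool) -> Optional[int]:
    """Hardened 'find my contacts' lookup: requires an authenticated caller and only
    resolves a contact to an id when its owner opted in for that channel."""
    if not authenticated:
        raise PermissionError("authentication required")
    acct = _find(contact)
    if acct is None:
        return None
    is_email = "@" in contact
    if (is_email and acct.discoverable_by_email) or (not is_email and acct.discoverable_by_phone):
        return acct.user_id
    return None  # indistinguishable from 'no such contact'


class ProbeMonitor:
    """Detection helper: flags a caller that queries many distinct contacts within a
    sliding window, the signature of bulk enumeration against a lookup endpoint."""

    def __init__(self, threshold: int = 50, window_seconds: float = 60.0):
        self.threshold = threshold
        self.window = window_seconds
        self._events: dict[str, list[tuple[float, str]]] = defaultdict(list)

    def record(self, caller: str, contact: str, ts: float) -> bool:
        """Record one lookup; return True once the caller exceeds the threshold."""
        recent = [(t, c) for t, c in self._events[caller] if t > ts - self.window]
        recent.append((ts, contact))
        self._events[caller] = recent
        return len({c for _, c in recent}) > self.threshold


if __name__ == "__main__":
    print(leaky_duplicate_check("bob@example.com"))          # leaks bob's id although he opted out
    print(hardened_signup_check("bob@example.com"))          # same response as for an unknown address
    print(hardened_contact_lookup("bob@example.com", True))  # None: bob is not discoverable
    mon = ProbeMonitor(threshold=3, window_seconds=60)
    print([mon.record("10.0.0.9", f"u{i}@example.com", float(i)) for i in range(5)])
```

The point of `hardened_signup_check` is that a signup flow can still prevent duplicate accounts without telling the caller anything: the existing owner gets a notice and a new address gets a verification code, but the HTTP-visible answer is the same in both cases. The monitor counts distinct contacts rather than raw requests, so a legitimate user retrying one address is not flagged while a scripted sweep of a contact list is.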

Zhirinovskiy reported the flaw to Twitter on January 1, and developers issued a fix on January 13. However, satan claims he collected the data in December 2021, before it was patched. Some have suggested that satan and zhirinovskiy are the same person and that he is trying to cash out on both ends. Satan denies these allegations with almost too much vigor — as if he has something to hide.

"I don't want to white hat in trouble who reported it on H1 [sic]," he told BleepingComputer. "I guess a lot of people are trying to connect him to me, I would be pissed if I was him. So I cant stress this enough I have nothing to do w him nor H1."

Twitter's confirmation does not mention the number of compromised user accounts, but it is fairly clear we are dealing with the same vulnerability that zhirinovskiy reported and satan exploited. The company said that it would notify affected users, presumably through their now-exposed email addresses. It made particular note of anonymous accounts.

"If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account."

Although passwords were not compromised, Twitter advises any users with concerns to use two-factor authentication apps or hardware security keys to protect their accounts.

Image credit: Forum post by BleepingComputer, Satan chat by Restore Privacy
