Flaw in Twitter form may have been abused by nation states

Flaw in Twitter form may have been abused by nation states

Twitter announced in a blog post on Monday that they discovered and addressed a security flaw on one of their support forms. The discovery was made on November 15 — more than a month ago — and was promptly fixed the next day. From the Twitter blog on this issue:

We have become aware of an issue related to one of our support forms, which is used by account holders to contact Twitter about issues with their account. This could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter.

They go on to add:

Importantly, this issue did not expose full phone numbers or any other personal data. We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted.

Country codes, take me home

While a country code isn’t treated or considered by many as sensitive information, some warn that it is enough to clue in attackers on whether a registered mobile number (with country code) is associated with a Twitter account. This means that cybercriminals could find the true country locations of Twitter users. This could be dangerous for those in countries with freedom of speech–related privacy concerns.

Twitter is currently investigating the possibility that the flaw may have been abused by potential nation-state actors, particularly from IP addresses associated with Saudi Arabia and China.

As if this weren’t enough of a headache for the social media giant, Peerzada Fawaz Ahmad Qureshi, an independent security researcher who goes by @Fawaz on Twitter, has stepped forward to disclose that he had reported the flaw to Twitter via HackerOne, a bug bounty platform, more than two years ago. Twitter took no action, however, deeming the bug as non-critical before marking the report an “informative” one.

Wait! That’s not all

This announcement comes hot on the heels of a Trend Micro report about malicious Twitter users abusing the social media platform to stealthily communicate with malware using stenography, the method of hiding messages in images. In this case, the malicious actors have hidden commands in memes found in every nook and cranny of Twitter—hiding-in-plain-sight at its finest.

This isn’t the first time Twitter has been used as a comms hub for malware. Back in 2009, a DIY botnet kit was discovered that brought social media–controlled infection hijinks to the masses, allowing malware authors with rudimentary skills to use Twitter to send commands.

Stock, drop, and roll

Outside of bot action, the news of Twitter’s investigation triggered a dramatic drop in the company’s stock share prices. It promises to be a rollercoaster-ride ending to 2018 for those trying to keep both Twitter and its users safe from harm.

If you use the social media platform and are worried about potential breach, Twitter’s advice is simply: do nothing. While these mishaps may have been close calls instead of direct hits, one hopes that in 2019, we’ll all be a little more proactive—and a lot more reassured—about using our favorite portals and communication channels safely.