Twitter accounts exposed in major security snafu
Twitter says a flaw in its code exposed the identities of certain account holders
A flaw in Twitter’s code allowed threat actors to link accounts with the email addresses registered against them, potentially exposing the identities of their operators, the social network has confirmed.
Late last week, the company disclosed the flaw in a blog post, in which it apologized for the inconvenience and explained the problem was fixed as soon as it was discovered.
The exploit took advantage of the way Twitter treated failed log in attempts. When someone tried to log in using an email address or a phone number, even if they typed in the wrong password, Twitter used to do two things:
- Tell the user they’d submitted the wrong password
- Show the Twitter handle associated with that email address or phone number (if any exist)
This meant that people running pseudonymous accounts could have had their identities exposed.
Selling data on the dark web
The flaw was first spotted in mid-2021. At the time, Twitter said it couldn’t find any evidence of abuse. “This bug resulted from an update to our code in June 2021,” the company wrote.
A year later, Twitter learned through a press report that someone had actually compiled a list of user accounts with this method and tried to sell it.
Twitter apologized for the inconvenience, said it fixed the issue as soon it was unveiled, and said it will directly notify account owners that were impacted by this problem.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“We are publishing this update because we aren’t able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors,” the company added.
The microblogging platform has been getting a lot of limelight lately, ever since eccentric billionaire Elon Musk said he intended to acquire it. The future of the deal will now be decided at the Delaware Chancery Court, after Musk attempted to bow out, ostensibly due to volume of bots operating on the platform.
- Here are the free and paid options for the best firewall software to stay protected online
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.