Twitter: Israel, Iran may have accessed users' phone numbers

Twitter said it discovered attempts by possible state actors to access the phone numbers, after a flaw in the company’s “contacts upload” feature was found.

People holding mobile phones are silhouetted against a backdrop projected with the Twitter logo in this illustration picture taken September 27, 2013. (photo credit: REUTERS/KACPER PEMPEL)
Israel and Iran each may have accessed users’ phone numbers associated with their Twitter accounts, Twitter said Tuesday morning.
The social-media giant said it had discovered attempts by possible state actors to access the phone numbers after a security researcher unearthed a flaw in the company’s “contacts upload” feature.
In a statement published on its privacy blog, Twitter said it had identified a “high volume of requests” to use the feature coming from IP addresses in Iran, Israel and Malaysia. There was no implication that any of the countries acted together, but rather that each country separately exploited the same flaw.
“Some of these IP addresses may have ties to state-sponsored actors,” Twitter said without elaborating.
The Jerusalem Post has learned that former Israeli intelligence agents have discovered ways to gain backdoor access to various social-media platforms. Entities associated with some of these former agents may have used this access in a variety of ways, sometimes including the ability to influence political campaigns.
The Post cannot determine whether the former agents learned or used the techniques when they were still working for Israeli intelligence. But there have been numerous reports that top intelligence agencies, including American ones, are sometimes able to use such techniques.
Besides brute hacking of social-media platforms, it is well known that Russia, Iran and others use Twitter, Facebook and other networks to influence campaigns without even needing to hack real users.
Their tactics have included using “bots” (computer-generated, fictitious accounts that pose as real people), or ads bought by fictitious private-sector people or companies, which buy a large volume of ads without Facebook or Twitter realizing they are actually selling to state entities (often Russia or Iran) that are often hiding their anti-Western agenda.
A Twitter spokeswoman declined to say how many user phone numbers had been exposed, adding that the company was unable to identify all of the accounts that may have been impacted.
She said Twitter suspected a possible connection to state-backed actors because the attackers in Iran appeared to have had unrestricted access to the social-media platform, even though the network is banned there.
Tech publication TechCrunch reported on December 24, according to Reuters, that security researcher Ibrahim Balic had managed to match 17 million phone numbers to specific Twitter user accounts by exploiting a flaw in the contacts feature of its Android app. The online publisher said it was able to identify a senior Israeli politician by matching a phone number through the tool.
The feature, which allows people with a user’s phone number to find and connect with that user on Twitter, is turned off by default for users in the European Union, where stringent privacy rules are in place. It is switched on by default for all other users globally, the spokeswoman said.