[HN Gopher] Twitter says an attacker used its API to match usern...
       ___________________________________________________________________
        
       Twitter says an attacker used its API to match usernames to phone
       numbers
        
       Author : spzx
       Score  : 195 points
        Date   : 2020-02-04 06:51 UTC (1 day ago)
        
 (HTM) web link (www.zdnet.com)
 (TXT) w3m dump (www.zdnet.com)
        
       | TylerE wrote:
       | It's a phone number, not your bank account.
       | 
       | It's public information.
       | 
       | Do you want to sue the phone telcos for publishing the phone
       | book?
        
         | XMPPwocky wrote:
         | What's your phone number?
         | 
          | I might call you and check, and check for VOIP numbers, too, so
          | no fakes.
        
           | [deleted]
        
           | techsupporter wrote:
           | > check for VOIP numbers, too, so no fakes
           | 
           | Ah yes, continuing the fiction that anyone who uses a VoIP
           | service must be a fraudster with a faked phone number.
           | 
           | Just another in the long list of if you are not using Google
           | or Microsoft e-mail and AT&T or Verizon or T-Mobile or Sprint
           | postpaid mobile phone service, you're obviously up to no good
           | and deserve whatever "anti-fraud" you get.
        
         | Jestar342 wrote:
         | > It's public information.
         | 
         | No, it isn't.
        
           | stuff4ben wrote:
           | you have one of those private, encrypted phone numbers that
           | prevents unauthorized usage? Get over yourself, it's public
           | information.
        
             | eternalny1 wrote:
             | > you have one of those private, encrypted phone numbers
             | that prevents unauthorized usage? Get over yourself, it's
             | public information.
             | 
             | Is it?
             | 
             | If I find out your phone number, "stuff4ben", then I know
             | who "stuff4ben" really is.
             | 
             | People have been missing this for a LONG time now. Phone
             | numbers are the unique identifier, especially with
             | portability.
             | 
             | You can use 50 different usernames across 50 different
             | sites but with that phone number, I know they are all you.
             | 
             | Which I can then link up to the 1,000 other sites you use
             | those 50 usernames on without providing your phone number,
             | and it's still likely you.
             | 
             | The NSA's database must be very interesting out at the Utah
             | Data Center. This is how it all works, because you can mask
             | your IP address using Tor but you can't mask any of that
             | unless you've taken very careful steps along the entire
             | history of your internet usage, from the start.
        
           | BoorishBears wrote:
           | Eh, it pretty much is. At least in the US
           | 
           | I have a pretty unique name, you can search my first name +
           | "voter registration" and get my address, phone number, and
           | birthdate
           | 
           | Even if my name was common, it'd still be out there
        
             | thiagomgd wrote:
             | But on twitter you don't need to give anyone your real
             | name. THAT'S the thing. There should be no way to tie your
             | twitter account to you, unless you specifically allow them
             | to share your information.
        
               | ryanlol wrote:
               | Isn't that really for twitter to decide?
               | 
               | Besides, weren't the people who had opted out from the
               | "Let people who have your phone number find you on
               | Twitter" unaffected by this?
        
               | BoorishBears wrote:
               | Sure, that's what the other replies above the comment I
               | replied to are saying, but this is specific to phone
               | numbers
               | 
               | A lot of people are not aware of the fact this
               | information is all public
        
         | throwaway55554 wrote:
         | Just because it's public doesn't mean it should be shared with
         | everyone.
         | 
         | You wouldn't type your number into a HN comment, would you?
         | Probably not because you know exactly what would happen.
        
         | AlexandrB wrote:
         | It may be public, but I don't see you posting your phone number
         | on HN. Perhaps that's because you don't want everyone in the
         | world to have it? Doesn't seem like an unreasonable expectation
         | to me.
        
         | mstolpm wrote:
          | No, it's only public if you choose to disclose it. Phone numbers
         | are PII (personal identifying information) in regards to the
         | GDPR.
        
           | tripa wrote:
           | Sorry for the slight pedantry, but PII is some American
           | thing. GDPR deals with "personal data".
           | 
           | It's playing on words until you find out the PII definition
           | isn't the one that's used to settle GDPR claims.
        
             | inetknght wrote:
             | You're cutting hairs here. Phone numbers are protected
             | under both European and US privacy protection laws.
        
         | zepolen wrote:
         | What's your phone number?
        
         | RL_Quine wrote:
         | What's your phone number? If it's public you don't mind sharing
         | it. My address book is filled with people who would be very sad
         | if that were made public.
        
         | ckastner wrote:
         | It's not public information, and it's considered identity-tied
         | enough to be used in many forms of two-factor identification.
        
           | ghaff wrote:
           | Private vs. public isn't a fine-grained enough distinction.
           | It's not private in the sense that most people give it out to
           | lots of people so that they can be contacted. (Of course, in
           | the case of landlines, they're mostly listed in a public
           | directory somewhere but I assume we're talking mobile here.)
           | 
            | BTW, your bank account number is the same way if you write
           | checks.
           | 
           | So they're not private in the way that some data (like health
           | information) that you're only going to share very selectively
           | is private. But it's mostly not public in the sense that
           | you'll likely put it online unless maybe it's a business
           | phone.
        
           | moron4hire wrote:
           | It is public information, and that's why it's ludicrous that
           | it's used for two-factor authentication.
           | 
           | Two-factor authentication is a dumb solution to a real
           | problem. The problem should be properly solved, rather than
           | hacked around with stupid solutions like "sending
           | notifications to accounts that can easily be spoofed by
           | willful actors".
        
             | SAI_Peregrinus wrote:
             | > Two-factor authentication is a dumb solution to a real
             | problem. The problem should be properly solved, rather than
             | hacked around with stupid solutions like "sending
             | notifications to accounts that can easily be spoofed by
             | willful actors".
             | 
             | SMS Two-factor authentication is a dumb solution. Actual
             | two-factor authentication like FIDO U2F tokens is a better
             | solution. Even TOTP is better than SMS auth.
        
         | jchw wrote:
         | Your _identity_ is not public information on Twitter. Posting
         | someone's phone number and Twitter handle, if they did not
         | explicitly share it anywhere, would be doxing, against almost
         | any site ToS, and potentially even illegal.
        
           | sdan wrote:
            | Are there any legal repercussions against doxxing?
        
             | jchw wrote:
             | It depends on the jurisdiction but definitely. I am not a
             | lawyer, though; I'll just defer to your favorite search
             | engine on this one.
        
         | glofish wrote:
          | pff, considering that a large number of two-factor
          | authentication protocols send you SMS, your phone number might
          | just as well be your bank account
        
         | moron4hire wrote:
         | I'm sorry you're getting downvoted to oblivion on this. There
         | are two cohorts on HN: those who think you can do whatever the
         | hell you want as long as you put "startup" in front of it, and
         | those who think anything a company does is the end of the
         | world. And while I suspect these two cohorts overlap a lot,
         | today you've definitely gotten hit by the latter.
        
       | rezeroed wrote:
       | Why on earth would you give twitter your phone number!? It's an
       | ad company. Why on earth would you give an ad company your phone
       | number?!
        
         | [deleted]
        
       | arminiusreturns wrote:
       | Went on a tweet storm a few months ago. Twitter locked my account
       | and forced me to give my phone number. I started getting spam
       | calls at a level I didn't before (may be coincidence but am very
       | tight about that sort of thing, I don't even give my grocery
       | store my #) and I knew, just knew that at some point, this very
       | thing would happen.
       | 
        | Combine that with the story that the Saudis had infiltrated
        | twitter and were spying on users, especially in light of how they
        | treat their opponents (Khashoggi), when do we stop supporting
        | companies that do these obviously poor practices?
        
         | vorpalhex wrote:
         | > when do we stop supporting companies that do these obviously
         | poor practices?
         | 
         | Well, you just indicated you chose to continue supporting this
         | company with the poor practice above. What would make you
         | switch away from them? Clearly the spam calls weren't enough.
        
           | Jamwinner wrote:
           | Exactly. These people are petting the dog after it attacks
           | their kid, oblivious to the training they are offering and
           | reinforcing. We as a collective are just teaching big tech
           | how to more effectively enslave us for profit.
        
           | scottlocklin wrote:
           | Saudi problem seems more severe! Call me crazy!
           | 
           | Not that I use twitter; people who get on the thing seem to
           | have some bizarro Stockholm syndrome.
        
           | arminiusreturns wrote:
           | It's a complicated issue. I am very privacy focused, the kind
           | of person that doesn't do facebook, burns accounts on
           | different forums regularly, etc, but I have to admit I
           | enjoyed the information I got out of twitter while not
           | enjoying some of their recent changes.
           | 
           | Since the spam calls and the phone link in though, I have
           | already changed my twitter-name and lost all followers, and
           | since then I pretty much stopped tweeting. Haven't logged in
           | in at least a month now.
           | 
           | The main problem with adoption of an alternative is that I
           | was using it to keep up with the kinds of people that aren't
           | necessarily going to move to an alternative until it reaches
           | some sort of critical mass. My RSS feeds are already full
           | enough without having to add a bunch of random single person
           | blogs to keep up with, so I'm not sure to be honest. Twitter
           | was my main compromise to stay more socially connected with a
           | wider array of people and it's hard to let go of that.
           | 
           | Despite my desire for good federated and open source social
           | networking, it isn't quite there yet, and so for the time
           | being the one social outlet alternative I see glimmers of
           | hope in is WT.Social.
        
             | em-bee wrote:
             | you can still follow people without logging into twitter.
             | their posts are public. you can't DM with them though, and
             | they also can't follow you. they also can't block you. but
             | as far as "getting information out of twitter" is
             | concerned, no account is needed
        
       | _Understated_ wrote:
       | > Twitter did not clarify who these third-parties were, but it
       | did say that some of the IP addresses used in these API
       | exploitation attempts had ties to state-sponsored actors, a term
       | used to described either government intelligence agencies, or
       | third-party hacking groups that benefit from a government's
       | backing.
       | 
       | Can someone explain this to me please? Are "state-sponsored
       | hackers" this foolish to use the same IP addresses as previous,
       | known IP's used in hacks?
       | 
       | Or is this just the current "because terrorism / because
       | pedophiles" used to cover incompetence?
       | 
       | I don't get it...
        
         | BurnGpuBurn wrote:
         | Yeah I never believe the "state-sponsored" hackers claim, or
         | any claim to the location of them, until those hackers get
         | caught and convicted based on real evidence. It's basically
         | guesswork anyway. And certainly to a company like Twitter who
         | doesn't even have the capabilities to really investigate a
         | hack, compared to say the NSA, CIA or similar spooks.
        
         | meowface wrote:
         | I've been involved in research of this nature, though not
         | specifically attributing APTs. Think of it like old school
         | detective work: every crime and every criminal leaves traces,
         | including the traces of the ways they attempt to prevent being
         | traced. This sometimes also includes attempts to impersonate
         | other entities ("false flags"). No matter how many layers of
         | indirection an attacker uses, there's going to be at least one
         | thread to pull on.
         | 
         | There's no equivalent to DNA testing, but sometimes you can
         | have pretty high confidence in an attribution. To be clear,
         | this goes incredibly far beyond looking at IP address
         | geolocation or whatever. That's less than 1% of what you're
         | looking at. That'd be like police assuming a death threat was
         | signed with someone's real name.
         | 
         | There's no way of knowing exactly what they identified or how
         | they did it or if they got it right. I wish more companies
         | would release such information and how they conducted the
         | entire analysis (some do), though I understand that may not be
         | possible due to legal and counter-intelligence reasons.
        
       | mikey_p wrote:
       | The deepest irony of all this is that they require phone numbers
       | to verify accounts, which should cut down on fake accounts, yet
       | they had a large amount of fake accounts using this very feature,
       | which means verifying with a phone number may not be super
       | effective anyway...
        
         | kwijibob wrote:
          | I factory reset my phone so I lost my gauth 2fa for Twitter.
         | I'm locked out now.
         | 
         | I cannot get Twitter to let me back in even though I can verify
         | my email and phone SMS.
         | 
         | I didn't make a backup code because I assumed I could use
         | email/SMS in this situation. It seems not.
         | 
         | So another smaller irony is that you cannot make valid use of
         | your linked phone number that they nag you for.
        
       | kingosticks wrote:
       | Any chance this means they'll get rid of their popup that asks
        | for my phone number every time I visit. You only have to refresh
        | the page to get rid of it but it is annoying. This incident shows
        | they don't know what they are doing and don't respect their
        | users' data.
        
       | mLuby wrote:
       | Why is "impacting" better than "affecting?"
        
         | dghughes wrote:
          | For starters, impact is a noun and affect is a verb.
         | 
         | It's probably textbook risk analysis lingo, an impact is
         | measurable but an affect is not.
         | 
         | Usually an impact scale is created to define what impact level
         | 5 would involve versus impact 1. It's still arbitrary but more
         | configurable than affect.
         | 
         | Just my two cents, no guarantee.
        
       | [deleted]
        
       | lowdose wrote:
        | Kind of ironic Twitter can't protect data theft but spends a
        | considerable amount of resources to detect Deep Fakes.
        
         | krapp wrote:
          | How is that ironic? Those are two entirely different issues.
        
       | daenz wrote:
       | At some point we'll realize that privacy invasive policies are a
       | huge security liability, right?
        
       | thiagomgd wrote:
       | I was already thinking of deleting my twitter account. This is
       | just an extra incentive
        
       | buboard wrote:
       | phone numbers are better than ips for surveillance. they follow
       | you everywhere.
        
         | Scoundreller wrote:
         | I eagerly look forward to a phone-number free world.
         | 
         | Would help a lot with global mobility.
        
       | simonebrunozzi wrote:
       | Class action?
        
         | markovbot wrote:
         | Unlikely to succeed. This sort of invasive, drag-net data
         | collection without user knowledge or consent is considered
         | standard practice.
         | 
         | All twitter users "agreed" to it when they created their
         | account (via the legal fiction that humans read and agree to
         | terms of service)
        
           | cmcd wrote:
           | I didn't create a twitter account but my information could
           | have been leaked via this process.
        
             | markovbot wrote:
             | Is there some law against them collecting your information
             | from your friends without your consent? I'm not a lawyer,
             | just an observer of how these sort of things regularly go,
             | and I'm going to guess that what they did here was 100%
             | legal.
             | 
             | Obviously this is morally abhorrent, but in the US the laws
             | are written to protect large corporations like Twitter, not
             | their victims.
        
             | paulddraper wrote:
             | That's not damages though.
        
           | jdc wrote:
           | I'm not convinced that "standard practice" is a sufficient
           | legal defense.
        
       | 3fe9a03ccd14ca5 wrote:
       | Twitter could go a long way in solving this issue by _not
       | requiring a phone number_ for an account. While you don't need
       | one to sign up, after some short period of time you'll be locked
       | out if you don't provide one.
        
       | jrochkind1 wrote:
       | > The endpoint matches phone numbers to Twitter accounts for
       | those people who have enabled the "Let people who have your phone
       | number find you on Twitter" option and who have a phone number
       | associated with their Twitter account.
       | 
       | I don't recall hearing about this option. I followed the link
       | they helpfully included[1] to see if I had it set.
       | 
       | I found that I DID have "Let people who have your phone number
       | find you on Twitter" checked. But did NOT have "Let people who
       | have your email address find you on Twitter" checked.
       | 
       | It's possible I actually chose that at some point, for some
       | reason decided I was okay with "by phone number", but not "by
       | email". But that doesn't sound like me, I'm wondering if I
       | unchecked the "email address" one at some point when the "phone
       | number" one didn't exist; then they later added the "phone
       | number" one defaulted to on?
       | 
       | I am guessing they intend to default all of these to on (opt-out
       | rather than opt-in), cause few people would take the trouble to
       | go and opt-in even if they didn't mind or would like it.
       | 
       | But... you know. Anyway, I've unchecked both of them now.
       | 
       | I don't entirely understand the vulnerability, it sounds like it
       | was "letting people who have your phone number find you on
       | Twitter" just as advertised. "we immediately made a number of
       | changes to this endpoint so that it could no longer return
       | specific account names in response to queries." OK, so... you
       | can't use the API to do that anymore, but can still use the
       | twitter web app directly? I mean, it says right there you are
       | letting people who know your phone number find you on twitter,
       | which I would assume means find your account name.
       | 
       | It kind of sounds like they realized this whole feature was
       | privacy-violating, or would be perceived as such, but they
       | haven't gotten rid of the feature... I'm confused what they
       | considered the vulnerability and what they changed or didn't, and
       | to what extent usernames and phone numbers can still be matched
       | by a third party on twitter.
       | 
       | [1]: https://twitter.com/settings/contacts
        
         | segmondy wrote:
         | I have the inverse, I never did check it myself. That I can
         | assure you of. I don't care for anyone finding me on social
         | media.
        
         | EGreg wrote:
         | Honestly, there is a world of difference between having an API
         | to do things in bulk and only allowing rate-limited clients to
         | do something.
         | 
         | Both require authentication (although new court rulings may
         | technically be outlawing all charging and quotas for APIs!)
         | 
         | But the API has far more permissive bulk actions. Of course,
         | with a botnet and enough time and effort one could execute a
         | sybil attack to circumvent any per-account quotas, and use per-
         | resource quotas to launch a DDOS attack on some resource to any
         | non-authenticated parties.
         | 
          | I wish there was a service to prevent sybil attacks somehow.
         | Just make it exponentially more expensive to create multiple
         | identities / accounts on networks. Has anyone got _links_ to
         | papers or projects or _anything_ in that direction? It would be
         | hugely valuable.
         | 
         | PS: Twitter and other startups don't particularly care about
         | sybil attacks and fake users when they are growing, it helps
         | them "innocently" report great user numbers to VCs. So they
         | don't spend much effort preventing sleeper bots from joining in
         | the network's growth phase.
        
           | jsnell wrote:
           | > (although new court rulings may technically be outlawing
           | all charging and quotas for APIs!)
           | 
           | That seems quite hard to believe. Do you have a link?
        
             | EGreg wrote:
             | https://news.ycombinator.com/item?id=22180559
        
               | jsnell wrote:
               | Thanks.
               | 
               | That link isn't about APIs, isn't about outlawing
               | charging or quotas, and appears to just be about a
                | preliminary injunction rather than a generally applicable
               | ruling. So I'd argue that it doesn't in any way support
               | your initial claim.
        
           | jrochkind1 wrote:
           | > a world of difference between having an API to do things in
           | bulk and only allowing rate-limited clients to do something.
           | 
           | Sure, the difference you speak of is only and exactly if the
           | rate-limiting on your API is different than on the other
           | rate-limited (web?) clients, right?
           | 
           | It doesn't have to be, but it often is, for various reasons
           | intentional or accidental. Making the rate limiting the same
           | might be another way to fix the "vulnerability" then? It
           | depends on what they consider the vulnerability exactly; if
           | you don't know what it is you consider the problem, it's hard
           | to fix it, or for you or anyone else to judge if you've fixed
           | it! I find their statement to be vague on what the problem
           | was exactly, as above.
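The two comments above turn on one question: whether a per-account quota on a lookup endpoint bounds bulk use at all once a caller controls many accounts (the sybil case EGreg raises), and whether making the limits the same across API and web clients is enough. The following is an added example, not code from Twitter or from anyone in the thread: a fixed-window limiter applied on three dimensions at once (account, source IP, the endpoint as a whole), plus a replay that shows a per-account limit alone admitting every lookup from a thousand throwaway accounts, while a limit on a shared dimension still caps the total and flags the pattern. The window size, quotas, account names and IP addresses are all constructed for the illustration.

```python
"""Layered rate limits for a contact-discovery endpoint (added example).

A per-account quota bounds what one account can query. It does not bound a
caller who controls many accounts. Limits keyed on shared dimensions (source
IP, the endpoint as a whole) restore a global bound and give the defender a
signal: account budget fine, shared budget exhausted, is what bulk access
looks like. All limits, names and addresses below are constructed.
"""
from collections import defaultdict


class FixedWindowLimiter:
    """Admit at most `limit` requests per `window` seconds for each key.

    Only admitted requests are counted, so a caller that keeps retrying
    after a denial neither gains nor loses budget until the window rolls.
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._count = defaultdict(int)
        self._window_start = {}

    def allow(self, key: str, now: float) -> bool:
        start = self._window_start.get(key)
        if start is None or now - start >= self.window:
            self._window_start[key] = now   # open a fresh window for this key
            self._count[key] = 0
        if self._count[key] >= self.limit:
            return False
        self._count[key] += 1
        return True


class LookupPolicy:
    """Every dimension must admit the request. A request that fits the
    account's own budget but trips a shared budget is recorded as an
    anomaly for the detection side to look at."""

    ENDPOINT = "contacts/lookup"   # hypothetical endpoint name

    def __init__(self, per_account, per_source_ip, per_endpoint):
        self.per_account = per_account
        self.per_source_ip = per_source_ip
        self.per_endpoint = per_endpoint
        self.anomalies = []        # (account, source_ip) pairs worth a look

    def check(self, account: str, source_ip: str, now: float) -> bool:
        # Evaluate all three without short-circuiting, so a request denied
        # on a shared dimension still spends the account's own budget (the
        # conservative choice) and the decision is visible per dimension.
        acct_ok = self.per_account.allow(f"acct:{account}", now)
        ip_ok = self.per_source_ip.allow(f"ip:{source_ip}", now)
        ep_ok = self.per_endpoint.allow(f"ep:{self.ENDPOINT}", now)
        if acct_ok and not (ip_ok and ep_ok):
            self.anomalies.append((account, source_ip))
        return acct_ok and ip_ok and ep_ok


def simulate(policy: LookupPolicy, n_accounts: int, per_account: int,
             ip_for_account, now: float = 0.0) -> int:
    """Replay n_accounts * per_account lookups inside one window and return
    how many the policy admitted. ip_for_account maps account index -> IP."""
    admitted = 0
    for i in range(n_accounts):
        acct, ip = f"acct{i}", ip_for_account(i)
        for _ in range(per_account):
            if policy.check(acct, ip, now):
                admitted += 1
    return admitted


WINDOW = 900.0   # 15-minute window, a constructed value


def account_only_policy() -> LookupPolicy:
    """Only the per-account dimension is meaningful; the others never trip."""
    unlimited = 10 ** 9
    return LookupPolicy(FixedWindowLimiter(100, WINDOW),
                        FixedWindowLimiter(unlimited, WINDOW),
                        FixedWindowLimiter(unlimited, WINDOW))


def layered_policy() -> LookupPolicy:
    """100 lookups per account, 300 per source IP, 5000 endpoint-wide."""
    return LookupPolicy(FixedWindowLimiter(100, WINDOW),
                        FixedWindowLimiter(300, WINDOW),
                        FixedWindowLimiter(5000, WINDOW))


def one_ip(i: int) -> str:
    return "198.51.100.7"              # every account behind one address


def spread_ips(i: int) -> str:
    return f"203.0.113.{i % 256}"      # accounts spread over 256 addresses


if __name__ == "__main__":
    print(simulate(account_only_policy(), 1000, 100, one_ip))      # 100000
    p = layered_policy()
    print(simulate(p, 1000, 100, one_ip), len(p.anomalies))        # 300 99700
    q = layered_policy()
    print(simulate(q, 1000, 100, spread_ips))                      # 5000
```

With only per-account quotas, a thousand accounts each staying inside their 100-lookup budget are admitted for all 100,000 lookups and nothing is flagged. With the per-IP and endpoint-wide limits layered on, the same traffic is cut to 300 from a single address, or to the 5,000 endpoint ceiling when spread across addresses, and the 99,700 account-OK-but-shared-budget-denied decisions are exactly the signal a detection team would want alerted on rather than silently dropped. Applying the same policy object to the web client and the API removes the gap jrochkind1 describes, since both paths share the same shared-dimension budgets.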
        
         | rcthompson wrote:
         | Based on the "large network of fake accounts", I'm guessing the
         | attackers were doing something to effectively query every
         | possible phone number and associate an account to each one.
        
           | ramses0 wrote:
           | @fake_twitter_account_212_111_xxxx w/ a phonebook contact
           | list of "212-111-0000" => "212-111-9999". Lather, rinse,
           | repeat. You'd need ~10M accounts w/ ~1000 phone numbers in
           | each, and that can be reduced by some percentage if you know
           | how U.S. phone numbers are assigned (ie: don't check for
           | xxx_555_xxxx numbers, prefer highly populated prefixes, etc.)
           | 
           | Good thing they SUSPENDED those accounts! /s
        
             | rcthompson wrote:
             | You can probably narrow down the list to just existing
             | mobile numbers by sending a text message to each one, and
             | then just do this for ones where the text message actually
             | goes through.
        
         | tzs wrote:
         | > It's possible I actually chose that at some point, for some
         | reason decided I was okay with "by phone number", but not "by
         | email". But that doesn't sound like me, I'm wondering if I
         | unchecked the "email address" one at some point when the "phone
         | number" one didn't exist; then they later added the "phone
         | number" one defaulted to on?
         | 
         | I looked at mine, which I'm sure I've never touched before
         | because I never cared about Twitter settings. As with my
         | Facebook account, my Twitter account was mostly just created to
         | get an acceptable name in case someday I actually wanted a
         | serious social media presence.
         | 
         | Both are unchecked. The account was created in early 2008.
        
           | fernandotakai wrote:
           | yeah, same. account created in oct 2007, never checked and i
           | have everything turned off.
        
             | disiplus wrote:
              | also unchecked, and I have my phone number there.
        
           | nyuszika7h wrote:
           | If you're in the EU they were likely disabled in 2018 as part
           | of the GDPR prompt.
        
         | arkadiyt wrote:
         | You can also delete your phone number completely - there's no
         | real reason for Twitter to have it, especially now that it's
         | not required for 2fa.
        
           | dylz wrote:
           | You will receive account suspensions shortly after / days
           | after removing it, at least in my experience.
        
             | dandellion wrote:
             | That happened to me, although I contacted support and they
             | restored it the following day, no questions asked.
        
           | larrik wrote:
           | Didn't you use to tweet via SMS? I assume that's still an
           | option? Seems like a valid reason for them to have it.
        
             | tedunangst wrote:
             | They turned it off after somebody simjacked jack.
        
         | [deleted]
        
       | GrumpyNl wrote:
        | One of the reasons I never installed the twitter app. Will keep
       | using the web page.
        
       | deft wrote:
       | What happened: Twitter asks users on sign up to scan their
       | contacts (read: steal and upload them). If you say no, twitter
       | asks again and again every day / every login until you finally
       | allow it to. Twitter builds a huge and unnecessary db of users
       | and phone numbers, as well as non-users IDs tied to phone
       | numbers. Someone uses an API to steal this info that in most
       | cases twitter only collected by tricking their users / forcing
       | it.
       | 
       | Anyone affected by this should be suing twitter for even
       | collecting this information! My friend can give away my phone
       | number because of this data collection.
        
         | amluto wrote:
         | Apple could nip this in the bud: don't allow apps to read a
         | full contact list _at all_. Use a contact picker when needed.
        
           | twodave wrote:
           | This certainly would break plenty of valid use cases for a
           | feature like this. More likely they ought to have policy in
           | their developer docs to scope reasonable uses of the full
           | contact list and start rejecting updates for applications
           | that violate the new rule.
        
         | Zenst wrote:
         | >Anyone affected by this should be suing twitter for even
         | collecting this information! My friend can give away my phone
         | number because of this data collection.
         | 
          | Given the ramifications on leaking Name with phone number of
          | people who didn't agree directly anything with Twitter and just
          | had their contact details trawled by any of their friends
          | signing up. Not good, as with that, hijacking phone numbers has
          | been done many ways and times; even the CEO of Twitter had that
          | stunt pulled upon him. What with 2FA for many being a text
          | message sent to your phone number, the ramifications of this
          | could be bigger than they first appear. And remember, they only
          | found this; how long has this been open to such abuse? So
          | anybody who had their phone number hijacked in X period of
          | time, this `might` be a possible explanation in some of those
          | instances.
         | 
         | Legally - no idea how this will pan out, but certainly not be
         | the last we read about this.
        
           | xorfish wrote:
           | You can also match phone numbers and Instagram accounts
        
         | RKearney wrote:
         | A trick I found to stop this nonsense is, at least on iOS,
         | answer yes to the Application's custom dialog to ask
         | permission. This will then invoke the iOS security dialog where
         | you can click "No" and never be asked again.
         | 
         | Generally what I see happening is apps will ask the user if
         | it's okay, and only when the user says yes will they execute
         | the necessary system call to request access. In iOS at least,
         | if a user clicks No the app can never prompt for that
         | permission ever again. Until the app makes this formal request
         | to the operating system, it does not show up under privacy (as
         | the app had never asked for it in the first place).
        
           | vincentmarle wrote:
           | Your friends/family probably won't do this, so your phone
           | number is going to be shared with Twitter anyways.
        
           | ngvrnd wrote:
           | this worked for me also.
        
           | lonelappde wrote:
           | Why does Apple allow that for App Store apps? That's obvious
           | circumvention of iOS's privacy control regime.
        
             | toast0 wrote:
             | My post below is wrong, please move along. Keeping as-is,
             | so the replies make sense. Thanks repliers!
             | 
             | The native prompts don't allow for app specific explanatory
             | text to be presented. I haven't reviewed iOS guidelines,
             | but Google provides guidance to inform users of why you're
             | asking for permissions before you do it, and I would guess
             | Apple would suggest the same as well. Pestering people for
             | access once a day is probably not within the scope of the
             | guidelines though.
        
               | cactus2093 wrote:
               | Incorrect, iOS does allow explanatory text on the system
               | prompt, in fact it's required.
               | 
               | There is no good reason for Apple to allow apps to mask
               | permission requests with their own dialogs, it's just a
               | case of not bothering to fix this loophole.
        
               | diebeforei485 wrote:
               | > The native prompts don't allow for app specific
               | explanatory text to be presented
               | 
               | Not true. iOS apps can specify explanatory text to be
               | included in the native prompt. In fact they are required
               | to do this, since at least two years ago.
               | 
               | The NSContactsUsageDescription string (in the Info.plist
               | file) is the place to specify this.
               | 
               | https://developer.apple.com/library/archive/documentation
               | /Ge...
        
           | diebeforei485 wrote:
           | Ideally, iOS would have an option to say "always deny
           | Contacts access and never bring up a dialog again".
           | 
           | I don't share my contacts with any app, and I hate being
           | asked again and again for every single new app. No means no.
        
             | twodave wrote:
             | Actually for most things in iOS, once the system dialog has
             | been brought up, the operating system won't allow it to be
             | brought up again. It won't stop the application in question
             | from nagging you, but at least then even if you click
             | "allow" on the application pop-up the system will still
             | require you to go into the app permissions and explicitly
             | allow it.
        
         | [deleted]
        
         | rchaud wrote:
         | It's for this reason that I use PWAs wherever possible. Right
         | now I'm using it for Twitter and Uber. Tired of turning off
         | permissions and then having to do it again when apps auto-
         | update and restore the original permissions.
        
         | drewmol wrote:
         | >Anyone affected by this should be suing twitter for even
         | collecting this information! My friend can give away my phone
         | number because of this data collection.
         | 
         | If you made some agreement as to how your friend could use your
         | phone number and 'sharing with Twitter' is a violation then you
         | could sue them I suppose. Annoying as this data collection is,
         | labeling information about you as only yours is incorrect, it's
         | your friends' and Twitter's (and Google/FB/AMZ/etc.)
         | information too.
        
         | fireattack wrote:
         | > If you say no, twitter asks again and again every day / every
         | login until you finally allow it to.
         | 
         | Any proof about this claim? I use Twitter on Android and web
         | frequently and I only refuse such request once or twice.
         | 
         | Bottom line, it doesn't "ask again and again every day".
        
           | zippergz wrote:
           | I've been using Twitter daily pretty much continuously since
           | 2008 and I don't remember ever being prompted to upload
           | contacts. I can believe it has happened at some point, but it
           | certainly doesn't repeatedly ask me. I use the web interface
           | and the first-party iOS app (though over the years I have
           | also used various third-party apps on both iOS and macOS).
        
           | throwiay987 wrote:
           | Consider yourself lucky, any account I create without a phone
           | is immediately flagged/blocked and if I do use
           | mine (personal), I get asked to add permissions like the
           | parent said every single time.
        
             | fireattack wrote:
             | Account associated with a phone number is totally different
             | from "scan your contacts".
        
           | nacs wrote:
           | If you use the web client, they have a header that asks for
           | your phone number repeatedly until you give it.
        
             | fireattack wrote:
             | OP was talking about "Twitter asks to scan your contacts",
             | not to add a phone number.
        
       | diebeforei485 wrote:
       | They should not allow phone number -> handle lookups. That is
       | quite creepy.
       | 
       | A much more privacy-respecting method would be to only allow
       | lookups if _both_ parties have each other added.
        
       | busterarm wrote:
       | So I guess Twitter applied for a technology embargo exemption to
       | Iran?
       | 
       | I mean, I guess that's been public knowledge already that they
       | serve there, but the overwhelming majority of public companies
       | block the IP space of every country on the embargo list.
       | 
       | I'd think that serving Iran right now would be fairly politically
       | untenable.
        
         | xxpor wrote:
         | Most of Iran's leadership have active twitter accounts, so I'd
         | have to guess so.
        
       | spoondan wrote:
       | It's interesting to me that these kinds of things are not
       | catalogued and advertised like other vulnerabilities. This is an
       | exploitable information leak using an endpoint that many other
       | services likely have.
        
       | dickjocke wrote:
       | I was rejected with no explanation from a Twitter API key,
       | despite it being for a real account that must appear very normal
       | in every respect.
       | 
       | I think it's kind of funny that they are so draconian with
       | hobbyists and people making toys, but that any motivated bad
       | actor can probably access most of the same endpoints and services
       | by virtue of the fact that they have to be accessible for people
       | to use Twitter.
        
       | exabrial wrote:
       | I don't even feel sorry for them. Many many times over, industry
       | experts told people: SMS is NOT 2FA and should not be used as
       | such. Great to see karma served, and I look forward to U2F or
       | WebAuthn on my twitter account soon.
        
         | rchaud wrote:
         | What's there to feel sorry about? Twitter isn't facing any
         | regulatory scrutiny over this, let alone possible fines.
        
       | rewq4321 wrote:
       | I was amazed when I found out about this "trick" a year or two
       | ago. It basically means that if you've used your personal email
       | or phone number to create an "anonymous" twitter handle (e.g. a
       | whistleblower, leaker, etc.), then it's not anonymous at all.
       | 
       | Someone can just put batches of emails into their gmail account
       | (e.g. journalists' public emails, their employees' emails, other
       | suspects), then use the Twitter contacts-import functionality to
       | import those emails and match them up with Twitter account
       | handles. It's insane.
       | 
       | I first saw people explaining how to do this on Quora a year or
       | two ago, but here's another explanation that was posted just a
       | few days before this announcement:
       | https://www.quora.com/How-228/answer/William-Boyd-181
       | 
       | Twitter MUST have known about this loophole for many years. It's
       | nigh on impossible that they are that incompetent, so, as far as
       | I can see, they were just ignoring the loophole because they
       | didn't want to slow down their growth by removing the feature. As
       | with all social networks, the most important factor in keeping
       | users is to quickly get them a network of followers and
       | followees.
       | 
       | EDIT:
       | 
       | > "People who did not have this setting enabled or do not have a
       | phone number associated with their account were not exposed by
       | this vulnerability," Twitter said.
       | 
       | This spokesperson is extremely sneaky. They completely neglect to
       | mention that the "let others find me by _email_ " is checked by
       | default, and so we can only assume that anyone who has a publicly
       | scrape-able email _somewhere_ (basically everyone, because
       | you've got to count all the leaked databases too - see:
       | haveibeenpwned.com) has had their Twitter handle linked to that
       | email. Atheist bloggers in Saudi Arabia, whistleblowers in the
       | US, opposition activists in Russia, and so on - all potentially
       | fucked over (past tense) by this.
       | 
       | And while I'm ranting: What's worse is that they apparently
       | _haven't disabled that API_. They've just removed a few big
       | crawler swarms. But the thing is, Russia / Saudi Arabia / etc.
       | probably have narrowed their suspects down to 500 (or so) emails
       | anyway, so they can discover the heretic/activist in a SINGLE API
       | REQUEST! So Twitter has done _nothing_ to fix this loophole.
        
         | yomly wrote:
         | Yes this is the thing everyone should be talking about. Think
         | of any of the bigger Twitter posters on Hong Kong. If any of
         | the ringleaders didn't decouple their twitter handle from
         | everything else they will have a giant bullseye painted on them
         | by CCP.
        
       | sakisv wrote:
       | From Twitter's statement:
       | 
       | > People who did not have this setting enabled or do not have a
       | phone number associated with their account were not exposed by
       | this vulnerability.
       | 
       | This is a bit disingenuous, given that you can't really open an
       | account unless you provide a phone number to "verify" it.
       | 
       | Edit for clarification:
       | 
       | As gojomo said below
       | (https://news.ycombinator.com/item?id=22233612) you may not need
       | to provide it during sign-up, but your new account is almost
       | immediately locked for "suspicious activity" and you need to
       | provide a phone to unlock.
        
         | jchw wrote:
         | Indeed: using email based sign up usually immediately triggers
         | a suspension. It can take as little as a few minutes.
        
         | dicytea wrote:
         | Does this vulnerability affect people who added a phone number
         | but then removed them? Last time I tried, this method was
         | effective for getting around the "suspicious activity" lock.
        
           | caseysoftware wrote:
           | Even if you disconnect the number, they still keep it on
           | file.
           | 
           | I have a small network of legitimate accounts that they've
           | suspended a few times. In this last round of suspensions, I
           | can't reset any of them with my phone numbers any more.
        
         | raxxorrax wrote:
         | The whole phone number thingy for added security 2 factor auth
         | has been quite the scam.
        
           | pingyong wrote:
           | Why wouldn't you though, that's gotta be pretty juicy data.
           | You can compare phone numbers across so many different
           | databases now, makes profile creation 10x more efficient. Not
           | really surprising that _everyone_ wants your phone number
           | badly these days.
           | 
           | Microsoft does the same thing btw. Was really fun for a
           | friend of mine who registered a Microsoft account for mixer,
           | forgot about, bought Halo, needed an MS account to log in,
           | thought hey I already have one, and instantly got locked out
           | because it didn't have a phone number.
        
             | bathtub365 wrote:
             | Having something as personal as a phone number should be
             | seen as a liability, not an asset.
        
             | captn3m0 wrote:
             | I bought a dress, a cookie, and a book yesterday from a
             | mall in India.
             | 
             | All 3 asked me for my phone number. It's getting ridiculous
        
               | nso wrote:
               | I went to the apple store to buy a router. It took me
               | involving the manager before the guy let me pay without
               | leaving my name and address.
        
               | denzil_correa wrote:
               | India is just ridiculous in this regard. Recently,
               | there's some app at security gates at the entrance of
               | apartments that asks for phone numbers. It's strange that
               | one needs a phone number to visit my friend.
        
               | andrewzah wrote:
               | Do you put your real number in for those kinds of
               | purchase? I generally just put in a random 800- number.
        
               | lonelappde wrote:
               | Doesn't India link phone numbers to bank accounts?
        
           | switch007 wrote:
           | It's batshit crazy. But the PR campaigns/marketing by the
           | companies that want your phone number for other reasons seems
           | to have worked.
        
         | kjaftaedi wrote:
         | That might be the case now, but twitter didn't always require
         | them.
         | 
         | I wouldn't be surprised if there are 10s of millions of
         | accounts without phone numbers associated with them.
        
           | [deleted]
        
           | atomi wrote:
           | They "requested" my phone number after the fact. And by
           | "requested" I mean I wasn't exactly given a choice. I wasn't
           | able to access my account until I provided a number. Of
           | course all this was for "security" reasons. Personally I'd
           | prefer to use Google authenticator anyway.
        
             | SkyBelow wrote:
             | I feel as if one of the many elephants being overlooked
             | here is how 'security' is being abused to further data
             | collection. When an account gets locked now, I don't think
             | it is for actual security, but to increase data collection.
             | Tragedy of the commons being exploited by major websites.
             | The same ones which also want to hold themselves as the
             | arbiter of truth (or at least as one of the Arbiter's
             | official spokesmen).
        
         | cmroanirgo wrote:
         | I just checked the twitter signup form, which does have a phone
         | input. But there's a toggle saying "use email instead".
         | 
         | So, no phone number is required.
        
           | gojomo wrote:
           | New accounts without an associated phone number tend to face
           | a lock & challenge, for "suspicious activity" (even if
           | they've never posted), which can only be reversed by adding a
           | phone number.
           | 
           | So, Twitter is _de facto_ requiring phone numbers on many
           | more accounts than the initial sign-up flow might indicate -
           | to the detriment of user privacy,  & increasing the damage of
           | compromises like this one.
        
             | tialaramex wrote:
             | Note that activities which are potentially suspicious
             | aren't just about posting, it includes following people,
             | because that makes their follower count go up, and the
             | whole point of displaying that count is most people want to
             | appear popular - and so of course people create bogus
             | followers.
             | 
             | I agree that Twitter using this to get people to give them
             | PII they don't want Twitter to have, especially when
             | Twitter aren't a good custodian of that PII, is terrible,
             | but it's not as though Twitter's other option (anybody can
             | mint a thousand bogus Twitter followers with no pushback
             | from Twitter) looks great either.
        
               | jammygit wrote:
               | I never used twitter until last year when I made an
               | account. They flagged me for following 5 people and
               | liking some posts, locked me out, and notified me that
               | any attempts to send support a request would be ignored.
               | I can't even log in or contact anyone to delete the
               | account.
               | 
               | I guess the future is to be given the middle finger so
               | eagerly by bad AI all the time.
        
               | itronitron wrote:
               | If using the application for its intended purpose makes
               | your account seem not-human, just who or what did they
               | design the application for?
        
               | retox wrote:
               | My account (created without entering a phone number) was
               | locked immediately after logging in the first time, from
               | the same IP I signed up with, without performing any
               | actions. This was over 12 months ago.
        
               | gojomo wrote:
               | Yes, Twitter now considers everything "suspicious",
               | including the minimal steps required to use Twitter as a
               | logged-in account at all, like "following people" (even
               | just a few).
               | 
               | And thus, Twitter more-or-less requires phone numbers
               | from everyone. This increases the risk that Twitter's
               | users will be "doxxed" - and even, when those users anger
               | certain large violent organizations, the risk they'll be
               | assassinated.
        
               | 80386 wrote:
               | > I agree that Twitter using this to get people to give
               | them PII they don't want Twitter to have, especially
               | when Twitter aren't a good custodian of that PII, is
               | terrible, but it's not as though Twitter's other option
               | (anybody can mint a thousand bogus Twitter followers with
               | no pushback from Twitter) looks great either.
               | 
               | Third option: don't display follower counts.
        
           | newnewpdro wrote:
           | They let you create an account without a phone number, and
           | immediately afterwards lock the account until you provide
           | one, for alleged "suspicious activity".
           | 
           | Try it.
        
             | teh_klev wrote:
             | Can confirm this. Tried to set up a new Twitter account for
             | business use, got the phone number challenge but wasn't
             | able to go any further because the number I wanted to use
             | was "already in use" i.e. my own number I already stupidly
             | associated with my personal twitter account.
             | 
             | To add insult to injury I've been suspended permanently
             | because Twitter's "offence" AI can't distinguish between
             | black humour and a direct physical threat. But that's
             | another story.
        
               | slig wrote:
               | They insta-banned two new accounts from me (for side-
               | projects) after I entered my phone-number which was
               | associated with my personal account. They went from a no-
               | law-free-spam zone to shoot-first-and-don't-ask-later.
        
               | 80386 wrote:
               | The same thing happened to me. But I was somehow able to
               | create a new account on Microsoft Edge. It hasn't been
               | disabled, but I don't plan to use it. If they want to
               | kill their own business, I say let them.
        
           | LegitShady wrote:
           | Disagree. If you make a Twitter account and then use it
           | without a phone number it will quickly be locked to force you
           | to prove you're human. It took less than 3 hours for mine.
           | They want my phone number to unlock it enough to delete the
           | account. No way.
        
           | [deleted]
        
         | the8472 wrote:
         | Instead of providing a phone number you can also email support
         | and complain about the account lock. But yeah, it's a pretty
         | scummy bait and switch behavior.
        
           | rahuldottech wrote:
           | I had to send at least six emails to get this to work. _Six._
        
           | notrandom wrote:
           | I personally tried this. Pregnant silence.
        
       | drewmol wrote:
       | TL;DR
       | 
       | Twitter's data collection/friend matching feature used an API
       | endpoint that returned usernames given phone numbers. A security
       | researcher exposed it publicly, Twitter patched it (to just
       | return a token or something). Twitter investigated and just
       | released their findings "out of an abundance of caution and as a
       | matter of principle." that it's clearly been "exploited" many
       | times in the past. Twitter probably charges for the data returned
       | by this "exploit". It doesn't look like the settings offered stop
       | Twitter from selling this "exploit" as a service for
       | "promotional" content.
       | 
       | It seems strange not to care that Twitter sells your username but
       | care that they also accidentally gave it out for free in the past.
        
       | jraph wrote:
       | I read the article and thought, "well, yes, the option that
       | needed to be enabled on the account for the attack to work
       | describes what the API did, what is the bug?"
       | 
       | I found the original notice from twitter [1] easier to understand
       | (maybe change the URL of this post?) and it does not speak about
       | a bug. Twitter did implement a change so that the attack cannot
       | be done anymore though.
       | 
       | I did not understand the fix itself, it seems the API cannot be
       | used for its intended use anymore?
       | 
       | [1] https://privacy.twitter.com/en/blog/2020/an-incident-
       | impacti...
        
         | drewmol wrote:
         | The intended use was for a user to submit their contact data
         | (phone book). Twitter's API would return a list of usernames
         | matching those numbers for the purpose of
         | requesting/notifying/suggesting potential friends (in exchange
         | for their* data used to build a social graph/sell). Twitter
         | patched/updated the API which means (the API probably returns a
         | token or key or something that doesn't reveal the username now)
         | if someone wants to submit a list of phone numbers to get their
         | Twitter usernames they'll have to pay Twitter[0] or use a
         | different "exploit".
         | 
         | * if someone has _my_ phone number in _their_ phonebook and
         | gives it to Twitter - it becomes our data.
         | 
         | [0] https://business.twitter.com/en/help/overview/what-are-
         | promo...
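Added example (not Twitter's code, and not from any commenter): a hypothetical contact-discovery endpoint that combines two mitigations raised in this thread, diebeforei485's suggestion that a handle be revealed only when _both_ parties hold each other's number, and the opaque-token response drewmol describes above, plus a per-requester budget of distinct numbers so a pre-built list cannot be resolved in bulk. The user records, phone numbers and budget size are constructed sample data; the token format is my own assumption.

```python
"""Hypothetical contact-discovery endpoint (added example, not Twitter's API).

Mitigations combined here:
  * a handle is returned only when the match is mutual (both users hold each
    other's number); one-sided matches get an opaque, per-requester token that
    the client can use to de-duplicate suggestions but cannot map to a handle;
  * every requester has a daily budget of distinct numbers, enforced before any
    lookup, so bulk resolution of a suspect list stops at the budget.
Caveat: a "token" reply still reveals that the number belongs to some
discoverable account, which is why the budget is not optional.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class User:
    handle: str
    phone: Optional[str]                       # E.164 string, or None if never supplied
    discoverable_by_phone: bool = True         # the "let others find me by phone" setting
    contacts: Set[str] = field(default_factory=set)  # numbers in this user's address book


@dataclass
class Match:
    number: str
    kind: str              # "handle" (mutual), "token" (one-sided), "none"
    value: Optional[str]


class QueryBudgetExceeded(Exception):
    pass


class ContactMatcher:
    def __init__(self, users: Iterable[User], daily_budget: int = 500):
        self.users: Dict[str, User] = {u.handle: u for u in users}
        self.by_phone: Dict[str, User] = {u.phone: u for u in self.users.values() if u.phone}
        self.daily_budget = daily_budget
        self.queried: Dict[str, Set[str]] = {}    # requester -> distinct numbers seen today
        self._pepper = secrets.token_bytes(32)    # server-side secret; rotate to reset tokens

    def _token(self, requester: str, target: str) -> str:
        # Stable per (requester, target) pair, so repeated imports yield the same
        # suggestion id, but different per requester: tokens cannot be joined
        # across accounts and cannot be reversed to a handle without the pepper.
        msg = f"{requester}\0{target}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).hexdigest()[:16]

    def _charge(self, requester: str, numbers: Iterable[str]) -> None:
        seen = self.queried.setdefault(requester, set())
        new = set(numbers) - seen                 # re-querying known numbers is free
        if len(seen) + len(new) > self.daily_budget:
            raise QueryBudgetExceeded(
                f"{requester} would exceed {self.daily_budget} distinct numbers today")
        seen |= new

    def match(self, requester_handle: str, numbers: Iterable[str]) -> Dict[str, Match]:
        requester = self.users[requester_handle]
        numbers = list(numbers)
        self._charge(requester_handle, numbers)   # budget is checked before any lookup
        out: Dict[str, Match] = {}
        for n in numbers:
            target = self.by_phone.get(n)
            if target is None or target is requester or not target.discoverable_by_phone:
                out[n] = Match(n, "none", None)   # unknown, self and opted-out look identical
                continue
            mutual = requester.phone is not None and requester.phone in target.contacts
            if mutual:
                out[n] = Match(n, "handle", target.handle)
            else:
                out[n] = Match(n, "token", self._token(requester_handle, target.handle))
        return out


def demo_users() -> list:
    # Constructed sample accounts; the numbers are placeholders, not real ones.
    return [
        User("alice", "+15550000001", contacts={"+15550000002", "+15550000003"}),
        User("bob", "+15550000002", contacts={"+15550000001"}),      # mutual with alice
        User("carol", "+15550000003"),                                 # alice has carol, not vice versa
        User("dave", None),                                            # no phone on file
        User("erin", "+15550000005", discoverable_by_phone=False),    # opted out
    ]
```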
        
       | sdan wrote:
       | Isn't this old news? Thought this came out a few months ago.
        
         | boudin wrote:
         | According to the article, Twitter discovered the problem on the
         | 24th of December 2019.
        
       | milofeynman wrote:
       | I swear I saw someone mention this a month or two ago in HN
       | comments. They said that they believed Twitter's API was being
       | used to unmask accounts by state actors. I can't find the
       | original article now.
        
         | jsnell wrote:
         | You're thinking of
         | https://news.ycombinator.com/item?id=21873229
         | 
         | That was slightly different, since at that time the only
         | information we had was that this unethical "security researcher"
         | had exploited the bug for months on billions of phone numbers
         | and only disclosed it once Twitter blocked them.
         | 
         | This announcement is different in that Twitter appear to be
         | saying that this was being abused by other actors as well.
        
           | milofeynman wrote:
           | That was exactly the comment. Thank you! It sounds like
           | everyone and their mother was exploiting the API based on
           | today's post. Thanks again.
        
       ___________________________________________________________________
       (page generated 2020-02-05 23:00 UTC)